Skip to main content

Approved data processors

Approved data processors

  • Per the Company data processing policy, only data processors approved by the DPO can be used. The list of those approved processors is maintained here.

  • This list is subject to occasional review and may be changed at any time. The DPO will make an announcement and ensure that all members of staff are informed whenever a data processor is removed from this list. Whenever possible, enough advanced warning will be given to afford all affected members of staff time to migrate or delete the affected personal data.

  • Do not use a data processor that is not listed here to process personal data, even temporarily by doing so, due to UK and/or EU GDPR regulations, you may be in violation of the law.

  • Ensure that you're familiar with the definitions of personal data and data processing before you process any data that may be personal. (What is considered to be personal data by various jurisdictions is subjective and is often quite surprising.) When in doubt, consult the DPO.

  • If you believe that you have processed personal data using an unapproved data processor, whether intentionally or unintentionally, stop the processing and inform the DPO immediately.

  • If you know or suspect that a member of staff has processed personal data using an unapproved data processor, inform the DPO immediately.

Data processing agreements

Every third-party data processor is required to offer a data processing agreement if they want to serve data controllers who are regulated under the UK or EU GDPR. In some cases, these agreements are signed by both the data controller and the data processor; in some cases, they're signed only by the data processor, and the data controller is assumed to have accepted the terms implicitly under the data processor's more broad terms of service (ToS); and in every other case, they're signed by neither party, and the data controller is assumed to have accepted the terms implicitly under the data processor's ToS. Note that in all of these third-party DPAs, the Company are the data controller.

In addition to maintaining this list of approved data processors, the DPO will also be responsible for maintaining a link to the current DPA that's in effect for each of our approved data processors. Keeping track of all of the currently-in-effect DPAs is a data protection best practice, and may even be a legal requirement, depending on the jurisdiction.

DPAs change from time to time, and the DPO will ensure that the latest version is linked from this page at all times. If you're aware that a DPA for an approved data processor has been updated, please inform the DPO.

Sub-processors

Data processors may share the data they're processing with other third parties. For example, HubSpot may build their own data processing services on top of Google Cloud Platform. In this case, the act of data processing is transitive, and therefore, it's in our best interest to keep track of these sub-processors, as well

The DPO will maintain these per-processor sub-processor lists here as well, which may be useful in certain cases; e.g., in the case of a data breach. (We do not keep the sub-processors' DPAs at hand as we are not bound by those.)

HubSpot

What personal data do we process

We process the personal data of individuals who consent to share their information with the Company via HubSpot's services when invited to do so on one of our websites. These data may include any of the following:

  • name
  • email address
  • phone number
  • usernames on other online services
  • other personal data submitted via a form

Justification for use

The Company use HubSpot as a customer relationship management system (CRM), which manages the personal contact data of existing and previous customers, and of individuals who may be interested in our products and services but who are not yet customers.

How we will use the personal data

At all times, the Company's use of personal data will be bound by the terms of the Company's data privacy policy. In the specific case of personal data stored in HubSpot, the Company will use individuals' personal data to provide any products and services that individuals have requested from the Company. From time to time, the Company will contact individuals about products, services, and other content they may be of interest to them. Individuals can opt out of these communications at any time.

Retention period

As we use HubSpot as a CRM, we retain personal data in HubSpot indefinitely, until the individual makes an erasure request, or the Company decides there is no longer any lawful basis upon which to justify storing it.

Lawful basis for processing

The lawful basis for processing data on HubSpot is that individuals have consented to its collection by submitting it in a form on one of our websites, after having been presented with the Company's privacy policy and then affirmatively and explicitly opting into sharing it with the company for the stated purposes.

Documentation

Sub-processors

The current list of HubSpot data sub-processors can be found in the HubSpot Data Processing Agreement. Note that the DPO has signed up to receive updates to the list of HubSpot's data sub-processors as documented here.

Do HubSpot transfer personal data outside the UK and/or EU?

Per their DPA in Section 7(g), they may, but they will not do so unless they consider it to be legal (either by adequacy regulation or via appropriate safeguards).

Last updated on