Subprocessors

In providing you with our Service, the Bright Software Group of Companies (“Bright”, “we”, “us”, “our”) may use carefully selected third-party service providers (each, a “Subprocessor”) to help us deliver that Service to you.

This page provides essential information about the identity, location, and role of the Subprocessors used by Bright.

What is a Subprocessor?

A Subprocessor is a third-party data processor engaged by Bright that has, or potentially will have, access to Service data (which may contain personal data), or that processes such data on our behalf. Bright engages multiple Subprocessors to perform various functions as explained in the tables below.

Due diligence

Bright will always take steps to ensure that the safety and security of your information is considered, implementing and maintaining necessary technical and organisational measures over each transfer of personal information, and mandating that our third parties maintain a similar level of duty and care.

Contractual safeguards

Bright requires its Subprocessors to satisfy obligations equivalent to those required of Bright (as a Data Processor) as set forth in either Bright’s, or the corresponding Subprocessor’s equivalent, Data Processing Addendum (“DPA”), incorporating Standard Contractual Clauses (“SCC”) where appropriate for transfers outside the EU, including but not limited to the requirements to:

  • process Personal Data only in accordance with Bright’s instructions;
  • in connection with their subprocessing activities, use only personnel who are reliable and subject to a contractually binding obligation to observe data privacy and security, to the extent applicable, pursuant to applicable data protection laws;
  • implement and maintain appropriate technical and organisational measures (including measures consistent with those to which Bright is contractually committed to adhere as far as they are equally relevant to the Subprocessor’s processing of Personal Data on Bright’s behalf);
  • promptly inform Bright about any actual or potential security breach; and
  • cooperate with Bright in order to deal with requests from data controllers, data subjects or data protection authorities, as and where applicable.

This policy does not give users of the Service any additional rights or remedies and should not be construed as a binding agreement. The information here is provided for transparency purposes to illustrate Bright’s engagement process for Subprocessors as well as to provide the actual list of third party Subprocessors used by Bright (as of the date of this policy) which Bright may use in the delivery and support of its Service.

Process to engage new subprocessors

As our business grows and evolves, the Subprocessors we engage may also change. We will provide users of the Service with notice of any new Subprocessors to the extent required under the Agreement by posting such updates here.

Bright will provide notice, via this policy, of updates to the list of Subprocessors that are utilised, or which Bright proposes to utilise to deliver its Service. Bright undertakes to keep this list updated regularly to enable users of the Service to stay informed of the scope of subprocessing associated with the Service.

Infrastructure Subprocessors

Bright online Services are located in secure, ISO 27001 certified data centre facilities. We may use the following Subprocessors to host Service data or provide other infrastructure that helps with the delivery of the Service.

| Purpose | Entity | Country(ies) | Adequacy |
|---|---|---|---|
| Cloud infrastructure provider | Microsoft Azure | Ireland | EU GDPR, ISO 27001, DPA |
| Cloud infrastructure provider | Amazon Web Services | Ireland | EU GDPR, ISO 27001, DPA |
| Cloud infrastructure provider | Blacknight Internet Solutions Ltd. | Ireland | EU GDPR, ISO 27001, DPA |
| Cloud infrastructure provider | OVH | Ireland, Germany | EU GDPR, ISO 27001, DPA |

Other Subprocessors

Bright works with certain third parties to provide specific functionality around and within the Service. These providers are the Subprocessors detailed below. In order to provide the relevant functionality, we may transfer Service data to these Subprocessors. Their use is limited solely to the listed purposes.

| Purpose | Entity | Country(ies) | Adequacy |
|---|---|---|---|
| Customer management services | Hubspot | Germany | EU GDPR, SOC 2, DPA |
| Customer management services | Elastic, Inc. | United States | DPA with SCC |
| Customer support services | Zendesk | United States | ISO 27001, GDPR Link, DPA with SCC |
| Email delivery service | Sendgrid | United States | SOC 2, GDPR Link, DPA with SCC |
| Email delivery service | Mailgun | Germany, Belgium | EU GDPR, DPA |
| Service analytics | Google, Inc. | United States | ISO 27001, GDPR Link, DPA with SCC |
| Email marketing & automation | GetResponse S.A. | Poland | EU GDPR |
| User experience research | Hotjar Ltd. | Malta | EU GDPR, DPA |
| Feature requests | Productboard, Inc. | United States | DPA with SCC |
| Customer NPS surveys | SweetHawk Pty Ltd. | Australia | DPA with SCC |
| Live customer chat | Tawt.to, Inc. | United States | DPA with SCC |
| AML & credit checking services | Veriphy Ltd. | United Kingdom | UK GDPR |
| Video calling; webinars | Zoom Video Communications, Inc. | United States | ISO 27001, SPA with SCC |
| Video calling; webinars | GoTo Technologies UK Limited | United States | ISO 27001 |

Payment processors

Bright does not store payment card information or your bank account access details. Payment processing and account access information is handled directly by the following third parties according to their respective Privacy Policies and Terms of Service.

| Purpose | Entity | Country(ies) | Adequacy |
|---|---|---|---|
| Outsourced payment management | Stripe | United States, Europe | Privacy Policy |
| Outsourced payment management | Global Payments | Ireland | Privacy Policy |
| Outsourced payment management | Paypal | United States, Europe | Privacy Policy |
| Outsourced payment management | Modulr | United Kingdom | Privacy Policy |
| Open banking connection and management | Plaid | United Kingdom | Privacy Policy |