Skip to main content

Subprocessors

Subprocessors

In providing you with our Service, the Bright Software Group of Companies (“Bright”, “we”, “us”, “our”) may use carefully selected third party service providers (each, a “Subprocessor”) to help us deliver that Service to you.
This page provides essential information about the identity, location, and role of the Subprocessors used by Bright.

What is a Subprocessor?

A Subprocessor is a third-party data processor engaged by Bright who has, or potentially will have access to, or process Service data (which may contain personal data) on our behalf. Bright engages multiple Subprocessors to perform various functions as explained in the tables below.

Due diligence

Bright will always take steps to ensure that the safety and security of your information is considered, implementing and maintaining necessary technical and organisational measures over each transfer of personal information, and mandating that our third parties maintain a similar level of duty and care.

Contractual safeguards

Bright requires its Subprocessors to satisfy equivalent obligations as those required of Bright (as a Data Processor) as set forth in either Bright’s, or the corresponding Subprocessor’s equivalent, Data Processing Addendum (“DPA”), incorporating either an appropriate European Commission adopted framework (eg. EU-US Data Privacy Framework), or Standard Contractual Clauses (“SCC“) where appropriate for transfers outside the EU, including but not limited to the requirements to:

  • process Personal Data only in accordance with Bright’s instructions;
  • in connection with their subprocessing activities, use only personnel who are reliable and subject to a contractually binding obligation to observe data privacy and security, to the extent applicable, pursuant to applicable data protection laws;
  • implement and maintain appropriate technical and organisational measures (including measures consistent with those to which Bright is contractually committed to adhere as far as they are equally relevant to the Subprocessor’s processing of Personal Data on Bright’s behalf);
  • promptly inform Bright about any actual or potential security breach; and
  • cooperate with Bright in order to deal with requests from data controllers, data subjects or data protection authorities, as and where applicable.

This policy does not give users of the Service any additional rights or remedies and should not be construed as a binding agreement. The information here is provided for transparency purposes to illustrate Bright’s engagement process for Subprocessors as well as to provide the actual list of third party Subprocessors used by Bright (as of the date of this policy) which Bright may use in the delivery and support of its Service.

Process to engage new subprocessors

As our business grows and evolves, the Subprocessors we engage may also change. We will provide users of the Service with notice of any new Subprocessors to the extent required under the Agreement by posting such updates here.

Bright will provide notice, via this policy, of updates to the list of Subprocessors that are utilised, or which Bright proposes to utilise to deliver its Service. Bright undertakes to keep this list updated regularly to enable users of the Service to stay informed of the scope of subprocessing associated with the Service.

Infrastructure Subprocessors

Bright online Services are located in secure, ISO 27001 certified data centre facilities. We may use the following Subprocessors to host Service data or provide other infrastructure that helps with the delivery of the Service.

Purpose Entity Country(ies) Adequacy
Cloud infrastructure provider Microsoft Azure Ireland EU GDPR
ISO 27001
DPA
Cloud infrastructure provider Amazon Web Services Ireland EU GDPR
ISO 27001
DPA
Cloud infrastructure provider OVH Ireland
Germany
EU GDPR
ISO 27001
DPA

Other Subprocessors

Bright works with certain third parties to provide specific functionality around and within the Service. These providers are the Subprocessors detailed below. In order to provide the relevant functionality, we may transfer Service data to these Subprocessors. Their use is limited solely to the listed purposes.

Purpose Entity Country(ies) Adequacy
Customer management services Hubspot Germany EU GDPR
SOC 2
DPA
Customer support services Zendesk, Inc. United States ISO 27001
GDPR Link
EU-US DPF
DPA
VoIP telephony for sales and prospecting Aircall United States SOC 2
EU-US DPF
Subscription, billing and licence management Maxio EU ISO 27001
DPA
Email delivery service Twilio, Inc. (Sendgrid) United States SOC 2
GDPR Link
EU-US DPF
DPA
Email delivery service Mailgun Germany
Belgium
EU GDPR
DPA
Service analytics Google LLC United States ISO 27001
GDPR Link
EU-US DPF
DPA
Sales & Marketing Support GCL B2B Ltd United Kingdom UK GDPR
Email marketing & automation GetResponse S.A. Poland EU GDPR
DPA
User experience research Hotjar Ltd. Malta EU GDPR
DPA
Feature requests Productboard, Inc. United States EU-US DPF
DPA
Customer NPS surveys SweetHawk Pty Ltd. Australia DPA with SCC
AML & credit checking services Veriphy Ltd. United Kingdom UK GDPR
Video calling; webinars Zoom Video Communications, Inc. United States ISO 27001
EU-US DPF
Video calling; webinars GoTo Technologies UK Limited United States ISO 27001
EU-US DPF
Development & Support Relate Infotech India IDTA / DPA with SCC
Development & Support Silver Cloud India IDTA / DPA with SCC

Payment processors

Bright does not store payment card information or your bank account access details. Payment processing and account access information is handled directly by the following third parties according to their respective Privacy Policies and Terms of Service.

Entity Purpose Country(ies) Adequacy
Outsourced payment management Stripe United States
Europe
Privacy Policy
Outsourced payment management Global Payments Ireland Privacy Policy
Outsourced payment management Paypal United States
Europe
Privacy Policy
Outsourced payment management Modulr United Kingdom Privacy Policy
Open banking connection and management Plaid United Kingdom Privacy Policy

This page was last updated 8th March, 2024.