Subprocessors
In providing you with our Service, the Bright Software Group of Companies (“Bright”, “we”, “us”, “our”) may use carefully selected third party service providers (each, a “Subprocessor”) to help us deliver that Service to you.
This page provides essential information about the identity, location, and role of the Subprocessors used by Bright.
What is a Subprocessor?
A Subprocessor is a third-party data processor engaged by Bright that has, or potentially will have, access to Service data (which may contain personal data), or that processes such data, on our behalf. Bright engages multiple Subprocessors to perform various functions as explained in the tables below.
Due diligence
Bright will always take steps to ensure that the safety and security of your information is considered, implementing and maintaining necessary technical and organisational measures over each transfer of personal information, and mandating that our third parties maintain a similar level of duty and care.
Contractual safeguards
Bright requires its Subprocessors to satisfy equivalent obligations as those required of Bright (as a Data Processor) as set forth in either Bright’s, or the corresponding Subprocessor’s equivalent, Data Processing Addendum (“DPA”), incorporating either an appropriate European Commission adopted framework (e.g. EU-US Data Privacy Framework), or Standard Contractual Clauses (“SCC”) where appropriate for transfers outside the EU, including but not limited to the requirements to:
- process Personal Data only in accordance with Bright’s instructions;
- in connection with their subprocessing activities, use only personnel who are reliable and subject to a contractually binding obligation to observe data privacy and security, to the extent applicable, pursuant to applicable data protection laws;
- implement and maintain appropriate technical and organisational measures (including measures consistent with those to which Bright is contractually committed to adhere as far as they are equally relevant to the Subprocessor’s processing of Personal Data on Bright’s behalf);
- promptly inform Bright about any actual or potential security breach; and
- cooperate with Bright in order to deal with requests from data controllers, data subjects or data protection authorities, as and where applicable.
This policy does not give users of the Service any additional rights or remedies and should not be construed as a binding agreement. The information here is provided for transparency purposes to illustrate Bright’s engagement process for Subprocessors as well as to provide the actual list of third party Subprocessors used by Bright (as of the date of this policy) which Bright may use in the delivery and support of its Service.
Process to engage new subprocessors
As our business grows and evolves, the Subprocessors we engage may also change. We will provide users of the Service with notice of any new Subprocessors to the extent required under the Agreement by posting such updates here.
Bright will provide notice, via this policy, of updates to the list of Subprocessors that are utilised, or which Bright proposes to utilise to deliver its Service. Bright undertakes to keep this list updated regularly to enable users of the Service to stay informed of the scope of subprocessing associated with the Service.
Infrastructure Subprocessors
Bright online Services are located in secure, ISO 27001 certified data centre facilities. We may use the following Subprocessors to host Service data or provide other infrastructure that helps with the delivery of the Service.
Other Subprocessors
Bright works with certain third parties to provide specific functionality around and within the Service. These providers are the Subprocessors detailed below. In order to provide the relevant functionality, we may transfer Service data to these Subprocessors. Their use is limited solely to the listed purposes.
Purpose | Entity | Country(ies) | Adequacy |
---|---|---|---|
Customer management services | Hubspot | Germany | EU GDPR SOC 2 DPA |
Customer support services | Zendesk, Inc. | United States | ISO 27001 GDPR Link EU-US DPF DPA |
VoIP telephony for sales and prospecting | Aircall | United States | SOC 2 EU-US DPF |
Subscription, billing and licence management | Maxio | EU | ISO 27001 DPA |
Email delivery service | Twilio, Inc. (Sendgrid) | United States | SOC 2 GDPR Link EU-US DPF DPA |
Email delivery service | Mailgun | Germany, Belgium | EU GDPR DPA |
Service analytics | Google LLC | United States | ISO 27001 GDPR Link EU-US DPF DPA |
Sales & Marketing Support | GCL B2B Ltd | United Kingdom | UK GDPR |
Email marketing & automation | GetResponse S.A. | Poland | EU GDPR DPA |
User experience research | Hotjar Ltd. | Malta | EU GDPR DPA |
Feature requests | Productboard, Inc. | United States | EU-US DPF DPA |
Customer NPS surveys | SweetHawk Pty Ltd. | Australia | DPA with SCC |
AML & credit checking services | Veriphy Ltd. | United Kingdom | UK GDPR |
Video calling; webinars | Zoom Video Communications, Inc. | United States | ISO 27001 EU-US DPF |
Video calling; webinars | GoTo Technologies UK Limited | United States | ISO 27001 EU-US DPF |
Development & Support | Relate Infotech | India | IDTA / DPA with SCC |
Development & Support | Silver Cloud | India | IDTA / DPA with SCC |
Payment processors
Bright does not store payment card information or your bank account access details. Payment processing and account access information is handled directly by the following third parties according to their respective Privacy Policies and Terms of Service.
Purpose | Entity | Country(ies) | Adequacy |
---|---|---|---|
Outsourced payment management | Stripe | United States, Europe | Privacy Policy |
Outsourced payment management | Global Payments | Ireland | Privacy Policy |
Outsourced payment management | Paypal | United States, Europe | Privacy Policy |
Outsourced payment management | Modulr | United Kingdom | Privacy Policy |
Open banking connection and management | Plaid | United Kingdom | Privacy Policy |
This page was last updated 8th March, 2024.