Subprocessors Policy
Effective Date: July 22, 2025
Last Reviewed: July 22, 2025
Contact: [email protected]
1. Purpose
This Subprocessors Policy outlines how IntelliVersal Integrated Solution (IVIS) engages third-party vendors and service providers ("subprocessors") to support the delivery of our products and services. We maintain strict criteria for selection, monitoring, and compliance to ensure data security, privacy, and regulatory alignment at every level of service.
2. Definitions
- Data Controller: The client or organization that determines the purpose and means of processing personal data.
- Data Processor (IVIS): The entity that processes data on behalf of the data controller.
- Subprocessor: A third party engaged by IVIS to process personal data on behalf of our clients.
3. Subprocessor Engagement Principles
All subprocessors must:
- Enter into Data Processing Agreements (DPAs) with IVIS
- Adhere to GDPR, ISO/IEC 27001, and local data protection laws
- Implement technical and organizational measures to secure client data
- Provide transparency into their processing activities upon request
4. Categories of Subprocessors
| Category | Example Functions |
| --- | --- |
| Cloud Infrastructure | Hosting, storage, compute power (e.g., AWS, Azure) |
| Analytics & Monitoring | Performance metrics, logging, system alerts |
| Communication Platforms | Email delivery, messaging, alerts |
| Customer Support Systems | Help desk, ticketing, live chat |
| Payment & Invoicing | Payment processors, billing platforms |
| Security Services | Pen-testing, DDoS protection, vulnerability scanning |
5. Current List of Authorized Subprocessors
| Subprocessor | Service Category | Location | Compliance Certifications |
| --- | --- | --- | --- |
| Amazon Web Services (AWS) | Cloud Infrastructure | USA/EU | ISO 27001, SOC 2, GDPR |
| Microsoft Azure | Cloud Infrastructure | Global | ISO 27001, SOC 2, GDPR |
| Google Workspace | Communication Tools | Global | ISO 27001, GDPR |
| HubSpot | CRM / Email Marketing | USA | GDPR, Privacy Shield |
| Freshdesk | Customer Support | USA | GDPR, SOC 2 |
| Stripe | Payment Processing | USA | PCI-DSS, GDPR |
| Cloudflare | Network Security | USA/EU | ISO 27001, SOC 2 |
Note: This list may be updated as services evolve. Clients will be notified of any material changes with at least 30 days’ notice where required by applicable law or contract.
6. Subprocessor Vetting Process
Before engagement, all subprocessors undergo:
- Security risk assessments
- Compliance checks
- Contractual controls (DPA, SLA, confidentiality)
- Reputational due diligence
Annual reviews are conducted to reassess ongoing eligibility and compliance posture.
7. Client Notification & Objection Rights
Clients have the right to:
- Be informed of any changes to the subprocessor list
- Object to a new subprocessor on reasonable grounds relating to data protection
- Request detailed documentation on subprocessor compliance and safeguards
Please send any objections or concerns to [email protected].
8. Data Transfer & Jurisdiction
Subprocessors may process data outside of the client's country of origin. In such cases, IVIS ensures:
- Standard Contractual Clauses (SCCs) are in place
- Additional safeguards are used (encryption, zero-trust access, pseudonymization)
- Transfers are compliant with GDPR and applicable international laws