SolidCo Pty Ltd
ABN 41 680 244 446
Subprocessor Policy
Version 1.0
1. Purpose
SolidCo Pty Ltd (“SolidCo”, “we”, “our” or “us”) is committed to protecting the personal information entrusted to us by our clients and their users.
As part of providing our services, we may engage carefully selected third party service providers (“subprocessors”) to assist us in delivering web development, cloud hosting, managed services, cybersecurity, software development, communications, billing and related business services.
This policy explains how we select, manage and monitor our subprocessors and should be read together with our:
- Privacy Policy;
- Data Processing Addendum (where applicable); and
- Information Security Statement.
2. Scope
This policy applies whenever SolidCo processes personal information on behalf of a client and engages a third party to assist in delivering those services.
Where SolidCo acts as a data processor under applicable privacy legislation, including the UK General Data Protection Regulation (UK GDPR) and the European Union General Data Protection Regulation (EU GDPR), we will only appoint subprocessors that provide appropriate safeguards for protecting personal data.
3. What is a Subprocessor?
A subprocessor is a third party organisation that processes personal information on behalf of SolidCo so that we can deliver our services to our clients.
Examples include providers of:
- Cloud hosting
- Content delivery and cybersecurity
- Email and productivity services
- Accounting and invoicing
- Payment processing
- Source code management
- Business communications
4. Our Principles
When selecting subprocessors, SolidCo aims to:
- use reputable providers with established security practices;
- minimise the amount of personal information shared;
- only share information necessary to provide the relevant service;
- require subprocessors to protect personal information appropriately;
- periodically review the suitability of our subprocessors; and
- comply with applicable privacy legislation and contractual obligations.
5. International Data Transfers
Some of our subprocessors operate globally and may process personal information outside Australia, the United Kingdom or the European Economic Area.
Where required by applicable law, we rely on appropriate safeguards for international data transfers, which may include:
- European Commission Standard Contractual Clauses (SCCs);
- the UK International Data Transfer Addendum or International Data Transfer Agreement (IDTA);
- adequacy decisions; or
- other lawful transfer mechanisms recognised under applicable privacy laws.
6. Security
SolidCo expects subprocessors to maintain appropriate technical and organisational measures to protect personal information.
Depending on the services provided, these measures may include:
- encryption in transit;
- encryption at rest where appropriate;
- multi factor authentication;
- role based access controls;
- security monitoring and logging;
- vulnerability and patch management;
- incident response procedures; and
- business continuity and disaster recovery processes.
While we undertake reasonable due diligence before engaging subprocessors, each provider remains independently responsible for the security of its own systems and services.
7. Current Subprocessors
The following organisations may process personal information on our behalf as part of delivering our services.
| Subprocessor | Headquarters | Purpose | Typical Personal Information | Processing Locations |
|---|---|---|---|---|
| Amazon Web Services (AWS) | United States | Cloud hosting, cloud services, databases, storage, backups, email delivery and infrastructure | Application data, databases, files, logs, backups, contact information, email addresses and email content | Regional AWS infrastructure and global support operations |
| Atlassian | Australia | Bitbucket, Trello and other Atlassian Cloud services where utilised for source code hosting, version control, software development collaboration, project management, task tracking and team collaboration | User account information, source code repositories, project records, task information, communications and development records | Global Atlassian Cloud infrastructure |
| Brevo | France | Email marketing and audience management where utilised | Contact information, email addresses and marketing preferences | European and global infrastructure |
| Cloudflare | United States | DNS, CDN, cloud services, Web Application Firewall, Zero Trust, Workers and edge security | IP addresses, request metadata, authentication data and security logs | Global Cloudflare network |
| Dropbox | United States | Cloud file storage, file sharing, document collaboration, synchronisation and backups | Files, documents, project assets, contact information, contracts, invoices and backups | United States and other regions where Dropbox and its authorised subprocessors operate data centres and provide support services |
| GitHub | United States | Source code hosting, version control and software development collaboration | User account information, source code repositories and development records | Global GitHub infrastructure |
| United States | Cloud hosting, cloud services, databases, storage, backups, email, document management and collaboration | Application data, databases, files, logs, backups, contact information, emails, documents and calendars | Global Google infrastructure | |
| Mailchimp | United States | Email marketing and audience management where utilised | Contact information, email addresses and marketing preferences | Global Mailchimp infrastructure |
| Microsoft | United States | Cloud hosting, cloud services, databases, storage, backups, email, document management and collaboration | Application data, databases, files, logs, backups, contact information, emails, documents and calendars | Global Microsoft infrastructure |
| OpenAI | United States | Transcription, caller identification and verification | Shared topics and transcribed recorded communications | Global OpenAI infrastructure |
| Slack | United States | Business communications and collaboration | Contact information, messages and shared files | Global Slack infrastructure |
| Stripe | United States / Ireland | Payment processing and billing | Contact information, billing information and payment metadata | Global Stripe infrastructure |
| Twilio | United States | SMS and communication services where enabled | Phone numbers, communication storage and metadata | Global Twilio infrastructure |
| Xero | New Zealand | Accounting, bookkeeping and invoicing | Contact information, invoices, financial records and payment information | Global Xero infrastructure |
Additional subprocessors may be engaged where necessary to deliver specific client services.
8. Changes to Subprocessors
SolidCo may update its list of subprocessors as our business or technology changes.
The current version of this policy will always be available on our website.
Where required by contract or applicable law, we will notify affected clients before appointing a new subprocessor that materially changes the processing of client personal information.
9. Client Enquiries
Clients may request additional information regarding our subprocessors or the safeguards we apply by contacting us using the details below.
Where required by applicable privacy legislation or contractual obligations, we will respond within the applicable legal timeframes.
10. Contact
Privacy Officer
SolidCo Pty Ltd
ABN 41 680 244 446
Privacy enquiries may also be submitted using the contact details provided in our Privacy Policy.
11. Policy Updates
We may amend this policy from time to time to reflect changes in our services, subprocessors or applicable legal requirements.
The latest version will always be published on our website.