Subprocessor List

Effective Date: January 1, 2023
Last Updated: December 11, 2024

1. Purpose

This document lists all third-party subprocessors (service providers) that Coropos Web Services engages to process customer data. We are committed to transparency about how and where your data is processed.

This list is maintained in compliance with GDPR Article 28 and other data protection regulations that require disclosure of subprocessors.

2. What is a Subprocessor?

A subprocessor is a third-party data processor engaged by Coropos Web Services to assist in providing our services. Subprocessors may have access to customer data to perform specific functions on our behalf.

2.1 Our Responsibilities

We ensure that all subprocessors:

• Are bound by Data Processing Agreements (DPAs)
• Implement appropriate technical and organizational security measures
• Process data only according to documented instructions
• Comply with applicable data protection laws (GDPR, CCPA, etc.)
• Undergo regular security and compliance audits

3. Current Subprocessors

3.1 Infrastructure and Hosting

Cybrancee

• Service: Web Hosting Infrastructure
• Purpose: Provides managed hosting servers and infrastructure for customer websites and applications
• Data Processed: Website files, databases, email data, backups, server logs
• Location: United States
• Security Certifications: Industry-standard security practices
• DPA: Data Processing Agreement in place
• Website: cybrancee.com

3.2 Email and Collaboration

Google LLC (Google Workspace)

• Service: Email hosting, productivity, and collaboration tools
• Purpose: Provides email services, document storage, and collaboration features for client Google Workspace accounts
• Data Processed: Email messages, calendar data, documents, contact information
• Location: United States (with global data centers)
• Security Certifications: ISO 27001, ISO 27017, ISO 27018, SOC 2/3, GDPR compliant
• DPA: Google Workspace DPA
• Website: workspace.google.com

3.3 Payment Processing

Square, Inc.

• Service: Payment processing and merchant services
• Purpose: Processes credit card and ACH payments for our services
• Data Processed: Payment card data (tokenized), billing addresses, transaction history, email addresses
• Location: United States
• Security Certifications: PCI-DSS Level 1 Service Provider, SOC 2 Type II
• DPA: Square Data Processing Agreement
• Website: squareup.com
• Note: We do not store full payment card numbers; Square handles all sensitive payment data

PayPal Holdings, Inc.

• Service: Payment processing and digital wallet services
• Purpose: Processes PayPal, Venmo, and credit card payments for our services
• Data Processed: Payment information, email addresses, billing addresses, transaction history
• Location: United States (with global operations)
• Security Certifications: PCI-DSS Level 1 Service Provider, ISO 27001
• DPA: PayPal Privacy Statement
• Website: paypal.com
• Note: PayPal handles all sensitive payment data; we do not access or store payment credentials

3.4 Domain Registration

We purchase domains on behalf of clients through multiple registrar partners to provide the best pricing and features:

ResellerClub (Endurance International Group)

• Service: Domain registration and management
• Purpose: Provides domain registration, transfer, and DNS management services
• Data Processed: Domain registrant information (name, address, email, phone), DNS records
• Location: United States and India
• Security Certifications: ICANN accredited, industry-standard security
• DPA: Reseller Agreement with data protection terms
• Website: resellerclub.com

Cloudflare Registrar

• Service: Domain registration at cost pricing
• Purpose: Provides domain registration with no markup, integrated with Cloudflare DNS and security services
• Data Processed: Domain registrant information (name, address, email, phone), DNS records, WHOIS data
• Location: United States (with global infrastructure)
• Security Certifications: ICANN accredited, ISO 27001, SOC 2 Type II
• DPA: Cloudflare DPA
• Website: cloudflare.com/products/registrar

Cybrancee (Domain Services)

• Service: Domain registration and management (when bundled with hosting)
• Purpose: Provides integrated domain and hosting services
• Data Processed: Domain registrant information, DNS records
• Location: United States
• Security Certifications: Industry-standard security practices
• Website: cybrancee.com

3.5 Analytics and Monitoring

Google LLC (Google Analytics)

• Service: Website analytics and visitor tracking
• Purpose: Analyzes website traffic and user behavior on our website (coroposws.com)
• Data Processed: IP addresses (anonymized), browser information, page views, session data
• Location: United States (with global data centers)
• Security Certifications: ISO 27001, GDPR compliant
• DPA: Google Ads Data Processing Terms
• Website: analytics.google.com
• Note: IP anonymization enabled; 26-month data retention

Matomo (Self-Hosted)

• Service: Privacy-focused web analytics
• Purpose: Alternative analytics platform for enhanced privacy
• Data Processed: IP addresses (anonymized), visitor behavior, page views
• Location: Hosted on our own infrastructure (via Cybrancee)
• Security: Self-hosted, full data control
• Website: matomo.org
• Note: GDPR-compliant, no third-party data sharing

3.6 Invoicing and Document Management

Zoho Corporation (Zoho Invoice)

• Service: Invoicing and billing management
• Purpose: Creates, sends, and tracks invoices for our services
• Data Processed: Client names, addresses, email addresses, invoice details, payment records
• Location: United States and India (data center location varies by region)
• Security Certifications: ISO 27001, SOC 2 Type II, GDPR compliant
• DPA: Zoho DPA
• Website: zoho.com/invoice

Zoho Corporation (Zoho Sign)

• Service: Electronic signature and document signing
• Purpose: Facilitates electronic signing of contracts, agreements, and other documents
• Data Processed: Documents, signatures, signer names, email addresses, IP addresses, timestamps
• Location: United States and India (data center location varies by region)
• Security Certifications: ISO 27001, SOC 2 Type II, ESIGN Act and UETA compliant
• DPA: Zoho DPA
• Website: zoho.com/sign

3.7 Customer Support and Communication

Chatwoot

• Service: Customer support chat and messaging platform
• Purpose: Provides live chat support on our website
• Data Processed: Chat messages, email addresses, names, conversation history
• Location: Cloud-hosted (data center locations vary)
• Security: Encrypted communications, GDPR compliant
• Website: chatwoot.com

Brevo (formerly Sendinblue)

• Service: Email marketing and newsletter platform
• Purpose: Sends newsletters and marketing communications to subscribers
• Data Processed: Email addresses, names, subscription preferences, email engagement metrics
• Location: European Union (primary), with global infrastructure
• Security Certifications: ISO 27001, GDPR compliant
• DPA: Brevo DPA
• Website: brevo.com

3.8 Content Delivery and Performance

Tailwind CSS CDN

• Service: CSS framework delivery
• Purpose: Delivers Tailwind CSS framework for website styling
• Data Processed: IP addresses, request headers (minimal, for CDN delivery)
• Location: Global CDN
• Website: tailwindcss.com

Cloudflare CDN (if used)

• Service: Content Delivery Network and DDoS protection
• Purpose: Accelerates website delivery and provides security
• Data Processed: IP addresses, request headers, cached content
• Location: Global network
• Security Certifications: ISO 27001, SOC 2 Type II, GDPR compliant
• Website: cloudflare.com

3.9 Security and Compliance

Trustpilot

• Service: Review and reputation management platform
• Purpose: Collects and displays customer reviews
• Data Processed: Email addresses, names, review content
• Location: European Union and United States
• Security Certifications: ISO 27001, GDPR compliant
• Website: trustpilot.com

Sectigo (SSL Certificate Authority)

• Service: SSL/TLS certificate issuance
• Purpose: Issues SSL certificates for secure HTTPS connections
• Data Processed: Domain names, certificate signing requests, validation data
• Location: United States and United Kingdom
• Security Certifications: WebTrust certified CA
• Website: sectigo.com

4. Data Processing Locations

4.1 Primary Locations

• United States: Primary data processing location for hosting, payments, and most services
• European Union: Email marketing (Brevo), some analytics
• Global CDN: Content delivery networks operate globally for performance

4.2 Data Transfer Mechanisms

For subprocessors located outside the EU/EEA:

• Standard Contractual Clauses (SCCs) implemented
• Supplementary measures for data transfers
• Compliance with GDPR Chapter V requirements
• Regular review of transfer risk assessments

5. Subprocessor Security Requirements

5.1 Minimum Security Standards

All subprocessors must implement:

• Encryption in transit (TLS/SSL)
• Encryption at rest for sensitive data
• Access controls and authentication
• Regular security audits and penetration testing
• Incident response procedures
• Employee background checks and training
• Physical security measures

5.2 Compliance Requirements

Subprocessors must comply with:

• GDPR (for EU personal data)
• CCPA (for California residents)
• Industry-specific regulations (PCI-DSS for payment processors, etc.)
• Our Data Processing Agreement terms

6. Changes to Subprocessor List

6.1 Notification of Changes

We will notify clients of changes to our subprocessor list:

• New Subprocessors: 30 days advance notice before engagement
• Removed Subprocessors: Updated within 30 days of removal
• Changes to Existing: Material changes communicated within 30 days

6.2 Notification Methods

• Email notification to active customers
• Update to this webpage with "Last Updated" date
• Notice in customer dashboard (if applicable)

6.3 Right to Object

Enterprise clients with custom Data Processing Agreements may object to new subprocessors:

• Objection must be made within 30 days of notification
• Must be based on legitimate data protection concerns
• We will work to find alternative solutions or subprocessors
• If no alternative is feasible, either party may terminate the agreement

7. Subprocessor Audits

7.1 Our Audit Rights

We maintain the right to:

• Audit subprocessor security and compliance measures
• Request security certifications and compliance reports
• Review incident response procedures
• Assess data protection safeguards

7.2 Client Audit Rights

Enterprise clients may request:

• Copies of subprocessor security certifications (SOC 2, ISO 27001, etc.)
• Summaries of our subprocessor due diligence processes
• Information about data processing activities

8. Data Breach Notification

If a subprocessor experiences a data breach affecting customer data:

• Subprocessor must notify us within 24 hours
• We will assess impact and determine notification requirements
• Affected customers notified within 72 hours (GDPR requirement)
• We will coordinate breach response and remediation
• Post-breach review and potential subprocessor changes

9. Data Retention by Subprocessors

Subprocessor data retention policies:

• Active Services: Data retained while service is active
• Upon Termination: Data deleted within 90 days unless legally required to retain
• Backups: Backup data purged according to backup retention schedules
• Logs: Typically retained 30-90 days depending on subprocessor

10. Removal of Subprocessors

We may remove subprocessors if they:

• Fail to maintain adequate security measures
• Experience significant security incidents
• Violate data protection agreements
• No longer meet our compliance requirements
• Are replaced by better alternatives

11. Sub-subprocessors

Some subprocessors may engage their own subprocessors (sub-subprocessors). We ensure:

• Sub-subprocessors meet the same standards as primary subprocessors
• Contractual flow-down of data protection obligations
• Ultimate liability remains with primary subprocessor and Coropos Web Services

12. Contact Information

12.1 Subprocessor Questions

For questions about our subprocessors or data processing:

• Email: privacy@coroposws.com
• Data Protection Officer: dpo@coroposws.com

12.2 Subscribe to Updates

To receive automatic notifications of subprocessor changes:

• Enterprise clients: Notifications sent automatically per DPA
• Standard clients: Check this page or contact us to be added to notification list

This Subprocessor List is maintained as part of our commitment to transparency and GDPR compliance. We continuously evaluate and improve our subprocessor relationships to ensure the highest standards of data protection and security.

Last Updated: December 11, 2024

Appendix: Subprocessor Summary Table