Data Handling & Sub-Processing Policy
At Karbon Digital Group, including its subsidiaries and affiliates (“Karbon Digital,” “we,” “our,” or “us”), we are committed to safeguarding the privacy and security of your personal information. To provide our services, we may engage third-party companies (“Sub-processors”) to process personal data on our behalf. This Data Handling & Sub-Processing Policy outlines the nature of such relationships, our criteria for selecting Sub-processors, and the measures we take to ensure the security and privacy of your data.
1. Sub-Processor Details
A Sub-processor is a third-party service provider that we engage to process personal data on behalf of Karbon Digital in connection with the services we provide. Sub-processors may include cloud infrastructure and storage providers, authentication and identity providers, customer support platforms, payment processors, email and communication services, analytics providers, integration and productivity tools, and AI or other technical service providers.
Sub-processors are engaged by Karbon Digital to perform specific tasks related to data processing. They may have access to personal data only to the extent necessary to provide the agreed services and in accordance with our instructions and applicable data protection agreements.
2. Our Commitment to Data Privacy
We take data privacy and security seriously and select Sub-processors who meet stringent data protection requirements. We ensure that all Sub-processors:
Adhere to applicable data protection laws: Sub-processors must comply with all relevant data protection laws and regulations, including (as applicable) the General Data Protection Regulation (GDPR) in the European Economic Area, the UK GDPR, the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and other applicable national or regional laws.
Implement adequate security measures: Sub-processors must have appropriate technical and organizational measures in place to ensure the security of personal data and to protect against unauthorized access, loss, alteration, or misuse.
Enter into data protection agreements: We require each Sub-processor to sign a Data Processing Agreement (DPA) or equivalent contract that sets out their responsibilities in protecting the data we share with them and ensures they process personal data only for the purposes and in the manner defined by Karbon Digital.
We maintain information on the identity (name, address, and where relevant contact person) of our Sub-processors and keep this information up to date to support transparency and accountability.
3. List of Sub-Processors
Below is a list of categories of Sub-processors that we may engage, along with examples of the types of services they provide. We regularly review and update our list of Sub-processors. The actual Sub-processors we use may vary by product, region, or over time.
Cloud infrastructure & storage
Examples: Google Cloud Platform (GCP), Amazon Web Services (AWS), Microsoft Azure
Purpose: Hosting applications and data, cloud storage, databases, compute
Authentication & identity
Examples: Google (Firebase / Identity Platform), Okta
Purpose: User authentication, identity management, single sign-on, access control
Payment processing
Examples: Stripe
Purpose: Payment processing, subscription billing, fraud prevention
Email & communications
Examples: Resend, SendGrid, or similar
Purpose: Transactional and account-related emails, notifications
Analytics
Examples: Firebase Analytics (Google)
Purpose: Website and product usage analytics, performance measurement
Integrations & productivity
Examples: Nango (cloud integrations), Slack, Asana, or similar
Purpose: Cloud file integrations (e.g., Google Drive, OneDrive, Dropbox), internal collaboration and project management
AI and machine learning
Examples: Google (Gemini), Anthropic, OpenAI, Cohere, xAI, or similar
Purpose: AI-powered features and processing as part of our services
Customer support
Examples: Zendesk, Intercom, or similar
Purpose: Customer service, help desk, live chat (where used)
We may engage additional or different Sub-processors within these categories or add new categories as our services evolve. Where required by law or our contracts, we will inform you of significant changes and, where necessary, obtain consent or allow objection in line with Section 7 below.
4. Due Diligence and Risk Assessment
Before engaging any Sub-processor, we conduct a due diligence process that includes:
Assessing security measures: We evaluate the Sub-processor’s security practices to ensure they meet industry standards and our internal security requirements (e.g. encryption, access controls, incident response).
Reviewing data protection practices: We review the Sub-processor’s privacy and data protection policies and, where appropriate, certifications (e.g. SOC 2, ISO 27001) to ensure they align with applicable regulations and our expectations.
Ongoing monitoring: We monitor our Sub-processors and, where necessary, conduct or request audits, security questionnaires, and third-party assessments to verify ongoing compliance.
The extent of verification is proportionate to the nature of the processing and the risk to individuals’ rights and freedoms.
5. Sub-Processor Responsibilities
Sub-processors are contractually required to meet obligations that include, where applicable:
Processing personal data only on Karbon Digital’s documented instructions.
Implementing appropriate technical and organizational security measures.
Not engaging further sub-processors (or only in accordance with our contract and consent).
Not using or disclosing personal data for their own purposes or to unauthorized third parties.
Notifying us promptly of any personal data breach or security incident.
Assisting Karbon Digital in responding to data subject requests and in meeting our obligations under applicable data protection laws (including GDPR Article 28 and equivalent requirements).
Deleting or returning personal data at the end of the service relationship, as we instruct.
6. Data Transfers and International Sub-Processors
Some Sub-processors may be located outside your country or region. When personal data is transferred internationally, Karbon Digital ensures that appropriate safeguards are in place. These may include:
Adequacy decisions: Transfers to countries that have been recognized by the European Commission (or equivalent authority) as providing an adequate level of data protection.
EU–U.S. Data Privacy Framework (DPF) and UK Extension: For Sub-processors in the United States, we may rely on the EU–U.S. Data Privacy Framework and the UK extension to the DPF, where the Sub-processor is certified and the transfer falls within the scope of the framework.
Standard Contractual Clauses (SCCs): We may put in place EU/UK Standard Contractual Clauses (or equivalent) with Sub-processors to ensure that personal data is transferred in compliance with GDPR and UK GDPR requirements.
Other lawful mechanisms: We may also use other recognized transfer tools (e.g. binding corporate rules, derogations where applicable) as appropriate.
We are happy to provide more detail on the safeguards used for a specific transfer on request (see Section 8).
7. Updates to Sub-Processors
We may update our list of Sub-processors when we engage new providers or end relationships with existing ones. We will notify users and customers of significant changes through updates to this policy (and, where relevant, by email or in-product notice). Where required by applicable law or our contracts, we will also allow a reasonable period to object to the use of a new Sub-processor or to the change, and we may need to obtain consent for the use of new Sub-processors that process sensitive or special-category personal data.
The “Last updated” date at the bottom of this policy indicates when the policy was last revised.
8. Your Rights as a Data Subject
Depending on your location and applicable law, you may have rights regarding your personal data, including:
Access: You may request access to your personal data and, where we act as controller, information about how we process it (including, on request, a list of Sub-processors relevant to the processing of your data).
Rectification: You may request correction of inaccurate or incomplete personal data.
Erasure (“right to be forgotten”): You may request deletion of your personal data, subject to any exceptions or conditions under the law applicable to you (for example, where we must retain data for legal or contractual reasons).
Restriction and portability: Where applicable, you may have the right to restrict processing or to receive your data in a structured, commonly used format.
Objection: You may object to certain processing of your personal data (for example, processing based on legitimate interests or for direct marketing). Where you object to the use of a specific Sub-processor, we will assess the situation and respond in accordance with our legal obligations.
Withdraw consent: Where processing is based on consent, you may withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.
Complaint: You have the right to lodge a complaint with a supervisory authority in your country or region.
To exercise any of these rights, or to ask questions about our use of Sub-processors, please contact us using the details in Section 9. We will respond within the timeframes required by applicable law.