Sub-Processors
Third-party service providers that help us deliver our SaaS platform securely and efficiently.
Last reviewed: 06 Sep. 2025
Where a vendor is an active participant in the EU-US Data Privacy Framework (DPF) (and UK Extension), we rely on DPF and do not use SCCs. For non-adequate destinations, we use EU 2021 SCCs with the UK Addendum.
Please refer to the official list of DPF-certified organisations here: https://www.dataprivacyframework.gov/list
1) Hosting & Core Infrastructure
| Provider | Purpose | Location / Residency | Safeguards |
|---|---|---|---|
| Amazon Web Services (AWS) | IaaS hosting, databases, networking, object storage, KMS | US West (e.g., Oregon) primary | DPF Certified, ISO 27001/27017/27018 |
| Cloudflare | CDN | Global network; caching in-region where available | DPF Certified, ISO 27001 |
2) Security, Performance & Threat Detection
| Provider | Purpose | Location / Residency | Safeguards | Notes |
|---|---|---|---|---|
| Trend Micro – Trend Cloud One | Workload security, threat detection (IPS/IDS) | EU (Germany/Netherlands) or Japan | ISO 27001 | If Japan region is used, EU/UK→Japan relies on adequacy. |
| AWS CloudWatch | Infrastructure/application monitoring, metrics & logs | As per AWS region configuration | DPF Certified (covered under AWS) |
3) Payments & Tax Processing
| Provider | Purpose | Location / Residency | Safeguards |
|---|---|---|---|
| Stripe | Payment processing | Global (regional routing) | DPF Certified, PCI-DSS |
| Quaderno | VAT invoicing, EU OSS/MOSS tax compliance | EEA processing (EU data centres) | DPA on file, EEA residency |
| Xero | Accounting (invoicing, AR/AP, bank feeds) | New Zealand (EU/UK→NZ adequacy) | Adequacy (NZ); DPA on file |
4) Customer Communication & Support
| Provider | Purpose | Location / Residency | Safeguards | Notes |
|---|---|---|---|---|
| Intercom | In-app messaging, support CRM | EU/US (vendor hosted) | DPF Certified | |
| Paperform | Web forms (contact, intake) | Vendor hosted | SCCs | Use limited to non-sensitive submissions. |
5) Analytics, Marketing & Advertising
| Provider | Purpose | Location / Residency | Safeguards |
|---|---|---|---|
| Google Analytics / Tag Manager | Website analytics, tag orchestration | Vendor hosted | DPF Certified |
| Meta (Facebook) | Advertising & retargeting | Vendor hosted | DPF Certified |
| Advertising & retargeting | Vendor hosted | DPF Certified | |
| X (Twitter) Ads | Advertising | Vendor hosted | DPF Certified |
6) Application Monitoring & Error Reporting
| Provider | Purpose | Location / Residency | Safeguards |
|---|---|---|---|
| SmartBear – Bugsnag | Error reporting, crash analytics | Vendor hosted | DPF Certified |
7) Internal Business, Email & Collaboration
| Provider | Purpose | Location / Residency | Safeguards |
|---|---|---|---|
| Google Workspace | Email, documents, storage | Vendor hosted | DPF Certified |
| Microsoft 365 | Productivity suite | Vendor hosted | DPF Certified |
| Slack | Team communications | Vendor hosted | DPF Certified |
| Microsoft Teams | Meetings, chat & collaboration | Vendor hosted | DPF Certified |
8) Development & Testing / Front-End Assets
| Provider | Purpose | Location / Residency | Safeguards |
|---|---|---|---|
| GitHub | Source control, CI | Vendor hosted | DPF Certified |
| Postman | API collaboration & testing | Vendor hosted | DPF Certified |
| Font Awesome | Icon fonts / CDN | Vendor hosted | DPF Certified |
9) Email & Forms
| Provider | Purpose | Location / Residency | Safeguards |
|---|---|---|---|
| Mailchimp / Mandrill | Marketing email & transactional relay | Vendor hosted | DPF Certified |
10) Development Partner
| Provider | Purpose | Location / Residency | Safeguards | Notes |
|---|---|---|---|---|
| Histone Web Solutions (Private) Ltd. | Software development & maintenance | Pakistan | EU SCCs (2021, Module 3); UK Addendum | Direct SCCs/UK Addendum executed for restricted transfers. |
Questions?
If you have any concerns about SellerLegend's use of Sub-Processors, please contact us at:
support@sellerlegend.com