SolidCo Pty Ltd
ABN 41 680 244 446

Subprocessor Policy

Version 1.0

1. Purpose

SolidCo Pty Ltd (“SolidCo”, “we”, “our” or “us”) is committed to protecting the personal information entrusted to us by our clients and their users.

As part of providing our services, we may engage carefully selected third party service providers (“subprocessors”) to assist us in delivering web development, cloud hosting, managed services, cybersecurity, software development, communications, billing and related business services.

This policy explains how we select, manage and monitor our subprocessors and should be read together with our:

2. Scope

This policy applies whenever SolidCo processes personal information on behalf of a client and engages a third party to assist in delivering those services.

Where SolidCo acts as a data processor under applicable privacy legislation, including the UK General Data Protection Regulation (UK GDPR) and the European Union General Data Protection Regulation (EU GDPR), we will only appoint subprocessors that provide appropriate safeguards for protecting personal data.

3. What is a Subprocessor?

A subprocessor is a third party organisation that processes personal information on behalf of SolidCo so that we can deliver our services to our clients.

Examples include providers of:

  • Cloud hosting
  • Content delivery and cybersecurity
  • Email and productivity services
  • Accounting and invoicing
  • Payment processing
  • Source code management
  • Business communications

4. Our Principles

When selecting subprocessors, SolidCo aims to:

  • use reputable providers with established security practices;
  • minimise the amount of personal information shared;
  • only share information necessary to provide the relevant service;
  • require subprocessors to protect personal information appropriately;
  • periodically review the suitability of our subprocessors; and
  • comply with applicable privacy legislation and contractual obligations.

5. International Data Transfers

Some of our subprocessors operate globally and may process personal information outside Australia, the United Kingdom or the European Economic Area.

Where required by applicable law, we rely on appropriate safeguards for international data transfers, which may include:

  • European Commission Standard Contractual Clauses (SCCs);
  • the UK International Data Transfer Addendum or International Data Transfer Agreement (IDTA);
  • adequacy decisions; or
  • other lawful transfer mechanisms recognised under applicable privacy laws.

6. Security

SolidCo expects subprocessors to maintain appropriate technical and organisational measures to protect personal information.

Depending on the services provided, these measures may include:

  • encryption in transit;
  • encryption at rest where appropriate;
  • multi factor authentication;
  • role based access controls;
  • security monitoring and logging;
  • vulnerability and patch management;
  • incident response procedures; and
  • business continuity and disaster recovery processes.

While we undertake reasonable due diligence before engaging subprocessors, each provider remains independently responsible for the security of its own systems and services.

7. Current Subprocessors

The following organisations may process personal information on our behalf as part of delivering our services.

Subprocessor Headquarters Purpose Typical Personal Information Processing Locations
Amazon Web Services (AWS)United StatesCloud hosting, databases, storage and backupsCustomer application data, databases, files and logsRegional AWS infrastructure and global support operations
CloudflareUnited StatesDNS, CDN, Web Application Firewall, Zero Trust, Workers and edge securityIP addresses, request metadata and security logsGlobal Cloudflare network
GoogleUnited StatesGoogle Workspace, email, documents and collaborationBusiness contact information, emails and documentsGlobal Google infrastructure
MicrosoftUnited StatesMicrosoft 365 and productivity services where utilisedBusiness contact information and documentsGlobal Microsoft infrastructure
StripeUnited States / IrelandPayment processing and billingBilling details and payment metadataGlobal Stripe infrastructure
XeroNew ZealandAccounting and invoicingCustomer names, business details, invoices and payment recordsGlobal Xero infrastructure
TwilioUnited StatesSMS and communication services where enabledPhone numbers and communication metadataGlobal Twilio infrastructure
SlackUnited StatesInternal business communications and supportBusiness contact information and support communicationsGlobal Slack infrastructure
BrevoFranceTransactional email and marketing communications where utilisedNames, email addresses and communication historyEuropean and global infrastructure
MailchimpUnited StatesEmail marketing where utilisedContact details and marketing preferencesGlobal Mailchimp infrastructure
Bitbucket (Atlassian)AustraliaSource code hosting and software development collaborationDeveloper account details, repositories and development recordsGlobal Atlassian Cloud infrastructure

Additional subprocessors may be engaged where necessary to deliver specific client services.

8. Changes to Subprocessors

SolidCo may update its list of subprocessors as our business or technology changes.

The current version of this policy will always be available on our website.

Where required by contract or applicable law, we will notify affected clients before appointing a new subprocessor that materially changes the processing of client personal information.

9. Client Enquiries

Clients may request additional information regarding our subprocessors or the safeguards we apply by contacting us using the details below.

Where required by applicable privacy legislation or contractual obligations, we will respond within the applicable legal timeframes.

10. Contact

Privacy Officer
SolidCo Pty Ltd
ABN 41 680 244 446

Privacy enquiries may also be submitted using the contact details provided in our Privacy Policy.

Contact Us Contact Us

11. Policy Updates

We may amend this policy from time to time to reflect changes in our services, subprocessors or applicable legal requirements.

The latest version will always be published on our website.


Related Documents