Subprocessors

Last updated: 7/28/2025

1. Introduction

Citosoft Ltd uses certain subprocessors to assist in providing the CitoHR platform and services. This page lists the subprocessors we use, the services they provide, and their locations. All subprocessors are bound by data protection obligations equivalent to those in our Data Processing Agreement (DPA).

2. Subprocessor Categories

Our subprocessors fall into the following categories:

  • Cloud Infrastructure: Hosting, deployment, and data storage services
  • Database & Backend: Database management and backend services
  • Payment Processing: Payment gateway and transaction processing
  • Analytics and Monitoring: Service analytics and performance monitoring
  • Communication Services: Email delivery and marketing services
  • CDN & Security: Content delivery network and security services

3. Current Subprocessors

The following is a list of our current subprocessors:

Subprocessor Service Location Data Processed
Vercel Hosting & Deployment EU, USA Application hosting, deployment data
Supabase Database & Backend Services EU, USA Customer data, application data, database records
Resend Email Delivery EU, USA Email addresses, email content
Google (Analytics) Analytics & Monitoring EU, USA Usage analytics, aggregated data
Stripe Payment Processing EU (Ireland), USA Payment information, billing data
MailerLite Email Marketing EU (Lithuania), USA Email addresses, marketing preferences
Amazon Web Services (AWS) Cloud Infrastructure & Storage EU (Ireland), UK, USA Customer data, application data, backups
Cloudflare CDN & Security Services Global (EU, USA, Asia) Network traffic, security logs, cached content
Teamwork.com Ticket Management EU (Ireland), USA Support tickets, customer inquiries, ticket data
Zoho Mail Email Services EU, USA, India Email addresses, email content, email metadata
GitHub Backup Storage EU, USA Backup data, code repositories, version control data

Note: This list is subject to change. We will notify customers of any material changes to our subprocessors in accordance with our Data Processing Agreement.

4. Subprocessor Requirements

All subprocessors are required to:

  • Comply with applicable data protection laws, including GDPR
  • Implement appropriate technical and organizational security measures
  • Process personal data only in accordance with our instructions
  • Maintain confidentiality and security of personal data
  • Notify us of any data breaches without undue delay
  • Assist us in responding to data subject requests
  • Delete or return personal data upon termination of services

5. Data Transfers

Some subprocessors may process personal data outside the European Economic Area (EEA). When such transfers occur, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions by the European Commission
  • Other appropriate safeguards as required by GDPR

6. Changes to Subprocessors

We may add or replace subprocessors from time to time. When we do so, we will:

  • Update this page with the new subprocessor information
  • Notify customers of material changes via email or through our platform
  • Provide at least 30 days' notice for material changes, where possible
  • Ensure new subprocessors are bound by equivalent data protection obligations

If you object to a new subprocessor, you may terminate your agreement with us in accordance with our Terms of Service.

7. Subprocessor Security

We regularly assess our subprocessors' security practices and compliance with data protection requirements. All subprocessors must demonstrate:

  • ISO 27001 certification or equivalent security standards
  • GDPR compliance and data protection certifications
  • Regular security audits and assessments
  • Incident response and breach notification procedures
  • Data encryption in transit and at rest

8. Contact Information

For questions about our subprocessors or to request additional information, please contact:

  • Company: Citosoft Ltd
  • Address: Ipswich, Suffolk, UK
  • Email: legal@citosoft.co.uk
  • Data Protection Officer: Daniel Cherrington
  • ICO Registration Number: ZB995691

Related Documents: