Sub-Processor Policy

Effective as of 23 April 2022

What is a Sub-Processor

A Sub-processor is a third-party data processor engaged by RideSuite, who has or potentially will have access to, or will process, Service Data (which may contain Personal Data). RideSuite engages different types of Sub-processors to perform various functions as explained in the table below.

Definitions

The capitalised terms used in this Sub-processor Policy shall have the meanings set forth in this Sub-processor Policy. Capitalised terms not otherwise defined herein shall have the meaning given to them in the Data Processing Addendum.

Due Diligence

RideSuite undertakes to use a commercially reasonable selection process by which it evaluates the security, privacy and confidentiality practices of proposed Sub-processors.

Contractual Safeguards

RideSuite generally requires its Sub-processors to satisfy equivalent obligations as those required of RideSuite where it acts as data processor, as set forth in RideSuite’s Data Processing Addendum (“DPA”), including but not limited to the requirements to:

  • Process Personal Data in accordance with Subscriber’s, the data controller’s, documented instructions (as communicated in writing to the relevant Sub-processor by RideSuite);
  • In connection with their sub-processing activities, use only personnel who are reliable and subject to a contractually binding obligation to observe data privacy and security, to the extent applicable, pursuant to applicable Data Protection Laws;
  • Provide regular training in security and data protection to personnel to whom they grant access to Personal Data;
  • Implement and maintain appropriate technical and organisational measures (including measures consistent with those to which RideSuite is contractually committed to adhere to insofar as they are equally relevant to the Sub-processor’s processing of Personal Data on RideSuite’s behalf) and provide an annual certification that evidences compliance with this obligation. In the absence of such certification RideSuite reserves the right to audit the Sub-processor;
  • Promptly inform RideSuite about any actual or potential security breach; and
  • Cooperate with RideSuite in order to deal with requests from data controllers, data subjects or data protection authorities, as applicable.

This policy does not give Subscribers any additional rights or remedies and should not be construed as a binding agreement. The information herein is only provided to illustrate RideSuite’s engagement process for Sub-processors as well as to provide the actual list of third-party Sub-processors used by RideSuite as of the date of this policy (which RideSuite may use in the delivery and support of its Services).

Sub-Processor Engagement

Where requested, RideSuite will provide notice via this policy of updates to the list of Sub-processors that are utilised or which RideSuite proposes to utilise to deliver its Services. RideSuite undertakes to keep this list updated regularly to enable its Subscribers to stay informed of the scope of sub-processing associated with the RideSuite Services. RideSuite Subscribers may request to receive email notifications of updates to this policy by emailing [email protected].

Pursuant to the DPA, a Subscriber may object in writing to the processing of its Personal Data by a new Sub-processor within ten (10) days following receipt of RideSuite’s communication advising of the new Sub-processor. Such objection shall describe Subscriber’s legitimate reason(s) for objection. If Subscriber does not object during such time period, the new Sub-processor(s) shall be deemed accepted.

If a Subscriber objects to the use of a new Sub-processor pursuant to the process provided under the DPA, RideSuite shall seek to cure the objection through one of the following options (to be selected at RideSuite’s sole discretion):

(a) RideSuite will cease to use the new Sub-processor with regard to Personal Data;

(b) RideSuite will take the corrective steps requested by Subscriber in its objection (which steps will be deemed to resolve Subscriber’s objection) and proceed to use the Sub-processor to process Personal Data; or

(c) RideSuite may cease to provide or Subscriber may agree not to use (temporarily or permanently) the particular aspect of a RideSuite Service that would involve use of the Sub-processor to process Personal Data.

Termination rights, as applicable and agreed, are set forth exclusively in the DPA.

The following is an up-to-date list (as of the date of this policy) of the names and locations of RideSuite Sub-processors:

Sub-processors

RideSuite owns or controls access to the infrastructure that RideSuite uses to host and process Service Data submitted to the Services, other than as set forth below:

Purpose & Description: Hosting services, file storage, backup and cloud services for Service Data, including Personal Data of Subscribers’ Agents and End Users.
Location: Netherlands

Purpose & Description: Nexus Geographics provides location and mapping services for RideSuite. Nexus has access to location-related Service Data of End Users to provide the Services.
Location: Spain

Purpose & Description: Google provides cloud services to RideSuite, including validation of addresses. Google acts as a RideSuite sub-processor when, for example, validating home addresses of Subscribers’ Agents and End Users.
Location: United States

Purpose & Description: RideSuite uses Twilio’s development platform to enable voice and SMS messages among Subscribers, Agents and End Users. Twilio has access to Service Data contained in the messages and the Personal Data of Subscribers’ Agents and End Users as needed to send and deliver the messages.
Location: United States

Sub-Processor: Sendgrid
Purpose & Description: RideSuite uses Sendgrid, a Twilio company, to send notification emails to Agents and End Users. The primary information Sendgrid has access to is the email addresses of recipients and the content of the emails themselves.
Location: United States