Sub-Processors
Last updated: 2025-11-29
ComplySherpa engages the following third-party service providers (“sub-processors”) to support delivery of our platform. Each sub-processor is vetted for security and privacy practices. We maintain written agreements, including data-processing terms.
Change Notifications
We will update this page at least 30 days before engaging a new sub-processor or making material changes. Customers may subscribe to change notifications by emailing legal@complysherpa.com.
Current Sub-Processors
| Vendor | Service / Purpose | Data Categories | Primary Regions | Transfer Mechanism | Notes |
|---|---|---|---|---|---|
| Microsoft Azure | Cloud hosting, databases, storage, networking | Customer content (stored & processed), account metadata, logs | Canada, USA, EU (as configured) | Regional hosting; SCCs / DPA as applicable | Encryption at rest & in transit; role-based access |
| Amazon Web Services (AWS) | Optional workloads / integrations (per feature) | Customer content (processed), integration artifacts, logs | USA, EU (service-dependent) | Regional hosting; SCCs / DPA as applicable | Used for specific integrations or redundancy |
| Microsoft Clarity | Analytics: heatmaps & session insights (marketing site) | Usage analytics (pseudonymous); no sensitive form content (masked) | Global (service-managed) | Consent-based analytics; SCCs / DPA | Loaded only after user consent via cookie banner |
| SendGrid / Twilio | Transactional email (trial confirmations, notifications) | Contact details (name, email), message metadata | USA, EU (service-dependent) | SCCs / DPA | No marketing without consent; unsubscribe links included |
| Stripe | Payments & subscription billing | Billing contact, limited payment metadata (no card data stored by us) | USA, EU (service-dependent) | SCCs / DPA | PCI-DSS handled by Stripe |
Data Categories (Reference)
- Customer content: evidence files, policy docs, control data uploaded by customers.
- Account metadata: names, emails, roles, workspace configuration.
- Operational logs: access, changes, job runs, error telemetry.
- Usage analytics: pseudonymous events on the public site (consent-based).
Regionality & Transfers
We aim to process data in the region selected by the customer where supported. Where international transfers occur, we rely on adequacy decisions or Standard Contractual Clauses (SCCs) and implement additional safeguards.
Questions
Contact privacy@complysherpa.com for a signed DPA, regional hosting options, or security documentation (e.g., SOC 2 Type II report).