Sub-Processors

Last Modified: April 27, 2020

Brightidea, Inc. (“Brightidea”) uses certain sub-processors and content delivery networks to assist it in delivering the Brightidea Services described in the Master Services Subscription Agreement (MSA), Order Form, SoW or similar commercial agreement.

What is a Sub-processor
A sub-processors is a third-party data processor engaged by Brightidea, who has or potentially will have access to or process Service Data (which may contain personal data). Brightidea engages different types of sub-processors to perform various functions as explained in the table below.

Due Diligence
Brightidea undertakes to use a commercially reasonable selection process by which it evaluates the security, privacy, and confidentiality practices of proposed sub-processors that will or may have access to or process Service Data.

Contractual Safeguards
Brightidea requires its sub-processors to satisfy equivalent obligations as those required from Brightidea (as a Data Processor) as set forth in Brightidea’s Data Processing Agreement (DPA), including but not limited to the requirements to:

  • Process Personal Data in accordance with data controller’s (i.e. Subscriber’s) documented instructions;
  • In connection with their sub-processing activities, use only personnel who are reliable and subject to a contractually binding obligation to observe data privacy and security, to the extent applicable, pursuant to applicable data protection laws;
  • Provide regular training in security and data protection to personnel to whom they grant access to Personal Data;
  • Implement and maintain appropriate technical and organizational measures (including measures consistent with those to which Brightidea is contractually committed to adhere insofar as they are equally relevant to the sub-processor’s processing of Personal Data on Brightidea’s behalf) and provide an annual certification that evidences compliance with this obligation. In the absence of such certification Brightidea reserves the right to audit the sub-processor;
  • Promptly inform Brightidea about any actual or potential security breach; and
  • Cooperate with Brightidea in order to deal with requests from data controllers, data subjects or data protection authorities, as applicable.

This policy does not give Subscribers any additional rights or remedies and should not be construed as a binding agreement. The information herein is only provided to illustrate Brightidea’s engagement process for sub-processors as well as to provide the actual list of third-party sub-processors and content delivery networks used by Brightidea as of the date of this policy (which Brightidea may use in the delivery and support of its Services).

If you are a Brightidea Subscriber and wish to enter into our DPA, please email us at data-privacy@brightidea.com.

Process to Engage New Sub-Processors
For all Subscribers who have executed Brightidea’s standard DPA, Brightidea will provide notice via this policy of updates to the list of sub-processors that are utilized or which Brightidea proposes to utilize to deliver its Services. Brightidea undertakes to keep this list updated regularly to enable its Subscribers to stay informed of the scope of sub-processing associated with the Brightidea Services.

Pursuant to the DPA, a Subscriber can object in writing to the processing of its Personal Data by a new sub-processor within ten (10) business days after updating of this policy and shall describe its legitimate reason(s) for objection. If Subscriber does not object during such time period, the new sub-processor(s) shall be deemed accepted.

If a Subscriber objects to the use of a sub-processor pursuant to the process provided under the DPA, Brightidea shall have the right to cure the objection through one of the following options (to be selected at Brightidea’s sole discretion):

  • Brightidea will cease to use the new sub-processor with regard to Personal Data;
  • Brightidea will take the corrective steps requested by Subscriber in its objection (which steps will be deemed to resolve Subscriber’s objection) and proceed to use the sub-processor to process Personal Data; or
  • Brightidea may cease to provide or Subscriber may agree not to use (temporarily or permanently) the particular aspect of a Brightidea Service that would involve use of the sub-processor to process Personal Data.

The following is an up-to-date list (as of the date of this policy) of the names and locations of Brightidea sub-processors and content delivery networks:

Infrastructure Sub-Processors
Brightidea owns or controls access to the infrastructure that Brightidea uses to host Service Data submitted to the Services, other than as set forth below. Currently, the Brightidea production systems for the Services are located in co-location facilities in the United States and Europe and in the infrastructure sub-processors listed below. Subscriber accounts are typically established in one of these regions based on where the Subscriber is located but may be shifted among locations to ensure performance and availability of the Services. The following table describes the countries and legal entities engaged by Brightidea in the storage of Service Data. Brightidea also uses additional services provided by these sub-processors to process Service Data as needed to provide the Services.

Entity Name Entity Type Entity Country
Amazon Web Services, Inc. Cloud Service Provider United States, Ireland

Service Specific Sub-Processors
Brightidea works with certain third-parties to provide specific functionality within the Services. These providers are the Sub-processors set forth below. In order to provide the relevant functionality these Sub-processors may access or process Service Data. Their use is limited to the indicated Services.

Entity Name Purpose Entity Country
SolarWinds Worldwide, LLC Connectivity logging and monitoring via Papertrail United States
Functional Software, Inc Error reporting via Sentry United States
Mixpanel, Inc. Analytics United States
Heap Analytics United States
Intercom, Inc. Live support and customer engagement United States
Drift Live support and customer engagement United States
Box, Inc. Storage United States
Mailgun Technologies, Inc. Email service provider United States
Gong.io Conversation intelligence tool United States

Content Delivery Networks
Brightidea’s Services use content delivery networks (“CDNs”) to provide the Services, for security purposes, and to optimize content delivery. CDNs do not have access to Service Data but are commonly used systems of distributed services that deliver content based on the geographic location of the individual accessing the content and the origin of the content provider. Website content served to website visitors and domain name information may be stored with a CDN to expedite transmission, and information transmitted across a CDN may be accessed by that CDN to enable its functions. The following describes use of CDNs by Brightidea’s Services.

CDN Provider CDN Location Description of CDN Services
Amazon Web Services, Inc. Global Public website content served to website visitors may be stored with Amazon Web Services, Inc., and transmitted by Amazon Web Services, Inc., to website visitors, to expedite transmission.