
Data Processing Policy

At Karbon Digital Group, we are committed to safeguarding the privacy and security of your personal information. To provide our services, we may engage third-party companies (“Sub-processors”) to process personal data on our behalf. This **Sub-processors Policy** outlines the nature of such relationships, our criteria for selecting sub-processors, and the measures we take to ensure the security and privacy of your data.

1. Sub-processors Details 

A Sub-processor is a third-party service provider that we engage to process personal data on behalf of Karbon Digital Group in connection with the services we provide. Sub-processors may include cloud storage providers, customer support platforms, payment processors, or other technical service providers.

Sub-processors are engaged by Karbon Digital to perform specific tasks related to data processing, and they may have access to personal data depending on the nature of the services provided.

2. Our Commitment to Data Privacy

We take data privacy and security seriously and select Sub-processors who meet stringent data protection requirements. We ensure that all Sub-processors:

– Adhere to applicable data protection laws: Sub-processors must comply with all relevant data protection laws and regulations, such as the General Data Protection Regulation (GDPR) in Europe, the California Consumer Privacy Act (CCPA), and other applicable laws.

– Implement adequate security measures: Sub-processors must have appropriate technical and organizational measures in place to ensure the security of personal data and prevent unauthorized access, loss, or misuse.

– Enter into data protection agreements: We require each Sub-processor to sign a Data Processing Agreement (DPA) that outlines their responsibilities in protecting the data we share with them, ensuring they process personal data only for the purposes defined by Karbon Digital.

3. List of Sub-processors

Below is a list of categories of Sub-processors that we may engage, along with examples of the types of services they provide. We regularly review and update our list of Sub-processors to ensure transparency.

– Cloud Infrastructure Providers
– Example: Amazon Web Services (AWS), Microsoft Azure or Google Cloud Platform (GCP)
– Purpose: Hosting data and applications, cloud storage

– Payment Processing Services
– Example: Stripe, PayPal
– Purpose: Payment processing, fraud detection, and prevention

– Customer Support Platforms
– Example: Zendesk, Intercom
– Purpose: Customer service management, live chat support, help desk services

– Analytics Services
– Example: Google Analytics
– Purpose: Analyzing website traffic, user behavior, and site performance

– Email and Communication Platforms
– Example: Mailchimp, SendGrid
– Purpose: Sending marketing communications, account-related notifications

– Collaboration and Productivity Tools
– Example: Slack, Asana
– Purpose: Internal communication and project management

– Identity Verification Services
– Example: Okta
– Purpose: User authentication, identity management, and access control

4. Due Diligence and Risk Assessment

Before engaging any Sub-processor, we conduct a thorough due diligence process, which includes:

– Assessing security measures: We evaluate the Sub-processor’s security practices to ensure they meet industry standards and comply with our internal security requirements.

– Reviewing data protection policies: We review the Sub-processor’s privacy and data protection policies to ensure they comply with relevant regulations and have appropriate safeguards in place.

– Conducting regular audits: We monitor our Sub-processors and, where necessary, conduct audits or request security certifications and third-party assessments to verify compliance.

5. Sub-processor Responsibilities

Sub-processors must agree to specific obligations, including but not limited to:

– Processing personal data only on Karbon Digital’s instructions
– Implementing adequate technical and organizational security measures
– Not sharing personal data with unauthorized third parties
– Providing prompt notifications of any data breaches or incidents
– Assisting Karbon Digital in fulfilling its obligations under applicable data protection laws

6. Data Transfers and International Sub-processors

In some cases, Sub-processors may be located outside of your home country or region. If personal data is transferred internationally, Karbon Digital Group ensures that appropriate safeguards are in place to protect your data. These safeguards may include:

– Standard Contractual Clauses (SCCs): We require Sub-processors to sign SCCs to ensure that personal data is transferred in compliance with GDPR requirements.

– Privacy Shield (or equivalent frameworks): For Sub-processors based in the United States, we verify compliance with the EU-U.S. or Swiss-U.S. Privacy Shield Framework, where applicable.

– Other safeguards: We may also rely on other recognized legal mechanisms to protect data during international transfers.

7. Updates to Sub-processors

We may update our list of Sub-processors from time to time as we engage new providers or terminate relationships with existing ones. We will notify our users and customers of any significant changes through updates to this policy. Where required by applicable law, we will also obtain consent for the use of new Sub-processors that process sensitive personal data.

8. Your Rights as a Data Subject

As a data subject, you have certain rights with regard to your personal data, including the right to:

– Access your data: You may request a list of the Sub-processors we use in connection with the processing of your personal data.
– Object to processing: You may object to the processing of your personal data by a Sub-processor, in which case we will assess the situation and take appropriate action.
– Request deletion: You may request the deletion of your personal data, subject to certain conditions and exceptions as outlined by relevant law where the company is headquartered.

 

 

Artificial Intelligence Policy

1. Policy Scope

Karbon Digital Limited is committed to responsible AI development, deployment, and management while following industry best practices. This policy provides governance guidelines to align with ethical standards and legal frameworks. However, it does not create legal obligations or liabilities for Karbon Digital Limited, its directors, or employees.

This policy applies to all AI-related technologies managed, developed, or utilized by Karbon Digital Limited. It serves as a governance framework for employees, contractors, and third-party partners. While the company strives to adhere to regulatory requirements, this policy does not constitute a legally binding commitment.

2. AI Ethics

2.1 Fairness & Accountability

  • AI solutions should aim for fairness and avoid discrimination or bias. The company encourages responsible AI development and accountability in decision-making. No guarantees are provided regarding AI outcomes, and Karbon Digital Limited assumes no liability for unintended consequences.

2.2 Regulatory Compliance

  • AI implementations should strive to comply with relevant regulations, such as Canada’s AI and Data Act (AIDA) and the Personal Information Protection and Electronic Documents Act (PIPEDA). Compliance efforts are best-effort practices and do not impose legal liabilities on the company.

2.3 Transparency & Explainability

  • AI models should be interpretable, with appropriate documentation to ensure users understand decision-making processes. Karbon Digital Limited does not guarantee all AI decisions will be fully explainable or error-free.

2.4 Data Privacy & Security

  • AI systems should follow data governance best practices, including secure handling of personal and sensitive information. The company disclaims liability for security breaches, misuse, or data-related risks.

2.5 Human Oversight

  • AI decision-making processes should include human oversight where appropriate. Employees are encouraged to monitor AI-generated outputs, but the company is not liable for AI-driven decisions or their consequences.

2.6 Risk Management

  • AI solutions should undergo risk assessments before deployment. Risk mitigation strategies are recommended but do not guarantee the elimination of AI-related risks.

3. AI Governance

3.1 AI Governance Committee

  • An advisory AI Governance Committee may oversee compliance, risk assessment, and policy adherence. The committee’s role is advisory, and Karbon Digital Limited assumes no liability for its recommendations or decisions.

3.2 AI Impact Assessments

  • AI projects may be subject to impact assessments to evaluate ethical and regulatory risks. These assessments do not imply liability or a commitment to specific AI outcomes.

3.3 Monitoring & Auditing

  • AI systems should be periodically monitored to detect biases, security risks, or operational failures. The company is not responsible for any undetected biases or errors in AI performance.

3.4 Training & Awareness

  • Employees involved in AI-related projects should receive relevant training on governance and ethics. The company does not guarantee the effectiveness of training and assumes no liability for actions taken based on it.

4. Third-Party AI Solutions

  • Due diligence will be conducted when using third-party AI technologies to assess compliance with AI governance principles. Karbon Digital Limited does not assume responsibility for third-party compliance, security, or performance.

5. Reporting Concerns

  • Employees and stakeholders are encouraged to report AI-related risks or ethical concerns. The company is not obligated to take specific actions or assume liability for reported concerns.

6. Policy Review

  • This policy will be reviewed periodically and updated annually or as needed at frequent intervals. Any modifications do not create new obligations or liabilities for Karbon Digital Limited.

7. Disclaimer

  • This policy is for guidance only and is not legally binding. Karbon Digital Limited, its directors, officers, and employees disclaim all AI-related liabilities, whether present or future.