Effective date: 01/09/22.
Nexus Software Platforms Ltd (“Parent Hub”, “We” or “Us”) use certain subcontractors or third parties (together the “Sub-Processors”) to assist us in providing the Parent Hub Services as described in our:
Defined terms used herein shall have the same meaning as defined in those Terms.
CONTENTS
- What is a Sub-Processor?
- Due diligence
- Changes to this Sub-Processor Policy
- Parent Hub's Sub-Processors
WHAT IS A SUB-PROCESSOR?
A Sub-Processor is a third-party data processor engaged by Parent Hub who is used to process some of the data that is generated or used by the Parent Hub Services (“Service Data”).
Parent Hub engages different types of Sub-Processors to perform various functions as explained in the sections to follow. In some cases, Service Data includes Personal Data as defined by the General Data Protection Regulation (“GDPR”). Any sharing of personal data with a Sub-Processor is detailed in full in the sections to follow.
DUE DILIGENCE
Parent Hub undertakes to use a commercially reasonable selection process by which it evaluates the security, privacy and confidentiality practices of proposed Sub-Processors that may be processing Service Data.
We require all Sub-Processors to satisfy the same obligations as those required by you as a Data Controller, from us as a Data Processor, as set forth in our Privacy Policy.
As a minimum, we ensure that Parent Hub’s Sub-Processors store and process all Service Data we share with them in a manner that is compliant with EU data protection requirements under GDPR.
CHANGES TO THIS SUB-PROCESSOR POLICY
We will keep this list updated regularly to enable Parent Hub users to stay informed of the scope of sub-processing associated with the Parent Hub Services.
We reserve the right to remove, amend, change or add Sub-Processors to this policy. We will do our best to bring to your attention any new Sub-Processor that is utilised or to be utilised in conjunction with the Services, or any substantial scope in processing of an existing Sub-Processor, by posting a notice on the services or notifying you by email or by some other means.
As a Parent Hub user, you can object to changes to this Sub-Processor policy, but this may result in you not being able to use certain features of the Services or in some instances, no longer being able to use the Services in their entirety.
Termination rights, as applicable and agreed, are set forth exclusively in our Terms of Service for Publishers and our Terms of Service for Subscribers.
PARENT HUB’S SUB-PROCESSORS
The following table is an up-to-date list (as of the date of this policy) of Parent Hub Sub-Processors. The sections which follow detail for each of these Sub-Processors, what data is shared and what the Sub-Processor does with it.
NOT ALL SUB-PROCESSORS ON THIS LIST MAY BE RELEVANT TO YOU AND YOUR DATA.
MICROSOFT (Platform Infrastructure and Service Data Storage)
Parent Hub is a cloud-hosted service, hosted in Microsoft’s Azure platform. This means that the physical infrastructure on which the Parent Hub Services run and on which Service Data is stored, is owned and maintained by Microsoft.
Microsoft’s Azure platform is highly accredited, holding (amongst others):
- ISO/IEC 27001 (the international information security standard)
- ISO/IEC 27018 (the international cloud privacy standard)
At the time this policy was last updated, a full list of Azure’s accreditations can be found here: https://azure.microsoft.com/en-gb/overview/trusted-cloud/
Whose data does this affect?
All users of the Parent Hub Services: Publishers and Subscribers.
What data is shared with this Sub-Processor?
Because Parent Hub is hosted in Azure, all Service Data is shared with this Sub-Processor.
When is data shared with this Sub-Processor?
As soon as you submit any data, either by entering it in the Services or by importing it from a third-party source, this data is stored in our database, hosted by Microsoft.
What does this Sub-Processor do with my data?
Microsoft host all Parent Hub Service Data. Microsoft’s policies protect our Service Data against unauthorised access and prevent sharing with any other third-party, or data mining of any sort.
Where is the data stored?
All Parent Hub Service data is stored in Microsoft’s West Europe Data Centre, located in Dublin, Ireland.
How long is my data stored for?
Parent Hub user data or any information submitted or uploaded to the Services will remain hosted in Azure until:
- You request for it to be deleted. Please note that, in some instances it may not be possible to delete your data as explained in our Privacy Policy.
- Your account has been inactive for a period of 365 days, after which you will be notified of account deletion in line with our Data Retention Policy.
How do I find out more?
- Azure website: https://azure.microsoft.com/en-gb/
- Security certifications: https://azure.microsoft.com/en-gb/overview/trusted-cloud/
- Microsoft Privacy Standards: https://www.microsoft.com/en-us/trustcenter/privacy/we-set-and-adhere-to-stringent-standards
MESSAGEBIRD (SMS Sending)
MessageBird is a telecom software company and is our chosen provider for the sending of SMS messages via the Parent Hub service.
Whose data does this affect?
Anyone who is the recipient or intended recipient of an SMS message from Parent Hub or from an Organisation (for example a school), through the Parent Hub service. This may include parents, guardians and school staff members.
What data is shared with this Sub-Processor?
In order to send an SMS, two things are required:
- The recipient’s mobile phone number (UK numbers only).
- The message to be sent.
When is data shared with this Sub-Processor?
Parent Hub delivers SMS to individuals in “real-time”. This means that data is sent to MessageBird for processing at the time a message is required to be delivered, for example when parent requests a verification code or when a teacher uses Parent Hub to send a message to a parent or guardian.
No data other than that required to send a particular message is shared with MessageBird.
What does this Sub-Processor do with my data?
MessageBird uses the data we share to deliver SMS to the recipient’s mobile phone. Just like when sending an SMS from your phone, SMS is delivered via a telecoms network (EE or Vodafone, for example).
Under the contract between Parent Hub and MessageBird, Parent Hub retains total control over any of the data shared with MessageBird. When a user requests that their personal data is removed from Parent Hub, our processes ensure that this includes any personal data related to that individual that is stored by MessageBird.
Where is the data stored?
MessageBird store data in their datacentres in Amsterdam, the Netherlands. It is never transferred outside of these datacentres (with the exception of submission to a telecoms network for SMS delivery, of course).
How long is my data stored for?
Because we retain control over all data shared with MessageBird, our processes ensure that your personal data is removed if you request for it to be deleted, either specifically from MessageBird or from Parent Hub more generally, in accordance with our Privacy Policy.
For data that is not deleted by us, MessageBird retain a record of all sent SMS (including the message content and recipient's mobile number) for a maximum of 90 days. After that, the record of sending is permanently and irrevocably removed from MessageBird’s servers and security backups.
How do I find out more?
- MessageBird website: https://bird.com
- MessageBird Privacy Policy: https://bird.com/en-gb/legal/legal/privacy
- MessageBird Security Overview
SENDGRID / TWILIO (Email Sending)
SendGrid – now part of Twilio - is an email delivery company and is our chosen provider for the sending of email via the Parent Hub service.
Whose data does this affect?
Anyone who is the recipient or intended recipient of:
- A Parent Hub system email (such as an invite, welcome email or password reset email); or
- An email via Parent Hub containing a message from an Organisation (for example a school), or an employee or agent of that Organisation.
What data is shared with this Sub-Processor?
In order to send an email, two things are required:
- The recipient’s email address.
- The message to be sent.
When is data shared with this Sub-Processor?
Parent Hub delivers emails to individuals in “real-time”. This means that data is sent to SendGrid for processing at the time a message is required to be delivered, for example when a user requests a password reset or when a teacher uses Parent Hub to send a message to a parent or guardian.
No data other than that required to send a particular message is shared with SendGrid.
What does this Sub-Processor do with my data?
SendGrid uses the data we share to deliver email to the recipient’s email address.
Under the contract between Parent Hub and SendGrid, Parent Hub retains total control over any of the data shared with SendGrid. When a user requests that their personal data is removed from Parent Hub, our processes ensure that this includes any personal data related to that individual that is stored by SendGrid.
Where is the data stored?
Because email hosting providers can be located all over the world, it is important that an email provider is equally global. SendGrid have data centres in the EU and the USA and transfer data between the two is covered by the European Commission’s Standard Contractual Clauses.
It’s important to note that GDPR does not stop data being transferred outside of the European Economic Area (EEA). Instead it demands that any data transferred outside of the EEA has to be done with appropriate safeguards, as demanded by the GDPR. The European Commission’s Standard Contractual Clauses do exactly this.
How long is my data stored for?
Because we retain control over all data shared with SendGrid, your personal data is removed if you request for it to be deleted, either specifically from SendGrid or from Parent Hub more generally, in accordance with our Privacy Policy.
For data that is not deleted by us, SendGrid retain a record of all sent emails (including the message content and recipient’s email address) for a maximum of 365 days. After that, the record of sending is permanently and irrevocably removed from SendGrid’s servers and security backups.
How do I find out more?
- SendGrid website: https://sendgrid.com/
- SendGrid Privacy Policy: https://sendgrid.com/policies/privacy/
- SendGrid Security Policy: https://sendgrid.com/policies/security/
- SendGrid Data Protection Addendum: https://www.twilio.com/legal/data-protection-addendum
ZENDESK (Customer support)
Zendesk is a customer service software and support ticketing system.
Whose data does this affect?
- Anyone who submits a request for support by email to support@parenthub.co.uk.
- Anyone who replies to an email from support@parenthub.co.uk.
- Anyone who submits a request for support using the Help button on our website (parenthub.co.uk)
What data is shared with this Sub-Processor?
All information that you include in your support request email. This includes your email address and any information you provide in your support message.
When we reply to your support request, all information contained in that reply is also shared with Zendesk.
When is data shared with this Sub-Processor?
Data is shared with Zendesk whenever you submit or send a support query or whenever we reply to your support query.
What does this Sub-Processor do with my data?
Zendesk host (store) Parent Hub support request data on our behalf.
Under the contract between Parent Hub and Zendesk, Parent Hub retains total control over any of the data shared with Zendesk. When a user requests that their personal data is removed from Parent Hub, our processes ensure that this includes any personal data related to that individual that is stored by Zendesk.
Please note that the support requests you submit may be retained so we can continue to evaluate and improve our Service, but the personal data contained within them will be removed and the support ‘tickets’ anonymised.
Where is the data stored?
Support ticket data is stored on Zendesk’s servers in the USA. Transfer of data outside of the European Economic Area (EEA) is protected by the European Commission’s Standard Contractual Clauses.
It’s important to note that GDPR does not stop data being transferred outside of the EEA. Instead it demands that any data transferred outside of the EEA has to be done with appropriate safeguards, as demanded by the GDPR. The European Commission’s Standard Contractual Clauses do exactly this.
How long is my data stored for?
Because we retain control over all data shared with Zendesk, your data is stored in Zendesk until:
- You request for it to be deleted, either specifically from Zendesk or from Parent Hub more generally, in accordance with our Privacy Policy; or
- 3 years after inactivity.
Once we delete a record from Zendesk, it is also immediately permanently and irrevocably removed from all backups.
How do I find out more?
- Zendesk website: https://www.zendesk.co.uk
- Zendesk Policies and Procedures: https://www.zendesk.com/company/policies-procedures/
STRIPE (Payments Processing)
Stripe is an online payments processing company and is our chosen provider for the processing of electronic payments on the Parent Hub service.
Whose data does this affect?
Anyone who either sends or receives electronic payments or refunds via Parent Hub.
What data is shared with this Sub-Processor?
Parent Hub collects and shares the minimum required amount of data in order to allow Stripe to process payments on our behalf. This includes:
- Details of the payment or refund, including the amount, currency, and some metadata for tracking, such as the item(s) purchased or refunded and a pseudonymous customer ID.
- The parent’s email address (for sending email receipts and allowing Stripe to store customer payment details).
Stripe themselves securely and directly collect additional information from the parent and the school in order to open and amend payment accounts, and to process payments or refunds:
- From the parent, they collect details of the payment method, such as credit card number, expiry, customer name, as well as physical and IP addresses.
- From the school, they collect details of the bank account and beneficiary.
Because this additional information is collected directly by Stripe, only certain PCI-compliant aspects are visible to Parent Hub in order to allow us to provide technical support, and none is stored on our systems.
When is data shared with this Sub-Processor?
Parent Hub sends data to Stripe at the moment a school account is created or amended, and when a payment or refund needs processing.
No data other than that required to manage the school account(s) or to process a particular payment or refund is shared with Stripe.
What does this Sub-Processor do with my data?
Stripe uses the data we share to process payments and refunds, and to pay out money to school bank accounts.
They also use data that they collect, such as credit card and address details, to conduct risk assessments for payment transactions.
Where is the data stored?
Stripe Inc. is US-based company with global operations. Stripe has in place a variety of measures to ensure adequate protection of the transfer of personal data outside of the European Economic Area (EEA), including the European Commission’s approved Standard Contractual Clauses. For more information, please see Stripe’s Privacy Centre.
It’s important to note that GDPR does not stop data being transferred outside of the EEA. Instead it demands that any data transferred outside of the EEA has to be done with appropriate safeguards, as demanded by the GDPR. The European Commission’s Standard Contractual Clauses do exactly this.
How long is my data stored for?
Stripe retain personal data while an account is open and, after an account is closed, to the extent necessary to comply with their legal and regulatory obligations, and for the purpose of fraud monitoring, detection and prevention. They also retain personal data to comply with their tax, accounting, and financial reporting obligations, where they are required to retain the data by their contractual commitments to their financial partners, and where data retention is mandated by the payment methods that they support. Where they retain data, they do so in accordance with any limitation periods and records retention obligations that are imposed by applicable law.
How do I find out more?
- Stripe website: https://stripe.com/en-gb
- Stripe Privacy Policy: https://stripe.com/gb/privacy
- Stripe Privacy Centre: https://stripe.com/privacy-center/legal#data-transfers
Comments
0 comments
Article is closed for comments.