
Sub-Processors Policy

Last Updated: 28 October 2025

Introduction

To deliver our Services effectively, Board Secure Limited t/a Governance360 (“Governance360”, “we”, “us”, “our”) works with carefully selected third-party service providers (called “Sub-Processors”). These Sub-Processors may process certain customer data on our behalf to help us provide our platform subscription service and Learning Academy.

This policy explains which Sub-Processors we use, what they do, and how we ensure your data remains protected.

Plain English Note: A Sub-Processor is simply a company we work with that might handle some of your data whilst helping us run our services. For example, we use a cloud provider to host our platform. We remain responsible for your data even when a Sub-Processor is involved.

Definitions

Terms used in this policy have the meanings set out in our Terms of Use and Terms of Sale. Key terms include:

  • “Service(s)”: Our Governance360 platform subscription service and Learning Academy
  • “Service Data”: Data processed through our Services, including personal data
  • “Sub-Processor”: A third-party data processor engaged by Governance360 to process Service Data

Legal Basis and Your Rights

We engage Sub-Processors in accordance with:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • Our contractual obligations to you as outlined in our Terms of Use and Terms of Sale

We remain the data controller or processor (depending on our relationship with you) and are fully responsible for our Sub-Processors’ compliance with data protection laws.

Plain English Note: UK data protection law allows us to use Sub-Processors, but only if we have proper contracts in place with them and they meet strict security standards. We can’t just pass the buck – we’re still accountable for keeping your data safe.

Our Sub-Processor Standards

Every Sub-Processor we engage must:

  1. Meet rigorous security standards equivalent to our own obligations
  2. Have appropriate technical and organisational measures to protect personal data
  3. Process data only on our documented instructions
  4. Maintain confidentiality of all Service Data
  5. Comply with UK GDPR and UK data protection law
  6. Assist with data subject rights requests and security incidents
  7. Delete or return data when our contract ends (unless required by law to retain it)

We conduct due diligence on all Sub-Processors before engagement and monitor their ongoing compliance.

Plain English Note: We don’t just pick any company to work with. Each Sub-Processor must prove they take data protection seriously and sign contracts that hold them to the same high standards we follow. We check them out before we start working with them and keep monitoring them afterwards.

Infrastructure Sub-Processors

These Sub-Processors provide the core infrastructure that hosts or supports our Services:

| Entity Name | What They Do | Location | GDPR/Data Protection Information |
|---|---|---|---|
| Amazon Web Services, Inc. (AWS) | Cloud hosting and infrastructure services | UK/EU data centres | AWS GDPR Centre |

Plain English Note: These are the companies that provide the fundamental technology infrastructure our Services run on, like servers and data storage. Your data is hosted in UK or EU data centres (Europe (London), eu-west-2).

Functional Sub-Processors

These Sub-Processors help us deliver specific features and business functions:

| Entity Name | What They Do | Data Processing Purpose | Privacy Information |
|---|---|---|---|
| Circleloop | Business telephone system | Call handling and customer support communications | Circleloop Privacy Policy |
| Egnyte | Document storage and collaboration | Secure file storage and sharing for business operations | Egnyte Privacy Centre |
| GoCardless | Payment processing | Direct debit payment collection and subscription billing | GoCardless Privacy Policy |
| Google Analytics | Website and platform analytics | Understanding how customers use our platform to improve services | Google Privacy Policy |
| HubSpot | Customer relationship management | Customer support, account management, and service communications | HubSpot Privacy Policy |
| Intercom | Customer messaging and support | Live chat, customer support communications, and in-app messaging | Intercom Privacy Policy |
| Mailchimp | Email marketing platform | Marketing emails and customer communications | Mailchimp Privacy Policy |
| Meta Group companies | Marketing and communications | Business advertising, marketing communications, and content management | Meta Privacy Centre |
| Microsoft | Cloud productivity services | Business communications, document collaboration, and productivity tools | Microsoft Privacy Statement |
| SendGrid | Email delivery service | Transactional emails and service notifications | SendGrid Privacy Policy |
| Slack | Business communication platform | Internal team communications and collaboration | Slack Privacy Policy |
| Stripe | Payment processing | Card payment processing and subscription billing | Stripe Privacy Policy |
| Typeform | Survey and form builder | Customer feedback, surveys, and form submissions | Typeform Privacy Policy |
| Xero | Accounting software | Financial management, invoicing, and accounting operations | Xero Privacy Policy |

Plain English Note: These companies help us run different parts of our business. For example, HubSpot and Intercom help us manage customer support, Stripe and GoCardless process payments, and Google Analytics helps us understand which parts of our platform are working well. Each only gets access to the specific data they need for their particular job.

International Data Transfers

Some of our Sub-Processors may transfer data outside the United Kingdom. Where this occurs, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by the UK Information Commissioner’s Office
  • UK Adequacy Regulations where transfers are to countries with adequate data protection standards
  • Additional security measures as required under UK law

Plain English Note: Sometimes data might be processed in other countries. When this happens, we use special approved contracts (called Standard Contractual Clauses) that give your data the same legal protection it would have in the UK. We only work with companies in countries that the UK recognises as safe, or where we’ve put extra protections in place.

Changes to Our Sub-Processors

Adding New Sub-Processors

We may need to add or change Sub-Processors from time to time as our business and technology needs evolve. When we do this:

  1. We conduct thorough due diligence on any new Sub-Processor
  2. We ensure contractual protections are in place before any data is shared
  3. We notify you in accordance with our notification procedures (see below)
  4. We provide you with an objection period if you have concerns

Notification Process

For Platform Subscription customers:

  • We will typically update this page at least 30 days before engaging a new Sub-Processor
  • We will send email notification to your registered account administrator
  • You may object to the new Sub-Processor within the notice period
  • If we cannot resolve your objection, you may terminate your subscription in accordance with our Terms of Use

For Director Learning Academy purchases:

  • We will typically update this page at least 30 days before engaging a new Sub-Processor
  • As Academy modules are individual product purchases that cannot be refunded once started or opened, continued use of the platform after the notice period constitutes acceptance

Plain English Note: We’ll always let you know before we start working with a new Sub-Processor by updating this page and sending you an email. Subscription customers get 30 days to raise concerns. For Academy module purchases, these are one-time products, so once you’ve started using a module, the standard refund rules apply (no refunds once opened or started). But we’ll still tell you in advance about any changes.

Sub-Processor Security Incidents

If a Sub-Processor experiences a data security incident that affects Service Data, we will:

  1. Require immediate notification from the Sub-Processor
  2. Investigate the incident thoroughly
  3. Notify affected customers without undue delay
  4. Take appropriate remedial action
  5. Cooperate with any supervisory authority investigation

Plain English Note: If something goes wrong with one of our Sub-Processors – like a data breach – they have to tell us straight away, and we’ll tell you quickly. We’ll investigate what happened, fix the problem, and work with the UK’s data protection authority (the ICO) if needed.

Your Rights and Our Responsibilities

Customer Rights

You retain all your data protection rights under UK GDPR, including:

  • Right of access to your data
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing

We will coordinate with our Sub-Processors to facilitate these rights.

Our Responsibilities

Governance360 remains fully responsible and liable for:

  • All Sub-Processor activities and compliance
  • Ensuring appropriate contracts are in place
  • Monitoring Sub-Processor performance
  • Data protection compliance throughout the processing chain

Plain English Note: You have the same legal rights over your data regardless of whether we or a Sub-Processor is handling it. We’re responsible for making sure our Sub-Processors respect those rights. If something goes wrong, we’re accountable – you deal with us, not them.

Audit Rights

Under our Terms of Use, authorised customers may have audit rights in relation to our data processing activities. These rights extend to our Sub-Processors, subject to:

  • Reasonable notice requirements
  • Confidentiality obligations
  • Audit scope limitations (to the extent the Sub-Processor permits)
  • Scheduling and access constraints

Plain English Note: If your contract gives you the right to audit how we handle data, this can include checking what our Sub-Processors do. However, there are practical limits – for example, we can’t give you unrestricted access to another company’s premises, but we can provide evidence of their compliance.

Questions and Concerns

If you have questions about our Sub-Processors or wish to:

  • Object to a new Sub-Processor
  • Request information about our Sub-Processor due diligence
  • Raise a data protection concern
  • Exercise your data subject rights

Please contact us at:

Email: dataprotection@governance360.com
Address: Board Secure Limited t/a Governance360, C/o Alacrity Foundation, Moderator Wharf, Newport, NP20 1HG

For general enquiries about our Services, please see our Contact Us page.

You also have the right to lodge a complaint with the UK’s supervisory authority:

Information Commissioner’s Office (ICO)
Website: ico.org.uk
Telephone: 0303 123 1113

Our ICO number: ZA509974

Plain English Note: Got questions or concerns? Get in touch using the details above. You can also complain directly to the ICO (the UK’s data protection regulator) at any time – you don’t have to contact us first, though we’d like the chance to help resolve any issues.

Related Policies

This Sub-Processors Policy should be read alongside:

Note: By using our Services, you acknowledge that you have read, understood, and agree to this Sub-Processors Policy. If you do not agree, please discontinue use of our Services immediately and contact us to discuss your concerns.

This policy is compliant with UK GDPR, the Data Protection Act 2018, and reflects best practices for B2B SaaS providers operating in the United Kingdom.