Third Party Sub Processors

Who we are and what this is

Method Apps Limited (“we”, “us” or “our”).
Registered company address: 11 Laura Place, Bath, England, UK, BA2 4BL.
Registered in England & Wales 11235998.

Method Apps Limited engages the third party entities below to perform limited activities in connection with customer data associated with Method Grid and Method Apps Limited.


Google

Activity: Marketing, Office Applications, Communications, Support

Data processed: IP address, marketing tracking

App data processed: None

Data locations: US, Multiple

As described in our Privacy Shield certification, we comply with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks as set forth by the US Department of Commerce regarding the collection, use and retention of personal information from European Union member countries (including EEA member countries) and the UK as well as Switzerland, respectively. Google, including Google LLC and its wholly-owned US subsidiaries (unless explicitly excluded), has certified that it adheres to the Privacy Shield Principles. Google remains responsible for any of your personal information that is shared under the Onward Transfer Principle with third parties for external processing on our behalf, as described in the “Sharing your information” section.

Source: https://policies.google.com/privacy/frameworks?hl=en-US


Stripe Inc.

Activity: Finance

Data processed: Name, email, organization, billing details

App data processed: Name, email, organization, billing details

Data locations: US, Multiple

We are a global business. Personal Data may be stored and processed in any country where we have operations or where we engage service providers. We may transfer Personal Data that we maintain about you to recipients in countries other than the country in which the Personal Data was originally collected, including to the United States. Those countries may have data protection rules that are different from those of your country. However, we will take measures to ensure that any such transfers comply with applicable data protection laws and that your Personal Data remains protected to the standards described in this Privacy Policy. In certain circumstances, courts, law enforcement agencies, regulatory agencies or security authorities in those other countries may be entitled to access your Personal Data.

If you are located in the European Economic Area (“EEA”), the UK or Switzerland, we comply with applicable laws to provide an adequate level of data protection for the transfer of your Personal Data to the US. Stripe Inc. is certified under the EU-U.S. and the Swiss-U.S. Privacy Shield Framework and adheres to the Privacy Shield Principles in connection with personal data transfers from the EEA, the UK and Switzerland. For more, see Stripe’s Privacy Shield Policy. In addition, we have implemented intra-group data transfer agreements which you may view upon request.

UPDATE September 15, 2020: While Stripe Inc. remains self-certified under the E.U.-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield, it is not currently relying on these frameworks for the transfer of personal data to the U.S.

Where applicable law requires us to ensure that an international data transfer is governed by a data transfer mechanism, we use one or more of the following mechanisms: EU Standard Contractual Clauses with a data recipient outside the EEA or the UK, verification that the recipient has implemented Binding Corporate Rules, or verification that the recipient adheres to the EU-US and Swiss-US Privacy Shield Framework.

Source: https://stripe.com/gb/privacy


Xero Limited

Activity: Finance, Communications

Data processed: Name, email, organization, billing details

App data processed: None

Data locations: US

Similar to many SaaS providers, we use a top-tier, third-party data hosting provider (Amazon Web Services) with servers located in the U.S., to host our online and mobile services. For more information about AWS’s approach to compliance with the GDPR, see https://aws.amazon.com/compliance/gdpr-center/

Xero has no short term plans to store data in the EU, and this isn’t required under GDPR. Instead, GDPR requires companies to implement appropriate safeguards when they export personal data out of the EU.

Xero makes sure that it complies with EU data export restrictions when it exports data outside of the EU, and will be doing a full audit prior to May 2018 on the data export mechanisms it has in place to ensure they comply, and will continue to comply, with GDPR.

Source: https://www.xero.com/uk/campaigns/xero-and-gdpr/
Source: https://www.xero.com/uk/about/legal/privacy/


DigitalOcean, LLC

Activity: Infrastructure

Data processed: Name, email, organization, profile image, all app data

App data processed: Name, email, organization, profile image, all app data

Data locations: UK

… your proprietary data that you upload to Droplets, Spaces, and other services will remain within the region where you choose to host such data, unless we inform you otherwise.

Source: https://www.digitalocean.com/security/gdpr/faq/
Source: https://www.digitalocean.com/legal/privacy-policy/


Chargebee, Inc

Activity: Finance, Communications

Data processed: Name, email, organization, billing details

App data processed: Name, email, organization, billing details

Data locations: US

Chargebee participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. We are committed to subjecting all personal data received from European Union (“EU”) member countries and Switzerland, in reliance on the Privacy Shield Framework, to the Privacy Shield Framework’s applicable Privacy Shield Principles.

Source: https://www.chargebee.com/privacy/


Cloudflare, Inc.

Activity: Infrastructure

Data processed: IP

App data processed: None

Data locations: US, Multiple

While Cloudflare no longer relies on the EU-U.S. and the Swiss -U.S. Privacy Shield as a lawful basis for international transfers of personal data from the EEA and Switzerland to the U.S., Cloudflare remains certified under both the EU-U.S. and the Swiss-U.S. Privacy Shield Frameworks respectively as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the EEA, the UK, and Switzerland to the United States, respectively (“Privacy Shields”). We commit to periodically review and verify the accuracy of our policies and our compliance with the Privacy Shields. If there is any conflict between the terms in this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.

Source: https://www.cloudflare.com/en-gb/privacypolicy/
Source: https://www.cloudflare.com/en-gb/gdpr/introduction/


HelloSign Service (JN Projects, Inc.)

Activity: Legal

Data processed: Name, email, address, signature

App data processed: None

Data locations: US, Multiple

Around the world – To provide you with the Services, we may store, process and transmit data in the United States and locations around the world – including those outside your country. Data may also be stored locally on the devices you use to access the Services.

Data Transfers. When transferring data from the European Union, the European Economic Area, the United Kingdom and Switzerland, HelloSign relies upon a variety of legal mechanisms, such as contracts with our customers and affiliates, Standard Contractual Clauses and the European Commission’s adequacy decisions about certain countries, as applicable.

EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield. HelloSign complies with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal data transferred from the European Union, the European Economic Area, the United Kingdom and Switzerland to the United States, although HelloSign does not rely on the EU-U.S. Privacy Shield or Swiss-U.S. Privacy Shield Frameworks as a legal basis for transfers of personal data. HelloSign has certified to the Department of Commerce that it adheres to the Privacy Shield principles with respect to such data. You can also learn more about Privacy Shield at www.privacyshield.gov.

Source: https://gb.hellosign.com/privacy


Hubspot

Activity: Marketing, Support, Communications

Data processed: Contact details (name, email, phone, address etc.), company details and communication records

App data processed: Name, email, organisation

Data locations: US, IE

To facilitate our global operations, we transfer information to either Ireland or the United States and allow access to that information from countries in which the HubSpot affiliated entities have operations for the purposes described in this policy.

This Privacy Policy shall apply even if we transfer Personal Information to other countries. We have taken appropriate safeguards to require that your Personal Information will remain protected. When we share information about you within and among HubSpot’s affiliated entities, we make use of standard contractual data protection clauses, which have been approved by the European Commission, and we have also certified to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks to help safeguard the transfer of information we collect from the European Economic Area (“EEA”), the United Kingdom, and Switzerland. Please see our Privacy Shield notice below for more information.

Source: https://legal.hubspot.com/privacy-policy


Livestorm Inc.

Activity: Webinars

Data processed: Name, email

App data processed: None

Data locations: EU

Livestorm collects and processes some of the User’s personal data (the “Data”), under the conditions provided for by the schedule to these General Conditions of Sale related to Privacy policy, accessible through this link: https://livestorm.co/privacy-policy. As such, Livestorm has the capacity as SubContractor and the Client has the capacity as Data Controller, within the meaning of the GDPR.

Livestorm assures the Client that the Users Data will be collected and processed in compliance with the provisions of the modified law no. 78-17 of 6 January 1978 on Information Technology, Data Files and Liberties (the “IT and Freedoms Law”) and Regulation (EU° no. 2016/679 of the European Parliament and Council dated 27 April 2016 (the “Regulation”).

Source: https://livestorm.co/general-conditions-of-sale


Contact

Questions, comments and requests regarding this policy are welcomed and should be addressed via our contact page here.


Change log

22 July 2021 – Updated to add Hubspot privacy policy. Removed information about Pipedrive and Calendly.
13 August 2021 – Removed references to Olark and GrooveHq.
19 November 2021 – Removed references to Campaign Monitor.
14 December 2021 – Added Name, email, organisation to data that Hubspot processes
26 April 2022 – Added reference to Livestorm
10 March 2023 – Removed references to SoPro, Tribe and Twilio

GRIDtalk • MAPS Digital Playbook with Arup •
30th June 1pm
Register for our Praxis Grid Talk