About This Document
This document lists all sub-processors engaged by Smartplace Pty Ltd, trading as Smartta AI to provide services in connection with our workforce management platform. As required by data protection laws including GDPR, CCPA, and the Australian Privacy Act, we maintain this comprehensive list to ensure transparency about data processing activities.
All sub-processors listed have signed Data Processing Agreements (DPAs) with appropriate security and privacy safeguards. We conduct regular reviews of sub-processor compliance and security practices.
1. Sub-processor Categories
Our sub-processors are categorized based on their role in our service delivery:
- Essential Services: Critical infrastructure and core platform functionality
- Infrastructure: Cloud hosting, databases, and technical infrastructure
- Analytics & Monitoring: Performance monitoring and error tracking (locally hosted)
- Security Services: Payment processing and security tools
- Development Tools: Software development and deployment services
2. Current Sub-processor List
Last Reviewed: September 1, 2025
| Service Provider | Service Description | Data Processing Purpose | Data Location | Status | Added Date |
|---|---|---|---|---|---|
| Essential Services | |||||
| Amazon Web Services (AWS) Amazon.com, Inc. Seattle, WA, USA |
Cloud infrastructure, computing, storage, and networking services | All application data storage, processing, and hosting services | Sydney, Australia (ap-southeast-2) |
Active | 2023-01-01 |
| Auth0 by Okta Okta, Inc. San Francisco, CA, USA |
Identity and access management, user authentication | User authentication, session management, identity verification | Australia & United States | Active | 2023-02-15 |
| Cloudflare Cloudflare, Inc. San Francisco, CA, USA |
Content delivery network, DDoS protection, web security | Performance optimization, security filtering, traffic analytics | Global network (Australia edge) |
Active | 2023-01-15 |
| SendGrid by Twilio Twilio Inc. San Francisco, CA, USA |
Transactional email delivery and management | User notifications, system alerts, transactional communications | United States (Global delivery) |
Active | 2023-03-01 |
| Twilio SMS Twilio Inc. San Francisco, CA, USA |
SMS delivery and two-factor authentication | Security notifications, 2FA codes, system alerts | Global with Australian local numbers | Active | 2023-03-01 |
| Delivery & Integration Partners | |||||
| Faaro Global Faaro Global Sydney, NSW, Australia |
Authorised delivery partner — implementation, support, and customer management | Customer onboarding, solution configuration, ongoing support, account management | Australia | Active | 2025-09-01 |
| NoahFace NoahFace Pty Ltd Sydney, NSW, Australia |
Facial recognition time and attendance hardware and software | Employee clock-in/out via facial recognition, time and attendance data processing | Australia | Active | 2025-09-01 |
| Infrastructure Services | |||||
| Database and caching services are locally hosted on Smartta AI infrastructure - no database sub-processors are engaged. | |||||
| Analytics & Monitoring | |||||
| Analytics and monitoring services are locally hosted on Smartta AI infrastructure - no monitoring sub-processors are engaged. | |||||
| Security & Payment Services | |||||
| Stripe Stripe, Inc. San Francisco, CA, USA |
Payment processing, subscription billing | Payment transactions, billing information, financial records | Global (Stripe Payments Australia) |
Active | 2023-02-01 |
| Xero Xero Limited Wellington, New Zealand |
Accounting software integration | Financial data synchronization, invoice processing | Australia & New Zealand | Active | 2023-05-01 |
| Development & Deployment | |||||
| GitHub GitHub, Inc. San Francisco, CA, USA |
Source code management, CI/CD, software development | Development workflows, deployment logs (no customer data) | United States | Active | 2023-01-01 |
| Docker Hub Docker, Inc. Palo Alto, CA, USA |
Container registry and image management | Application deployment images (no customer data) | United States | Active | 2023-01-01 |
| Atlassian Atlassian Pty Ltd Sydney, NSW, Australia |
Project management, issue tracking, team collaboration | Development workflows, project metadata (no customer data) | Australia | Active | 2025-09-01 |
Data Protection Safeguards
All sub-processors listed above are subject to:
- Data Processing Agreements (DPAs) with equivalent protection to our customer agreements
- Security Requirements including encryption, access controls, and monitoring
- Compliance Obligations under applicable data protection laws
- Regular Audits and security assessments
- Confidentiality and non-disclosure agreements
- Incident Response procedures and breach notification requirements
3. Data Transfer Mechanisms
For sub-processors located outside Australia, we ensure adequate protection through:
- Standard Contractual Clauses (SCCs): EU Commission-approved clauses for GDPR compliance
- Adequacy Decisions: Where available for specific jurisdictions
- Certification Programs: Privacy Shield successor frameworks and equivalent mechanisms
- Binding Corporate Rules: For multinational sub-processors
- Additional Safeguards: Technical measures like encryption and pseudonymization
4. Sub-processor Management Process
4.1 Due Diligence
Before engaging any sub-processor, we conduct comprehensive due diligence including:
- Security and privacy compliance assessment
- Financial stability and business continuity evaluation
- Technical capability and performance review
- Legal and regulatory compliance verification
- Reference checks and industry reputation analysis
4.2 Ongoing Monitoring
We continuously monitor sub-processor performance through:
- Regular security assessments and audits
- Compliance monitoring and reporting
- Performance metrics and SLA tracking
- Incident response and resolution monitoring
- Annual contract and relationship reviews
Change Management
Customer Notification: We notify customers at least 30 days in advance of:
- Adding new sub-processors
- Changing existing sub-processor services
- Modifying data processing locations
- Updating security or compliance requirements
Objection Rights: Customers may object to new sub-processors. If objections cannot be resolved, customers may terminate the affected services without penalty.
5. Removed Sub-processors
The following table shows sub-processors that have been discontinued:
| Service Provider | Service Description | Removal Date | Reason | Data Handling | Replacement |
|---|---|---|---|---|---|
| No sub-processors have been removed to date. | |||||
6. Regional Compliance
6.1 GDPR Compliance (EU)
- All sub-processors sign EU Standard Contractual Clauses
- Data minimization principles applied to all transfers
- Right to object to new sub-processors
- Regular compliance audits and assessments
6.2 CCPA/CPRA Compliance (California)
- Sub-processors restricted from selling personal information
- Consumer rights requests supported across all sub-processors
- Opt-out mechanisms for targeted advertising
- Annual compliance certifications required
6.3 Australian Privacy Act Compliance
- Cross-border disclosure requirements met
- Reasonable steps to ensure sub-processor compliance
- Notification of overseas disclosures to data subjects
- Australian Privacy Principles adherence
Questions and Updates
For questions about our sub-processors or to request updates:
- Privacy Team: privacy@smartplace.ai
- Data Protection Officer: dpo@smartplace.ai
- Security Team: security@smartplace.ai
- Legal Team: legal@smartplace.ai
This document is reviewed quarterly and updated as needed to maintain accuracy.