Data Subprocessors

TRANSPARENCY IN DATA PROCESSING RELATIONSHIPS

1. INTRODUCTION AND OVERVIEW

1.1. Purpose and Scope

This document provides comprehensive information about third-party entities that process personal data on behalf of NHCarrigan ("we," "us," "our," or "the Company"). By using our services, you acknowledge that your data may be processed by these subprocessors in accordance with their respective privacy policies and our contractual agreements.

This disclosure is provided in accordance with:

(a) Data protection regulations requiring transparency about third-party processing;

(b) Our commitment to user privacy and informed consent;

(c) Contractual obligations with our users regarding data processing;

(d) Industry best practices for data processing transparency.

1.3. Data Processing Principles

All subprocessor relationships are governed by:

(a) Purpose Limitation: Data processing is limited to specified, legitimate purposes;

(b) Data Minimisation: Only necessary data is shared with subprocessors;

(c) Security Requirements: All subprocessors must maintain appropriate security measures;

(d) Contractual Protection: Formal agreements govern all data processing relationships.

1.4. User Rights and Protections

Your rights regarding subprocessor data processing include:

(a) Transparency: Full disclosure of all entities processing your data;

(b) Consent: Your continued use constitutes consent to the processing described;

(c) Control: Rights to access, correct, and delete data processed by subprocessors;

(d) Notice: Advance notification of changes to subprocessor arrangements.

2. PRIMARY SUBPROCESSORS

2.1. Definition and Role

Primary subprocessors are third-party entities that directly process, store, or manage data on our behalf as part of our core service delivery. These relationships involve direct contractual arrangements and technical integrations.

2.2. Primary Subprocessor Details

2.2.1. Anthropic

Data Processing Role: Artificial Intelligence and Natural Language Processing

Types of Data Processed:

  • Messages and commands sent to and from applications utilising AI integration services
  • User interactions with AI-powered features
  • Content analysis for service improvement and safety

Processing Purpose:

  • Providing AI-powered responses and functionality
  • Natural language understanding and generation
  • Content moderation and safety filtering
  • Service improvement and optimisation

Data Transfer Mechanism: Encrypted API communications

Retention Period: As specified in Anthropic's data retention policies

Security Measures: Industry-standard encryption and access controls

Location: United States

Privacy Policy: https://www.anthropic.com/privacy

2.2.2. DigitalOcean

Data Processing Role: Infrastructure and Hosting Services

Types of Data Processed:

  • All data transmitted over networks to and from our applications
  • System logs and performance metrics
  • Backup data and system configurations
  • Network traffic metadata

Processing Purpose:

  • Providing cloud infrastructure and hosting services
  • Ensuring system availability and performance
  • Maintaining security and monitoring systems
  • Data backup and disaster recovery

Data Transfer Mechanism: Encrypted network transmission

Retention Period: As required for service provision and legal compliance

Security Measures: SOC 2 Type II compliance, encryption, access controls

Location: Multiple global data centres (primarily United States and Europe)

Privacy Policy: https://www.digitalocean.com/legal/privacy-policy

2.2.3. MongoDB

Data Processing Role: Database Management and Storage

Types of Data Processed:

  • All structured data provided to our applications through user interactions
  • User account information and preferences
  • Application data and user-generated content
  • System configuration and metadata

Processing Purpose:

  • Providing database hosting and management services
  • Ensuring data availability and integrity
  • Facilitating data backup and recovery
  • Supporting application functionality

Data Transfer Mechanism: Encrypted database connections

Retention Period: As configured in our data retention policies

Security Measures: Encryption at rest and in transit, access controls, audit logging

Location: Configurable global regions (primarily United States)

Privacy Policy: https://www.mongodb.com/legal/privacy-policy

2.2.4. Stripe

Data Processing Role: Payment Processing and Identity Verification

Types of Data Processed:

  • Payment information including credit card details and billing addresses
  • Identity verification information for age and identity confirmation
  • Transaction history and payment method data
  • Information necessary for regulatory compliance (KYC/AML)

Processing Purpose:

  • Processing payments and managing billing
  • Verifying user identity and age for service access
  • Preventing fraud and ensuring regulatory compliance
  • Managing subscriptions and recurring payments

Data Transfer Mechanism: PCI DSS compliant encrypted transmissions

Retention Period: As required by payment regulations and Stripe policies

Security Measures: PCI DSS Level 1 compliance, tokenisation, fraud detection

Location: Global processing infrastructure with data residency options

Privacy Policy: https://stripe.com/privacy

3. SECONDARY SUBPROCESSORS

3.1. Definition and Role

Secondary subprocessors are platforms and services that users interact with directly to access our services. While we do not have direct contractual control over these entities, user interaction with our services through these platforms may result in data processing by these entities under their own terms and policies.

3.2. Platform Integration Notice

When you access our services through third-party platforms, your interactions are subject to both our privacy policy and the privacy policies of these platforms. We recommend reviewing the privacy policies of all platforms you use to access our services.

3.3. Secondary Subprocessor Platforms

3.3.1. Discord

Relationship Type: Community Platform Integration

Data Processing Context:

  • User interactions in Discord servers managed by or affiliated with NHCarrigan
  • Bot services and integrations provided through Discord
  • Community management and moderation activities

User Responsibility: Review Discord's Privacy Policy and Terms of Service

Privacy Policy: https://discord.com/privacy

3.3.2. GitHub

Relationship Type: Development Platform and Code Repository

Data Processing Context:

  • Contributions to open-source projects
  • Issue reporting and feature requests
  • Code repository access and version control
  • Development collaboration activities

User Responsibility: Review GitHub's Privacy Statement and Terms of Service

Privacy Policy: https://docs.github.com/en/site-policy/privacy-policies/github-privacy-statement

3.3.3. PayPal

Relationship Type: Alternative Payment Processing

Data Processing Context:

  • Payment processing for services and donations
  • Transaction history and payment verification
  • Dispute resolution and customer service

User Responsibility: Review PayPal's Privacy Statement and User Agreement

Privacy Policy: https://www.paypal.com/us/legalhub/privacy-full

3.3.4. Twitch

Relationship Type: Live Streaming Platform Integration

Data Processing Context:

  • Live streaming services and chat interactions
  • Channel management and viewer analytics
  • Content delivery and broadcasting services

User Responsibility: Review Twitch's Privacy Notice and Terms of Service

Privacy Policy: https://www.twitch.tv/p/legal/privacy-notice

4. SUBPROCESSOR MANAGEMENT AND GOVERNANCE

4.1. Due Diligence Process

Before engaging any primary subprocessor, we conduct comprehensive due diligence including:

(a) Security Assessment: Evaluation of data security measures and certifications;

(b) Privacy Review: Analysis of privacy policies and data processing practices;

(c) Compliance Verification: Confirmation of regulatory compliance and certifications;

(d) Contract Negotiation: Establishment of data processing agreements with appropriate protections.

4.2. Ongoing Monitoring

We maintain ongoing oversight of subprocessor relationships through:

(a) Regular Audits: Periodic review of subprocessor security and privacy practices;

(b) Performance Monitoring: Assessment of service quality and compliance;

(c) Incident Management: Coordination on security incidents and data breaches;

(d) Contract Management: Regular review and update of contractual terms.

4.3. Data Processing Agreements

All primary subprocessors are bound by data processing agreements that include:

(a) Purpose Limitation: Specific restrictions on data use and processing purposes;

(b) Security Requirements: Mandatory security controls and incident response procedures;

(c) Confidentiality: Strict confidentiality and non-disclosure obligations;

(d) Audit Rights: Our right to audit subprocessor data processing practices.

4.4. Subprocessor Change Management

Changes to subprocessor arrangements are managed through:

(a) Impact Assessment: Evaluation of privacy and security implications;

(b) User Notification: Advance notice to users of significant changes;

(c) Transition Planning: Careful planning to minimise service disruption;

(d) Documentation Updates: Timely updates to this disclosure document.

5. DATA TRANSFER AND SECURITY

5.1. International Data Transfers

When data is transferred internationally to subprocessors, we ensure appropriate safeguards through:

(a) Adequacy Decisions: Reliance on jurisdictions with adequate data protection laws;

(b) Standard Contractual Clauses: Implementation of EU Standard Contractual Clauses where applicable;

(c) Certification Schemes: Use of subprocessors with recognised privacy certifications;

(d) Binding Corporate Rules: Acceptance of subprocessors with approved internal data transfer rules.

5.2. Security Requirements

All primary subprocessors must maintain security measures including:

(a) Encryption: Data encryption both in transit and at rest;

(b) Access Controls: Role-based access controls and multi-factor authentication;

(c) Monitoring: Continuous monitoring for security threats and incidents;

(d) Incident Response: Established procedures for responding to security incidents.

5.3. Compliance and Certifications

We prefer subprocessors with recognised compliance certifications such as:

(a) SOC 2 Type II: System and Organisation Controls for service organisations;

(b) ISO 27001: International standard for information security management;

(c) PCI DSS: Payment Card Industry Data Security Standard (for payment processors);

(d) GDPR Compliance: Demonstrated compliance with General Data Protection Regulation.

5.4. Data Breach Response

In the event of a data breach involving a subprocessor:

(a) Immediate Notification: Subprocessors must notify us within 24 hours;

(b) Impact Assessment: Joint assessment of the scope and impact of the breach;

(c) User Notification: Prompt notification to affected users where required;

(d) Remediation: Collaborative efforts to contain and remedy the breach.

6. USER RIGHTS AND CONTROL

6.1. Transparency Rights

Users have the right to:

(a) Information: Full transparency about subprocessor data processing activities;

(b) Updates: Regular updates about changes to subprocessor arrangements;

(c) Access: Information about how to exercise rights with each subprocessor;

(d) Contact: Direct communication channels for subprocessor-related concerns.

6.2. Data Subject Rights

Regarding data processed by subprocessors, users may:

(a) Request Access: Obtain information about data processing activities;

(b) Seek Rectification: Request correction of inaccurate data;

(c) Demand Erasure: Request deletion of personal data in certain circumstances;

(d) Restrict Processing: Limit how data is processed by subprocessors.

6.3. Exercise of Rights

To exercise rights regarding subprocessor data processing:

(a) Primary Contact: Contact us at privacy@nhcarrigan.com for coordination;

(b) Direct Contact: Contact subprocessors directly using their provided channels;

(c) Documentation: Provide sufficient information to verify identity and specify requests;

(d) Response Time: Allow reasonable time for investigation and response.

6.4. Complaint Mechanisms

If you have concerns about subprocessor data processing:

(a) Internal Escalation: Raise concerns through our customer support channels;

(b) Supervisory Authorities: Contact relevant data protection authorities;

(c) Legal Remedies: Pursue legal remedies available in your jurisdiction;

(d) Alternative Resolution: Participate in mediation or arbitration where available.

7. UPDATES AND CHANGES

7.1. Change Notification Process

We will notify users of changes to subprocessor arrangements through:

(a) Email Notification: Direct notification to registered users for significant changes;

(b) Website Updates: Updates to this document with change logs;

(c) Service Notifications: In-app notifications where technically feasible;

(d) Community Announcements: Public announcements in community forums.

7.2. Types of Changes Requiring Notification

Changes requiring advance notification include:

(a) New Subprocessors: Addition of new primary subprocessors;

(b) Changed Processing: Significant changes to data processing purposes or methods;

(c) Location Changes: Changes to data processing locations or jurisdictions;

(d) Security Changes: Material changes to security measures or protections.

7.3. Objection Rights

If you object to changes in subprocessor arrangements:

(a) Notification Period: We typically provide 30 days' notice of significant changes;

(b) Objection Process: You may object within the notification period;

(c) Alternative Arrangements: We will consider reasonable alternative arrangements where possible;

(d) Service Termination: You may terminate services if objections cannot be accommodated.

7.4. Emergency Changes

In emergency situations requiring immediate subprocessor changes:

(a) Immediate Implementation: Changes may be implemented without prior notice;

(b) Prompt Notification: Users will be notified as soon as reasonably possible;

(c) Explanation: Full explanation of the circumstances requiring emergency changes;

(d) Remediation Options: Information about available remediation options.

8. CONTACT INFORMATION AND SUPPORT

8.1. Primary Contact

For questions about subprocessor data processing:

Email: privacy@nhcarrigan.com

Subject Line: Subprocessor Data Processing Inquiry

Response Time: Within 7-10 business days for standard inquiries

8.2. Rights Requests

For exercising data subject rights regarding subprocessor processing:

Email: privacy@nhcarrigan.com

Subject Line: Data Subject Rights - Subprocessor

Required Information: Please include your full name, account information, and specific request details

8.3. Complaints and Concerns

For complaints about subprocessor data processing:

Email: privacy@nhcarrigan.com

Subject Line: Subprocessor Complaint

Alternative: Contact relevant supervisory authorities in your jurisdiction

8.4. Technical Support

For technical issues related to third-party platform integrations:

Email: support@nhcarrigan.com

Discord Community: https://chat.nhcarrigan.com

Response Time: Within 7-10 business days for technical support requests

9. COMPLIANCE AND REGULATORY INFORMATION

9.1. Regulatory Framework

This subprocessor disclosure is maintained in compliance with:

(a) General Data Protection Regulation (GDPR): EU data protection requirements;

(b) California Consumer Privacy Act (CCPA): California privacy law requirements;

(c) Other Applicable Laws: Additional data protection laws in relevant jurisdictions;

(d) Industry Standards: Best practices for data processing transparency.

9.2. Regular Review

This document is reviewed and updated:

(a) Quarterly: Regular quarterly review for accuracy and completeness;

(b) Change-Triggered: Updates following any changes to subprocessor arrangements;

(c) Annual Audit: Comprehensive annual audit of all subprocessor relationships;

(d) Regulatory Updates: Updates following changes in applicable laws or regulations.

9.3. Documentation Standards

We maintain documentation standards including:

(a) Version Control: Clear versioning and change tracking for all updates;

(b) Audit Trail: Complete records of all changes and their justifications;

(c) Legal Review: Review by qualified legal counsel before publication;

(d) Stakeholder Input: Consideration of feedback from users and privacy advocates.


This document provides transparency about our data processing relationships to help you make informed decisions about using our services. By using our services, you acknowledge understanding of these subprocessor arrangements and consent to the data processing described herein. For questions or concerns about subprocessor data processing, please contact us at privacy@nhcarrigan.com.