B2B Internet Solutions Limited (“B2B”) uses certain subprocessors, subcontractors and Content Delivery Networks to assist it in providing the B2B Services including those as described in The B2B Webshop software Software as a Service Agreement. Defined terms used herein shall have the same meaning as defined in the Agreement.
What is a Subprocessor:
A subprocessor is a third party data processor engaged by B2B, who has or potentially will have access to or process Service Data (which may contain Personal Data). B2B engages different types of subprocessors to perform various functions as explained in the tables below. B2B refers to third parties that do not have access to or process Service Data but who are otherwise used to provide the Services as “subcontractors” and not subprocessors.
Due Diligence:
B2B undertakes to use a commercially reasonable selection process by which it evaluates the security, privacy and confidentiality practices of proposed subprocessors that will or may have access to or process Service Data.
Contractual Safeguards:
B2B requires its subprocessors to satisfy equivalent obligations as those required from B2B (as a Data Processor) as set forth in B2B’s Data Processing Agreement (“DPA”), including but not limited to the requirements to:
- process Personal Data in accordance with data controller’s (i.e. Subscriber’s) documented instructions (as communicated in writing to the relevant subprocessor by B2B);
- in connection with their subprocessing activities, use only personnel who are reliable and subject to a contractually binding obligation to observe data privacy and security, to the extent applicable, pursuant to applicable data protection laws;
- Provide regular training in security and data protection to personnel to whom they grant access to Personal Data;
- implement and maintain appropriate technical and organizational measures (including measures consistent with those to which B2B is contractually committed to adhere insofar as they are equally relevant to the subprocessor’s processing of Personal Data on B2B’s behalf) and provide an annual certification that evidences compliance with this obligation. In the absence of such certification B2B reserves the right to audit the subprocessor;
- promptly inform B2B about any actual or potential security breach; and
- cooperate with B2B in order to deal with requests from data controllers, data subjects or data protection authorities, as applicable.
This policy does not give Subscribers any additional rights or remedies and should not be construed as a binding agreement. The information herein is only provided to illustrate B2B’s engagement process for subprocessors as well as to provide the actual list of third party subprocessors, subcontractors and content delivery networks used by B2B as of the date of this policy (which B2B may use in the delivery and support of its Services).
If you are a B2B Subscriber and wish to enter into our DPA, please email us at privacy@b2binternetsolutions.co.uk.
Process to Engage New Subprocessors:
For all Subscribers who have executed B2B’s standard DPA, B2B will provide notice via this policy of updates to the list of subprocessors that are utilized or which B2B proposes to utilize to deliver its Services. B2B undertakes to keep this list updated regularly to enable its Subscribers to stay informed of the scope of subprocessing associated with the B2B Services.
Pursuant to the DPA, a Subscriber can object in writing to the processing of its Personal Data by a new subprocessor within thirty (30) days after updating of this policy and shall describe its legitimate reasons to object. If Subscriber does not object during such time period the new subprocessor(s) shall be deemed accepted.
If a Subscriber objects to the use of a subprocessor pursuant to the process provided under the DPA, B2B shall have the right to cure the objection through one of the following options (to be selected at B2B's sole discretion):
(a) B2B will cease to use the subprocessor with regard to Personal Data;
(b) B2B will take the corrective steps requested by Subscriber in its objection (which remove Subscriber’s objection) and proceed to use the subprocessor to process Personal Data; or
(c) B2B may cease to provide or Subscriber may agree not to use (temporarily or permanently) the particular aspect of a B2B Service that would involve use of the subprocessor to process Personal Data.
Termination rights, as applicable and agreed, are set forth exclusively in the DPA.
The following is an up-to-date list (as of the date of this policy) of the names and locations of B2B subprocessors, subcontractors and content delivery networks (including members of the B2B Group and third parties):
Infrastructure Subprocessors – Service Data Storage
B2B owns or controls access to the infrastructure that B2B uses to host Service Data submitted to the Services, other than as set forth below. Currently, the B2B production systems for the Services are located in co-location facilities in the Europe. Subscriber accounts are established in one of these regions based on where the Subscriber is located; the Subscriber’s Service Data subsequently remains in that region unless agreed between Subscriber and B2B, but may be shifted among data centers within a region to ensure performance and availability of the Services. The following table describes the countries and legal entities engaged in the storage of Service Data by B2B.
| Entity Name | Entity Type | Entity Country |
| Amazon Data Services Ireland Ltd ("AWS") | Cloud Service Provider | Ireland |
Service Specific Subprocessors
B2B works with certain third parties to provide specific functionality within the Services. These providers are the Subprocessors set forth below. In order to provide the relevant functionality these Subprocessors access Service Data. Their use is limited to the indicated Services.
| Entity Name | Purpose | Applicable Services | Entity Country |
| Postcode Anywhere trading as PCA Predict (Europe) Ltd, company registration number 03347926. |
Delivery and invoice Address search capabilities are provided by Postcode Anywhere. Postcode Anywhere provides the APIs from which B2B's services get relevant address information when Users request address searches based on postcode and / or house number. Provision of any service by Postcode Anywhere (Europe) Ltd is subject to the company's Terms and Conditions and its respective third party data licensors' terms, which are available on request. Postcode Anywhere receives data provided interactively by the User if the User chooses to use the address searching service, e.g. Postcode, in order to show the User address information related to their request |
B2B Webshop software SaaS |
United Kingdom |
| AWS |
AWS provides email and SMS send services to enable emails and SMS messages to be sent to Users for the sole purpose of Order Confirmations and updates (as appropriate), Registration (as appropriate), Email Address verification and password reset. In connection with providing their services, AWS has access to the following types of data: Service Data contained in the messages and User email address and mobile number, email and SMS content. |
All | United States |
| AWS |
AWS provides CloudFront, a Content Delivery Network (CDN) which is used to speed up delivery of the service to end users. All requests for the Service pass through CloudFront, the results of some of which are stored for a finite amount of time to speed up future requests. None of the information stored is specific to an end user or specific end user request. CloudFront stores content such as images and documents that can be downloaded or viewed using the Service. |
All | United States |
| FastSMS |
FastSMS provides SMS send services to enable SMS messages to be sent to Subscribers for the sole purpose of SMS Mobile Number verification and Order updates (as appropriate). In connection with providing their services, FastSMS has access to the following types of data: Mobile number and content of the SMS messages. |
B2B Webshop software SaaS | United Kingdom |
| Sage Pay Europe Limited |
For security and compliance reasons B2B outsource card payments out to SagePay. For more information about Sage Pay's Security Policy Click here. B2B do not capture or store any payment card related information. B2B hold card transaction result information related to specific orders purely to ascertain whether or not payment has been successful. Card invoice address information is entered onto a page on a B2B managed server which is then passed, without being stored, over an encrypted link to the SagePay payment system so that payment can be made. The results of any payment attempts are the only data transferred back to and stored within a B2B database. |
B2B Webshop software SaaS | United Kingdom |
|
|
|||
| SageOne |
SageOne is used solely for general accounting purposes for the running of the B2B Business and not in connection with any services to it's customers. The only Customer related data is used for invoicing and related purposes. Data held includes main Customer contract, Customer business address, invoice, credit note and payment method, amounts and dates. |
Internal B2B Accounting purposes |
Subcontractors
As explained above, B2B also uses certain “subcontractors” to assist in the operations necessary to provide the B2B Services as described in the Service Agreement. The following is a list (as of the date of this policy) of the names and locations of material third-party subcontractors. Subcontractors do not have access to Service Data.
| Entity Name | Entity Type | Entity Country |
| M247 Ltd & Metronet UK Ltd trading as M24Seven | Co-location Service Provider | United Kingdom |
| Amazon Data Services Ireland Ltd ("AWS") | Cloud Service Provider | Ireland |
| iomart Hosting Ltd trading as RapidSwitch | Co-location Service Provider | United Kingdom |
Content Delivery Networks
As explained above, B2B's Services may use content delivery networks (“CDNs”) to provide the Services, for security purposes, and to optimize content delivery. CDNs do not have access to Service Data but are commonly used systems of distributed services that deliver content based on the geographic location of the individual accessing the content and the origin of the content provider. Website content served to website visitors and domain name information may be stored with a CDN to expedite transmission, and information transmitted across a CDN may be accessed by that CDN to enable its functions. The following describes use of CDNs by B2B's Services.
| CDN Provider | Services Using CDN | CDN Location | Description of CDN Services |
| Amazon Web Services, Inc. |
All B2B Services |
Global | Public website content served to website visitors may be stored with Amazon Web Services, Inc., and transmitted by Amazon Web Services, Inc., to website visitors, to expedite transmission. |
B2B Users may subscribe to receive notifications of updates to this policy by clicking “Follow updates” at the top of this policy.
0 Comments