Data Subprocessors Policy
Policy update: November 25, 2024
1. Ownership and control of your service data
B2Chat employs certain subprocessors to facilitate the delivery of the services described in the Terms of Service. Defined terms used in this document shall have the same meaning as established in those Terms of Service.
This includes information about your customers and employees (if you act as a data controller), or data you hold and use on behalf of third parties for a specific purpose, such as a customer to whom you provide services (if you act as a data processor). Data may be stored on our servers while you use our services. All information entrusted to B2Chat is collectively referred to as “Service Data”.
We acknowledge that you are the owner of your Service Data. We grant you full control over it, offering you the ability to: (i) access your Service Data, (ii) share it through compatible third-party integrations, and (iii) request the export or deletion of such data.
2. Subprocessor definition
A subprocessor is a third party engaged by B2Chat to process data on our behalf. These subprocessors may receive Service Data (which may include Personal Data) from B2Chat for the purpose of supporting the delivery of the services we offer to our customers. This processing is carried out following the specific instructions of our customers and under the terms of a written agreement with the subprocessor.
B2Chat uses different types of subprocessors to carry out various functions essential to its services. These subprocessors and their specific functions are described in the tables presented below.
3. Due diligence
B2Chat commits to using a commercially reasonable selection process by which it evaluates the security, privacy, and confidentiality practices of proposed subprocessors.
B2Chat contractually requires its subprocessors to accept and comply with obligations equivalent to those that B2Chat assumes as a Data Processor, as established in its Data Processing Agreement (DPA). These obligations include, at a minimum, the following:
- Processing in accordance with instructions: Subprocessors must process Personal Data solely in accordance with the documented instructions of the data controller (i.e., the Subscriber), as communicated in writing through B2Chat.
- Reliable and trained personnel: Subprocessors must ensure that personnel involved in processing activities are reliable and subject to binding contractual obligations to respect data privacy and security, in accordance with applicable data protection laws.
- Security training: Periodic training must be provided to personnel with access to Personal Data to ensure the security and protection of such data.
- Security measures and audits: Subprocessors must implement and maintain appropriate technical and organizational measures, equivalent to those B2Chat is contractually obligated to comply with, to the extent they are relevant to the processing of Personal Data. In addition, they must provide an annual certification demonstrating their compliance. If such certification is not provided, B2Chat reserves the right to audit the subprocessor.
- Incident notification: Subprocessors are required to immediately notify B2Chat of any security breach, whether actual or potential.
- Cooperation with requests: Subprocessors must cooperate with B2Chat in addressing requests from data controllers, data subjects, or data protection authorities, as applicable.
Subprocessors that incidentally access Your Service Data in the Innovation Services and are used to provide specific product features or components outside the primary hosting of Service Data (“Innovation Service-Specific Subprocessors”) are periodically reviewed by B2Chat to ensure they work to implement each of the standards described in this Section. However, Innovation Service-Specific Subprocessors may not currently meet all of the measures identified above.
This policy does not grant subscribers any additional rights or remedies and should not be construed as a binding agreement. Its purpose is solely to illustrate B2Chat’s subprocessor selection and engagement process. It also provides the updated list of third-party subprocessors used by B2Chat S.A.S. in the delivery and support of its services.
4. Information Security Measures
Our Subprocessors, when processing Service Data on behalf of the Subscriber in connection with the Business Services, will implement and maintain the following technical and organizational security measures for the Processing of such Service Data:
- Physical access controls: Our subprocessors will take reasonable measures, such as security personnel and secured buildings, to prevent unauthorized persons from gaining physical access to service data.
- System access controls: Our subprocessors will take reasonable measures to prevent service data from being used without authorization. These controls will vary depending on the nature of the processing performed and may include, among other controls, authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes, and/or access logging at multiple levels.
- Data access controls: Our subprocessors will take reasonable measures to ensure that service data is accessible and manageable only by duly authorized personnel, that direct database query access is restricted, and that application access rights are established and enforced to ensure that persons entitled to access Service Data only have access to the Service Data to which they have access privilege; and that Service Data cannot be read, copied, modified, or deleted without authorization in the course of processing. The Provider will implement and maintain an access policy under which access to its system environment, data processing systems, Service Data, and other resources is controlled.
- Transmission controls: Our subprocessors will take reasonable measures to ensure that it is possible to verify and establish to which entities the transfer of Service Data is intended via data transmission facilities, so that Service Data cannot be read, copied, modified, or deleted without authorization during electronic transmission or transport.
- Input controls: Our subprocessors will take reasonable measures to ensure that it is possible to verify and establish whether service data has been entered into data processing systems, modified or deleted, and by whom; and that any transfer of Service Data to an external service provider is carried out through a secure transmission.
- Data protection: Our subprocessors will take reasonable measures to ensure that service data is protected against accidental destruction or loss. Our Subprocessors will ensure that, when hosted by the Subprocessor, backups are completed regularly, are secure and encrypted, to ensure that Service Data is protected. Our subprocessors will implement and maintain a managed security program to identify risks and implement preventive technology and processes for the mitigation of common attacks.
Logical separation: Our subprocessors will logically separate service data from the data of other parties in their systems to ensure that service data can be processed separately.
5. Process for engaging new subprocessors
B2Chat maintains a commitment to transparency with its customers regarding the subprocessors it uses to deliver its services. For all customers, updates to the list of subprocessors used or proposed will be notified through this policy. Likewise, this list will be kept regularly updated so that customers are informed of any changes related to data processing in the context of the services provided.
In accordance with the DPA, customers have a period of thirty (30) days from the publication of any update to object in writing to the use of a new subprocessor. The objection must include the legitimate grounds justifying the request. If no objection is received within the established period, the customer will be deemed to have accepted the use of the new subprocessor.
In the event that a customer objects to the use of a new subprocessor, B2Chat will assess the situation and take one of the following actions, at its sole discretion:
- Exclude the subprocessor for that customer: Stop the use of the subprocessor with respect to the affected customer’s personal data.
- Apply corrective measures: Implement the measures suggested by the customer in their objection, provided that such measures are feasible and resolve the concerns raised, allowing the use of the subprocessor.
- Adjust the service: Suspend or discontinue (temporarily or permanently) the service functionality that requires the use of the subprocessor in question, in agreement with the customer.
Any right of termination or modification of the contract will apply in accordance with what is stipulated in the DPA.
B2Chat is committed to ensuring the security and confidentiality of personal data processed by its subprocessors, who are selected under strict legal and technical compliance criteria.
6. Infrastructure subprocessors: service data storage and processing
B2Chat owns or controls access to the infrastructure that the solution uses to host and process service data submitted to the Services, except as set forth in this document. Currently, B2Chat’s production systems used to host Service Data for the Services are located at the Infrastructure Subprocessors listed below.
The following is an updated list (as of the date of this policy) of the names, purpose, and locations of B2Chat’s Subprocessors.
| Entity name | Purpose | Data hosting location |
| Amazon Web Services, Inc. | Cloud service provider for all B2Chat features and functionalities | United States |
| Google Cloud Platform | Cloud service provider for data storage management | United States |
7. Service-specific subprocessors
B2Chat works with certain third parties to provide specific features within the Services. These providers, referred to as Subprocessors, access and process Service Data exclusively to provide the relevant functionality. Their use is strictly limited to the Services indicated below.
The following is an updated list (as of the date of this policy) of the names, purpose, and locations of B2Chat’s Subprocessors.
| Entity name | Purpose | Data hosting location |
| Zoho Analytics | Data analytics and report generation | United States |
| Looker | Data visualization and advanced analytics | United States |
| HubSpot | Customer relationship management (CRM) and marketing automation | United States |
| CloudAMQP | Message queue management for real-time services | United States |
| Alegra | Billing and finance management | Colombia |
| Telegram | Instant messaging integration for business communication | Global |
| Meta | Instant messaging and social media integration for business communication | Global |
| Anthropic | Anthropic provides generative artificial intelligence (“AI”) and natural language processing services | Global |
| Shopify | E-commerce management and sales platforms | Global |
| OpenAI | Provides generative artificial intelligence (“AI”) and natural language processing services | Global |
| Zapier | Workflow automation between applications | United States |
| Freshdesk | Support ticket management and customer service | Global |
| Zendesk | Customer support tool and communications management | Global |
| Evertec | Payment processing services and business solutions | Global |
Notes:
- Data location may vary depending on the data centers selected by each provider.
- The subprocessors mentioned comply with applicable privacy regulations, and their services are restricted to the purposes indicated.