Subprocessors

Effective Date: November 26, 2025
Version: 1.0
Last Updated: November 26, 2025


This Subprocessors document has been prepared for general informational purposes and does not constitute legal advice. This document should be reviewed by qualified legal counsel before implementation or execution. Mavaro Systems LLC makes no warranties regarding the legal sufficiency of this template for your specific use case.

Information in this document is subject to change without notice. For the most current information, please contact legal@mavarosystems.com.


1. Introduction

This Subprocessors document provides transparency regarding third-party service providers ("Subprocessors") that Mavaro Systems LLC ("Mavaro") engages to process Personal Data on behalf of our customers. This document is maintained in accordance with applicable data protection laws and our Data Processing Addendum.


2. Update Notification Policy

2.1 Notification Timeline

  • New Subprocessors: 30 days advance notice via email to registered customer contacts
  • Subprocessor Changes: 30 days advance notice for material changes to data processing
  • Emergency Changes: Notification within 72 hours when legally required for urgent compliance matters

2.2 Customer Rights

  • Customers may object to new Subprocessors within 15 days of notification
  • Objections must be based on reasonable data protection concerns
  • Mavaro will work with customers to address concerns or provide alternative solutions
  • Continued use constitutes acceptance of new Subprocessor arrangements

2.3 Notification Methods

  • Email to primary customer contact and privacy officer (if designated)
  • Updates to this public document
  • In-app notifications for customers using our platform interfaces

3. Critical Vendor Requirements

3.1 Security Standards

All Subprocessors must meet or exceed:

  • SOC 2 Type II or equivalent security certification
  • ISO 27001 certification or equivalent information security management
  • GDPR compliance and adherence to Standard Contractual Clauses for international transfers
  • Regular security audits and penetration testing
  • Incident response capabilities aligned with industry standards

3.2 Due Diligence Process

Prior to engagement, all Subprocessors undergo:

  • Security assessment including review of security certifications and practices
  • Financial stability review to ensure long-term viability
  • Legal compliance verification including data protection and privacy laws
  • Reference checks with existing customers and industry contacts
  • Contractual review to ensure data protection obligations are met

3.3 Ongoing Monitoring

  • Annual security assessments of all Subprocessors
  • Quarterly business reviews for critical vendors
  • Incident monitoring and immediate notification of security events
  • Contract compliance audits on a rotating schedule
  • Renewal assessments for expiring vendor agreements

4. Current Subprocessors

4.1 Infrastructure and Hosting Providers

| Vendor | Service | Data Types | Region | Security Attestations | Last Review Date |
|---|---|---|---|---|---|
| Amazon Web Services (AWS) | Cloud Infrastructure & Hosting | All customer data, user accounts, usage analytics | US, EU, APAC | SOC 2 Type II, ISO 27001, FedRAMP | November 2025 |
| Google Cloud Platform | Data Analytics & Machine Learning | Anonymized usage data, performance metrics | US, EU | SOC 2 Type II, ISO 27001, ISO 27017 | November 2025 |
| Microsoft Azure | Backup & Disaster Recovery | Customer data backups, system logs | US, EU | SOC 2 Type II, ISO 27001, ISO 27018 | November 2025 |

4.2 Communication and Support Services

| Vendor | Service | Data Types | Region | Security Attestations | Last Review Date |
|---|---|---|---|---|---|
| SendGrid (Twilio) | Transactional Email Services | Customer contact information, notification content | US, EU | SOC 2 Type II, ISO 27001, GDPR compliant | November 2025 |
| Twilio | SMS/Voice Communications | Phone numbers, communication metadata | US, EU, APAC | SOC 2 Type II, ISO 27001, HIPAA eligible | November 2025 |
| Intercom | Customer Support Chat | Customer support inquiries, chat transcripts | US, EU, APAC | SOC 2 Type II, ISO 27001, GDPR compliant | November 2025 |

4.3 Payment and Financial Services

| Vendor | Service | Data Types | Region | Security Attestations | Last Review Date |
|---|---|---|---|---|---|
| Stripe | Payment Processing | Payment information (tokenized), billing addresses | US, EU, APAC | PCI DSS Level 1, SOC 2 Type II, ISO 27001 | November 2025 |
| PayPal | Alternative Payment Processing | Payment information (tokenized), transaction data | Global | PCI DSS Level 1, SOC 2 Type II, ISO 27001 | November 2025 |

4.4 Development and Monitoring Tools

| Vendor | Service | Data Types | Region | Security Attestations | Last Review Date |
|---|---|---|---|---|---|
| GitHub | Source Code Management | Code repositories, developer access logs | US, EU | SOC 2 Type II, ISO 27001, FedRAMP | November 2025 |
| DataDog | Application Monitoring | Performance metrics, error logs, infrastructure data | US, EU | SOC 2 Type II, ISO 27001, GDPR compliant | November 2025 |
| Sentry | Error Tracking | Application error logs, performance data | US, EU | SOC 2 Type II, ISO 27001 | November 2025 |

4.5 Analytics and Business Intelligence

| Vendor | Service | Data Types | Region | Security Attestations | Last Review Date |
|---|---|---|---|---|---|
| Google Analytics | Web Analytics | Website usage data, anonymized user behavior | US, EU | ISO 27001, GDPR compliant, Privacy Shield certified | November 2025 |
| Mixpanel | Product Analytics | User interaction data, feature usage analytics | US, EU | SOC 2 Type II, ISO 27001, GDPR compliant | November 2025 |

| Vendor | Service | Data Types | Region | Security Attestations | Last Review Date |
|---|---|---|---|---|---|
| OneTrust | Privacy Management | Privacy policy data, compliance assessments | US, EU | SOC 2 Type II, ISO 27001, GDPR compliant | November 2025 |
| Okta | Identity Management | User authentication data, access logs | US, EU, APAC | SOC 2 Type II, ISO 27001, FedRAMP | November 2025 |

5. Subprocessor Categories and Risk Assessment

5.1 Critical Infrastructure (High Risk)

Vendors: AWS, Google Cloud, Microsoft Azure
Risk Factors: Comprehensive data access, global data residency
Mitigations:

  • Encryption of all data at rest and in transit
  • Strict access controls and monitoring
  • Regular security audits and penetration testing
  • Business continuity and disaster recovery testing

5.2 Payment Processing (High Risk)

Vendors: Stripe, PayPal
Risk Factors: Financial data handling, PCI compliance requirements
Mitigations:

  • Tokenization of payment data
  • PCI DSS Level 1 compliance verification
  • Separate security monitoring and incident response
  • Regular compliance audits

5.3 Communication Services (Medium Risk)

Vendors: SendGrid, Twilio, Intercom
Risk Factors: Customer communication data, potential content analysis
Mitigations:

  • Limited data scope and retention periods
  • Content encryption where applicable
  • Customer consent mechanisms
  • Regular privacy impact assessments

5.4 Development Tools (Low-Medium Risk)

Vendors: GitHub, DataDog, Sentry
Risk Factors: Code access, operational data
Mitigations:

  • Code review processes for sensitive information
  • Access logging and monitoring
  • Restricted access to production environments
  • Regular security training for developers

5.5 Analytics Services (Low Risk)

Vendors: Google Analytics, Mixpanel
Risk Factors: Behavioral data, potential cross-service tracking
Mitigations:

  • Anonymization and pseudonymization
  • Limited data retention periods
  • Opt-out mechanisms for customers
  • Regular privacy reviews

6. Customer Notification Procedures

6.1 Notification Channels

  1. Email Notification: Primary method to registered customer contacts
  2. Platform Notifications: In-app notifications for active users
  3. Public Documentation: Updates to this document on our website
  4. Customer Portal: Notification through customer account portal (when available)

6.2 Notification Content

Each notification includes:

  • Subprocessor name and contact information
  • Services being provided
  • Categories of Personal Data processed
  • Data residency locations
  • Security certifications and compliance
  • Effective date of change
  • Customer objection procedures

6.3 Objection Process

  1. Submit Objection: Email to legal@mavarosystems.com within 15 days
  2. Review Period: Mavaro has 15 days to respond to objections
  3. Resolution Options:
    • Address customer concerns
    • Provide alternative vendor solutions
    • Negotiate enhanced security measures
    • Document legitimate business justification

7. Security Assurance

7.1 Contractual Protections

All Subprocessor agreements include:

  • Data Processing Addendum with equivalent protections to our DPA
  • Standard Contractual Clauses for international transfers
  • Security breach notification requirements (24-72 hours)
  • Audit rights and compliance verification
  • Insurance requirements including cyber liability coverage

7.2 Technical Safeguards

  • Encryption: AES-256 for data at rest, TLS 1.3 for data in transit
  • Access Controls: Multi-factor authentication, role-based access
  • Network Security: Firewalls, intrusion detection, network segmentation
  • Monitoring: 24/7 security monitoring and incident response

7.3 Regular Assessment

  • Annual vendor risk assessments
  • Quarterly security reviews
  • Monthly compliance check-ins
  • Real-time incident monitoring

8. Contact Information

For questions about this Subprocessors document or to submit objections:

Mailing Address: Mavaro Systems LLC
Legal Department
[Address to be provided]


9. Document Control

  • Document Owner: Chief Privacy Officer
  • Review Frequency: Quarterly
  • Next Review Date: February 26, 2026
  • Classification: Public
  • Approval Authority: Chief Executive Officer

Next Scheduled Update: February 26, 2026

This document is maintained to ensure transparency and compliance with applicable data protection laws. Customers are encouraged to review this document regularly for updates to our Subprocessor arrangements.