
Subprocessor List

1. Introduction

This Subprocessor List identifies the third-party service providers (“Subprocessors”) engaged by Rebasoft Limited (“Rebasoft”, “we”, “us”, or “our”) to process personal data on behalf of customers.

This document forms part of the Rebasoft Data Processing Addendum (DPA) and is provided in accordance with Article 28 UK GDPR.

Rebasoft supports multiple deployment models:

  • SaaS (Rebasoft-hosted)

  • On-premise

  • Hybrid

Subprocessor usage varies depending on deployment and is defined below.

2. Our Approach to Subprocessors

Rebasoft applies a structured and risk-based approach to Subprocessor management.

We:

  • Conduct security, legal, and compliance due diligence prior to engagement

  • Enter into Article 28-compliant agreements with all Subprocessors

  • Apply equivalent data protection and confidentiality obligations

  • Ensure Subprocessors implement appropriate technical and organisational measures (TOMs)

  • Continuously monitor performance, security posture, and risk

Rebasoft remains fully liable for the acts and omissions of all Subprocessors.

3. Subprocessor Categories

Subprocessors are grouped as follows:

  • A. Standard Subprocessors (SaaS environments)

  • B. Deployment-Dependent Subprocessors

  • C. Website and Analytics Subprocessors

4. Standard Subprocessors (SaaS Environments)

These Subprocessors are used where Rebasoft provides a hosted (SaaS) deployment.

| Subprocessor | Service | Data Processed | Region | Safeguards |
|---|---|---|---|---|
| Microsoft Azure | Cloud hosting & infrastructure | Customer data, system data, logs | UK South / EU West | UK GDPR compliant, IDTA, SCCs |

These Subprocessors are always used in Rebasoft-hosted environments.

5. Deployment-Dependent Subprocessors

These Subprocessors are used only where required by customer architecture, configuration, or service selection.

| Subprocessor | Service | Data Processed | Region | Safeguards | When Used |
|---|---|---|---|---|---|
| Amazon Web Services (AWS) | Optional cloud infrastructure | Customer data, logs | UK / EU / US | SCCs, UK Addendum | Specific customer deployments |
| Microsoft 365 | Email & collaboration | Contact data, communications | UK / EU | UK GDPR compliant | Operational communications |
| SendGrid | Email delivery | Contact data | EU / US | SCCs | Notification services (if enabled) |

👉 These Subprocessors are:

  • Not universally used

  • Explicitly controlled per deployment

  • Configured in line with customer requirements

6. Website and Analytics Subprocessors

These Subprocessors apply only to website usage and not to the Rebasoft platform.

| Subprocessor | Service | Data Processed | Region | Safeguards |
|---|---|---|---|---|
| Google Analytics | Website analytics | Pseudonymised usage data | EU / US | SCCs, IP anonymisation enabled |

Applies only to:

  • Website visitors

  • Marketing and analytics activities

Does not apply to customer platform data

7. International Data Transfers

Where Subprocessors operate outside the UK, Rebasoft ensures that transfers are protected by:

  • UK International Data Transfer Agreement (IDTA)

  • Standard Contractual Clauses (SCCs)

  • Adequacy decisions (where applicable)

All transfers are:

  • Subject to transfer risk assessments

  • Implemented with appropriate safeguards

  • Aligned with UK ICO guidance

8. Change Management and Notifications

Rebasoft will:

  • Provide at least 14 days’ advance notice of any new Subprocessors

  • Notify customers via:

    • Email to registered contacts

    • Website updates

Customers may:

  • Object to new Subprocessors on reasonable data protection grounds

  • Request additional information

Where an objection is valid and cannot be resolved:

  • Rebasoft will work in good faith to provide an alternative solution

  • Where no alternative is feasible, customers may exercise contractual remedies under the DPA

9. Customer Rights

Customers may:

  • Request full details of Subprocessors

  • Request security, compliance, and due diligence information

  • Object to Subprocessors in accordance with the DPA

Contact: legal@rebasoft.net

10. Security and Assurance

All Subprocessors are subject to:

  • Formal security due diligence

  • Contractual data protection obligations

  • Confidentiality requirements

  • Ongoing monitoring and review

Rebasoft ensures alignment with:

  • Article 32 UK GDPR

  • Industry best practice for security controls

11. Data Residency

Where applicable:

  • Primary hosting is located in UK and/or EU regions

  • Data residency is aligned with customer deployment requirements

Rebasoft does not transfer customer data outside agreed regions without:

  • Appropriate safeguards

  • Legal transfer mechanisms

12. Updates to This List

This Subprocessor List may be updated from time to time.

Material changes will be communicated in accordance with Section 8.

13. Contact

For all enquiries relating to Subprocessors:

Email: legal@rebasoft.net