Sub-Processor List [cite: 399]

SFL Tech ("SFL", "we", "our", "us") engages carefully selected third-party service providers ("Sub-Processors") to support the delivery, maintenance, and improvement of our services. [cite: 401] We are committed to transparency, security, and regulatory compliance. This page identifies the categories of Sub-Processors we use and the nature of services they provide in connection with our technology, consulting, and managed services operations. [cite: 402]

This page should be read in conjunction with our: [cite: 403]

• Privacy Policy [cite: 404]
• Data Processing Addendum (DPA) and Cookie Policy [cite: 405]

1. Our Approach to Sub-Processors [cite: 406]

Before engaging any Sub-Processor, SFL Tech: [cite: 407]

• Conducts due diligence and risk assessment [cite: 408]
• Reviews security certifications (e.g., ISO 27001, SOC 2 where applicable) [cite: 409]
• Ensures contractual data protection obligations are in place [cite: 410]
• Requires confidentiality commitments [cite: 411]
• Implements appropriate safeguards for international data transfers [cite: 412]

All Sub-Processors are contractually required to process personal data only for specified business purposes and in compliance with applicable data protection laws. [cite: 413]

2. Categories of Sub-Processors [cite: 414]

Below are the categories of Sub-Processors used by SFL Tech in support of its services. [cite: 415]

A. Cloud Infrastructure & Hosting Providers [cite: 416]

Purpose: Secure hosting, storage, compute services, and infrastructure management. [cite: 417, 418]

Data Processed May Include: [cite: 419]

• Customer system data [cite: 420]
• Contact information [cite: 421]
• Application logs [cite: 422]
• Operational datasets [cite: 423]

Examples of Services Provided: [cite: 424]

• Infrastructure-as-a-Service (laaS) [cite: 425]
• Backup and disaster recovery [cite: 426]
• Virtual server hosting [cite: 427]
• Database hosting [cite: 428]

Data may be processed in regional data centers depending on client configuration. [cite: 429]

B. Email & Communication Service Providers [cite: 430]

Purpose: Transactional emails, customer communications, internal collaboration. [cite: 431, 432]

Data Processed May Include: [cite: 433]

• Names [cite: 434]
• Email addresses [cite: 435]
• Communication content [cite: 436]
• Metadata [cite: 437]

These providers support operational notifications, support communications, and marketing communications where applicable. [cite: 438]

C. Analytics & Performance Monitoring Providers [cite: 439]

Purpose: Website performance monitoring, usage analytics, system diagnostics. [cite: 440, 441]

Data Processed May Include: [cite: 442]

• IP addresses [cite: 443]
• Browser/device information [cite: 444]
• Usage data [cite: 445]
• Log files [cite: 446]

These tools help improve system stability, security, and user experience. [cite: 447]

D. Customer Support & Helpdesk Platforms [cite: 448]

Purpose: Ticketing, issue tracking, customer service management. [cite: 449, 450]

Data Processed May Include: [cite: 451]

• Customer contact details [cite: 452]
• Support tickets [cite: 453]
• Communication records [cite: 454]
• Technical logs [cite: 455]

These platforms support SFL's managed services and CARE support operations. [cite: 456]

E. CRM & Marketing Automation Platforms [cite: 457]

Purpose: Customer relationship management, communications, marketing engagement. [cite: 458, 459]

Data Processed May Include: [cite: 460]

• Business contact information [cite: 461]
• Job title [cite: 462]
• Company details [cite: 463]
• Interaction history [cite: 464]

These systems are used strictly for legitimate business communications and marketing activities in accordance with GDPR and CCPA/CPRA. [cite: 465]

F. IT Security & Monitoring Providers [cite: 466]

Purpose: Threat detection, endpoint security, vulnerability monitoring. [cite: 467, 468]

Data Processed May Include: [cite: 469]

• Log data [cite: 470]
• System access records [cite: 471]
• Security alerts [cite: 472]

These providers support cybersecurity posture and incident response capabilities. [cite: 473]

G. Professional Services & Advisory Partners [cite: 474]

Purpose: Legal, accounting, compliance, and advisory support. Access to personal data (if any) is limited and controlled, and only where necessary for compliance or contractual obligations. [cite: 475, 476, 477]

3. International Data Transfers [cite: 478]

Where Sub-Processors operate outside the European Economic Area (EEA), United Kingdom, or other jurisdictions with data transfer restrictions: [cite: 479]

• Standard Contractual Clauses (SCCs) or equivalent safeguards are implemented. [cite: 480]
• Transfers comply with GDPR Chapter V requirements. [cite: 481]
• Additional technical and organizational measures may apply where necessary. [cite: 482]

4. Sub-Processor Updates [cite: 483]

SFL Tech may update this list periodically. If you are a customer and wish to: [cite: 484, 485]

• Receive notice of new Sub-Processors [cite: 486]
• Object to a proposed Sub-Processor (where contractually permitted) [cite: 487]
• Request further information regarding safeguards [cite: 488]

Please contact: connectwithus@sfltech.ai [cite: 489]

5. Security & Compliance Standards [cite: 490]

All Sub-Processors must: [cite: 491]

• Maintain appropriate technical and organizational security measures [cite: 492]
• Limit access to authorized personnel [cite: 493]
• Notify SFL Tech of security incidents without undue delay [cite: 494]
• Comply with applicable data protection laws [cite: 495]

SFL Tech remains responsible for ensuring that Sub-Processors meet contractual and regulatory obligations. [cite: 496]