Subprocessors

Sweeperoo uses trusted third-party service providers ("Subprocessors") to help us deliver our services. All Subprocessors are carefully selected and bound by data processing agreements that ensure they:

• Process data only as instructed by us
• Implement appropriate security measures
• Maintain confidentiality of all data
• Assist with data subject rights requests
• Notify us of any data breaches

We will notify business users of any intended changes to our Subprocessors (additions or replacements) at least 30 days in advance via:

• Email notification to your account email address
• Platform notification in your dashboard
• Updates to this page

If you object to a new Subprocessor on reasonable data protection grounds, you may notify us within 30 days. If we cannot accommodate your objection, you may terminate the affected services without penalty.

All Subprocessors are required to:

• Sign Data Processing Agreements: Each Subprocessor is bound by written agreements with data protection obligations equivalent to our DPA
• Implement Security Measures: Appropriate technical and organizational measures to protect personal data
• Maintain Confidentiality: All personnel with access to data are bound by confidentiality obligations
• Assist with Rights Requests: Help us respond to data subject rights requests
• Report Breaches: Notify us immediately of any data breaches
• Allow Audits: Permit audits and inspections as required

Most of our Subprocessors are located in the United States. For transfers of personal data from the European Economic Area (EEA) or United Kingdom, we rely on:

• Standard Contractual Clauses (SCCs): Approved by the European Commission
• UK International Data Transfer Agreement (IDTA): For UK data subjects
• Additional Safeguards: Encryption, access controls, and contractual protections

Our primary data storage is in Canada, which is recognized as an adequate jurisdiction under GDPR.