Dataspike (Right and Data Ltd) engages certain third-party service providers ("Subprocessors") to assist in delivering its identity verification (KYC) and AML compliance services. These Subprocessors may process personal data on behalf of Dataspike's customers ("Controllers") as part of the Service. This policy is published in accordance with Article 28 of the EU GDPR and UK GDPR, and forms part of Dataspike's Data Processing Agreement ("DPA"), available at https://dataspike.io/subprocessor-policy.

Subprocessor	Country	Purpose	Data Processed
Amazon Web Services (AWS)	EU (Stockholm; region depends on Client configuration)	Cloud infrastructure, data storage and processing	All personal data processed through the Service, including identity documents, biometric data, and verification results
Cloudflare	USA / EU	CDN, DDoS protection, traffic proxying	IP addresses, technical data, device information
Dojah	Nigeria	Identity data validation (Nigeria)	National identification number
IDScan	USA	Identity data validation (USA)	National identification number

Non-document verification providers (Dojah, IDScan) are engaged only where the Customer has explicitly enabled the relevant verification check. These checks are not active by default. Where Subprocessors are located outside the EEA or UK, Dataspike ensures that appropriate transfer safeguards are in place, as described in Section 4 below.

Dataspike ensures that all Subprocessors are bound by data protection obligations consistent with applicable law and no less protective than those set out in the DPA. In particular, Dataspike:

• conducts due diligence on all Subprocessors prior to engagement;
• enters into written data processing agreements with each Subprocessor;
• ensures appropriate safeguards are in place for any international data transfers, including Standard Contractual Clauses (SCCs) where required;
• regularly reviews Subprocessor compliance with applicable data protection obligations.

Where a Subprocessor is located outside the EEA or UK, Dataspike ensures that appropriate transfer mechanisms are in place, including:

• Standard Contractual Clauses (SCCs) adopted by the European Commission; or
• UK International Data Transfer Agreements (IDTAs) where applicable; or
• transfers to countries covered by an adequacy decision.

Dataspike may add or replace Subprocessors from time to time. Where such changes are made, Dataspike will:

• update this page at least thirty (30) days prior to the change taking effect;
• notify active Customers via email where the change may materially affect the processing of their data.

Customers who have entered into a DPA with Dataspike may object to a new Subprocessor within fourteen (14) days of receiving notice. If the objection cannot be resolved, the Customer may terminate the relevant part of the Service without penalty in accordance with the DPA.