Sub-Processors

Agile Lab maintains transparency about all sub-processors involved in delivering the Witboost platform.

Sub-Processor Policy

Agile Lab applies strict controls to sub-processor management:

Data Processing Agreements

All sub-processors are bound by Data Processing Agreements that impose equivalent data protection obligations, including:

  • Process personal data only on documented instructions from the controller
  • Confidentiality commitments for all personnel with access to personal data
  • Appropriate technical and organisational measures (Art. 32 GDPR)
  • Assistance with data subject rights and breach notification
  • Deletion or return of all personal data upon termination

Prior Approval (Opt-In)

Agile Lab operates an opt-in procedure for sub-processor changes:

  • Any new or replacement sub-processor requires explicit prior written approval from the customer
  • Full information provided: identity, location, scope of processing, security measures
  • Minimum 14 business days review period
  • No change takes effect without documented customer consent

Extraordinary Termination Right

The customer has an extraordinary termination right in the event of a sub-processor change that is not approved:

  • Agile Lab notifies the customer at least 30 days in advance
  • If the customer objects with legitimate data-protection grounds, Agile Lab will withdraw the change or offer an alternative
  • If no resolution is reached, the customer may terminate the affected service component

Access Controls for Sub-Processor Personnel

All access by sub-processor personnel is governed by:

  • Auditable access management — All grants and revocations are logged with timestamps, requester identity, and approver identity
  • Periodic access reviews — Permissions are reviewed regularly to ensure minimum-necessary access
  • Audit availability — Access logs are retained and available for customer audit upon request

Third-Country Sub-Processors

For any sub-processor located outside the EU/EEA:

Safeguard                    | Implementation
-----------------------------|--------------------------------------------------
Standard Contractual Clauses | EU SCCs per Decision (EU) 2021/914
Supplementary Measures       | Encryption, pseudonymisation, access controls
Traceable Controls           | Four-eyes principle, auditable access logs

OAuth2 Provider Clarification

The customer's identity provider (e.g., Entra ID, Okta) is not a sub-processor of Agile Lab:

  • It is the customer's own system, managed by the customer or their IT service partner
  • Agile Lab does not select, control, or operate the identity provider
  • It does not qualify as a sub-processor under GDPR Article 28

The current sub-processor list is available upon request. Contact security@agilelab.it.