Last updated on 5 July, 2025
This page lists all sub-processors and third-party service providers that Colloquial Solutions Pty Ltd ("Colloquial") engages to process personal data in connection with our services. This information is provided in accordance with our Data Processing Addendum (DPA) and ISO27001 compliance requirements.
All sub-processors listed below are engaged under written agreements that include appropriate data protection obligations consistent with our DPA and applicable data protection laws, including the General Data Protection Regulation (GDPR) and other relevant privacy legislation.
The table below provides details about each sub-processor, including their function, data processing location, and relevant compliance information.
| Sub-processor | Purpose | Location | Data Processed | Legal Basis | Additional Details |
|---|---|---|---|---|---|
 Airwallex | International payments and banking services | Australia/Global | Payment data, banking information, transaction records | Contract Performance | ISO 27001, PCI DSS certified. Global financial services compliance |
 Azure | Cloud infrastructure and hosting services | Global (Multiple Regions) | Application data, user data, system logs | Contract Performance | SOC 1/2/3, ISO 27001, GDPR compliant. Data residency controls available |
 Drata | Compliance and security monitoring | United States | Security logs, compliance data, audit trails | Legitimate Interest | SOC 2 Type II, ISO 27001 certified. Continuous monitoring |
 GitHub | Source code repository and development collaboration | United States | Source code, development data, user identifiers | Contract Performance | SOC 2 Type II, ISO 27001 certified. Enterprise security features |
 LaunchDarkly | Feature flag management and A/B testing | United States | Feature usage data, user identifiers, application metrics | Legitimate Interest | SOC 2 Type II certified. Data retention: 30 days |
 Pipedrive | Customer relationship management | Estonia (EU) | Customer contact data, sales information | Contract Performance | ISO 27001, GDPR compliant. EU-based data processing |
 Postmark | Transactional email delivery | United States | Email addresses, email content, delivery metrics | Contract Performance | SOC 2 Type II certified. GDPR compliant email processing |
 Sentry | Application performance monitoring and error tracking | United States | Error logs, performance data, user identifiers | Legitimate Interest | SOC 2 Type II certified. Data retention: 90 days |
 Shortcut | Project management and issue tracking | United States | Project data, task information, user identifiers | Contract Performance | SOC 2 Type II certified. Data retention: As configured |
 Stripe | Payment processing services | United States/Global | Payment data, billing information, transaction records | Contract Performance | PCI DSS Level 1, SOC 1/2 certified. Strong encryption and security |
 Xero | Accounting and financial management | New Zealand/Global | Financial data, invoicing information, business records | Contract Performance | SOC 2 Type II, ISO 27001 certified. Multiple data center locations |
All sub-processors are required to implement appropriate technical and organisational measures to ensure the security of personal data, including:
Data subjects maintain all rights under applicable data protection laws when their data is processed by our sub-processors, including:
This list is updated regularly to reflect changes in our sub-processor relationships. Any new sub-processors will be added to this list with appropriate notice to customers as required by our DPA.
Last updated: 5 July, 2025
For questions about our sub-processors or data processing practices, please contact us:
Colloquial maintains the following certifications and compliance frameworks:
For more information about our data processing practices, please refer to our Privacy Policy and Data Processing Addendum.
