Sub-Processors Register
RapidLaunch uses third-party sub-processors to deliver our services. Each sub-processor has been vetted for appropriate security measures and data protection safeguards. A Data Processing Agreement (DPA) is in place with each sub-processor.
We review this register annually and whenever a new sub-processor is added. Clients will be notified via email at least 30 days before any new sub-processor is engaged.
| Name | Location | Service | Data Accessed | Safeguards | DPA Status |
|---|---|---|---|---|---|
| HostArmada | Ireland (Dublin data centre) | Server hosting and infrastructure | All client website files, databases, email data, server access logs, backups | SOC 2 Type II compliant, ISO 27001 certified, encrypted storage, access controls, 24/7 physical security | Signed DPA in place (30 April 2026) |
| Stripe | Ireland (headquarters) / United States (processing) | Payment processing and billing | Billing name, billing address, payment card token (no raw card numbers stored by us) | PCI DSS Level 1 certified, tokenisation, encryption in transit and at rest, annual SOC 2 audits | Signed DPA in place via Stripe standard terms (GDPR compliant) |
| Google (Fonts CDN) | Ireland (serving from EU data centres) | Content delivery for Google Fonts | IP address (temporarily processed to serve font files; no cookies set) | Privacy Shield certified, EU data protection terms, Google does not log font requests persistently | Covered by Google's DPA with EU Standard Contractual Clauses |
| GitHub Inc. | United States (San Francisco, CA) | Code hosting and version control for RapidLaunch platform and generated client sites | Source code and configuration files. Does not include live customer personal data. May include deployment credentials for automated pipelines. | SOC 2 Type II certified, ISO 27001 certified, encryption at rest (AES-256) and in transit (TLS), access controls with 2FA, DPA with Standard Contractual Clauses | Covered by GitHub's DPA (Controller-Processor SCCs) |
How We Vet Sub-Processors
Before engaging any sub-processor, we conduct a data protection impact assessment that evaluates:
- Data protection compliance and certifications (SOC 2, ISO 27001, PCI DSS)
- Data processing location and international transfer safeguards
- Security measures (encryption, access controls, audit logging)
- Contractual protections (DPA terms, liability, data breach notification)
- Right to audit provisions
Objection Right
If you object to a sub-processor, you may terminate your contract without penalty, provided you notify us within 14 days of receiving the sub-processor notification.
Contact
For inquiries about our sub-processors, contact dpo@rapidlaunch.ie with subject "Sub-Processor Inquiry".