Personr Pty Ltd (“Personr”) and its affiliates may engage trusted third-party service providers (the “sub-processors”) to support certain functions necessary for the delivery of our services and operation of our business. These sub-processors may process personal information on our behalf, in accordance with our contractual obligations and applicable privacy laws, including:
The Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs);
The General Data Protection Regulation (EU/UK GDPR);
The California Consumer Privacy Act (CCPA); and
The Biometric Information Privacy Act (BIPA).
Purpose and Scope
When acting as a data processor (under the GDPR), agent (under the Australian Privacy Principles), or service provider (under the CCPA), Personr ensures that any sub-processor it engages:
Acts only on documented instructions from Personr or its clients;
Processes personal information strictly for the purpose of delivering the contracted services; and
Is bound by written agreements that impose obligations equivalent to those set out in Personr’s own data protection commitments.
Sub-processors may access personal information from individuals undergoing verification or via our clients, but only to the extent necessary to fulfil their assigned roles. Where biometric or sensitive data is involved (e.g. identity verification), sub-processors are required to meet heightened standards consistent with BIPA and Article 9 of the GDPR.
Sub-Processor Selection and Oversight
Before engaging a sub-processor, Personr conducts robust due diligence to evaluate:
Security and privacy controls;
Legal and regulatory compliance (including cross-border safeguards); and
Their ability to meet contractual, operational, and technical standards.
All sub-processors are subject to data processing agreements that include confidentiality obligations, access limitations, data handling protocols, breach notification requirements, and, where applicable, international data transfer mechanisms such as Standard Contractual Clauses (SCCs) or the UK Addendum.
Engagement and Disclosure
Sub-processors may be engaged globally depending on the specific Personr product or service in use, and not all sub-processors are involved in every client relationship. Personr maintains a list of active sub-processors along with a description of the services they provide and will update this list as needed.
We do not provide individual notice to clients when we add, remove, or replace sub-processors. Instead, we:
Maintain a list of sub-processors on our website;
Encourage clients to monitor the list regularly for updates; and
Consider a client’s continued use of our services as acceptance of the use of listed and future sub-processors.
By continuing to use Personr services, you acknowledge and agree to the engagement of these sub-processors under the terms of this policy.
Cross-Border Data Transfers
Where sub-processors are located outside of the jurisdiction where the data subject resides (e.g. transfers from the EU/UK to Australia or the U.S.), Personr ensures that appropriate safeguards are in place in accordance with Chapter V of the GDPR or APP 8 under the Australian Privacy Act. This includes the use of SCCs, the UK Addendum, or reliance on adequacy decisions where applicable.
A list of sub-processors, including the services they support and descriptions of their processing activities, can be found below.