Eventhub third party Data processors.

Appendix: Current Data Subprocessors

This appendix lists third-party vendors engaged to process personal data on our behalf in connection with providing our services. It supports transparency obligations under privacy laws and our Data Processing Agreement (DPA). For each subprocessor, we describe the service scope, typical data categories, processing locations, and key safeguards.

Summary Register

Subprocessor

Purpose / Service

Personal Data Categories

Primary Processing/Storage Locations

Safeguards & Notes

Stripe	Payments processing, billing, charge handling	Customer name (billing contact) Email and billing address Payment method tokens/last4 (no raw PAN stored by us)	Global infrastructure; regionalization per Stripe configuration	PCI DSS Level 1 processor DPA with SCCs where applicable
Westpac PayWay	Card payments gateway and settlement (AU)	Customer name (payer) Masked card details/token Transaction metadata (amount, currency, reference)	Australia-based processing with bank-grade infrastructure	PCI-aligned bank processor Contractual data minimization and tokenization
Mailgun	Transactional email delivery and routing	Recipient email addresses Email content (transactional templates, limited PII) Delivery metadata (timestamps, status, IP)	EU and US regions available; actual region per account setup. Eventhub uses EH	DPA with regional routing controls Content minimization; avoid sensitive data in emails
Plivo (SMS)	SMS messaging for notifications and one-time passcodes	Recipient phone numbers Message content (short notifications/OTP codes) Delivery metadata (status codes, operator route)	Global carrier network; regional hosting options vary by product	DPA and regionalization where offered Do not include sensitive data in SMS

Scope and Rationale

These subprocessors enable core payment, communication, and customer notification capabilities. We send only the minimum necessary personal data to deliver the service function, favoring tokenization and redaction to reduce exposure.

Controller vs. Processor Roles

We act as a processor for customer end-user data within our SaaS. Subprocessors act under our instructions to provide specific components (e.g., payment processing, email/SMS delivery). Where we are a controller (e.g., workforce or marketing operations), vendor engagements are governed by separate notices and agreements.

Operational Controls and Assurances

Data Processing Agreements: Executed with each vendor, including transfer safeguards (e.g., SCCs where relevant) and deletion/return commitments.
Access Minimization: Limit vendor access to least privilege via API scopes, service accounts, and scoped webhooks.
Regionalization: Prefer regional data routing/hosting options to align with customer commitments when available.
Security Evidence: Review vendor SOC 2/ISO attestations and security documentation on a periodic cadence.
Incident Integration: Include subprocessors in incident impact assessments and data subject request workflows.

Change Management

We maintain a notification process for material changes to subprocessors. Proposed additions or scope changes undergo risk and legal review prior to onboarding, with customer notifications per our DPA.

Owner and Contacts

Policy Owner: Data Protection Lead provacy@eventhub.com.au | Security/Compliance Co-owner: security@eventhub.com.au

Help center