Like most online platforms, Synap is a data processor and engages certain onward subprocessors that may process personal data submitted to Synap's services by the Customer. These subprocessors are listed below, with a description of the service and the location where data is hosted. This list may be updated by Synap from time to time.

Procedure for Appointing New Subprocessors

Synap takes great care when appointing new subprocessors - particularly if that subprocessor is going to be handling End-User or Customer Data. On the whole, our preference is to look for in-house solutions which can be housed directly in our existing AWS infrastructure, so that we are minimising the extent to which data is transferred between different providers.

When Synap is considering the appointment of a new subprocessor, the following criteria should be met:

1. The need for using a subprocessor should be established, and a case must be made why the desired functionality cannot be achieved, or would not be commercially viable, using Synap's own infrastructure.

2. The types and volume of data that the subprocessor would be processing should be established - this should include at a minimum, whether the subprocessor would be processing personal data of our customers or their end-users, the confidential information / intellectual property of our customers, and/or any 'special category' data.

3. The proposed subprocessor should be evaluated by Synap's Data Protection Manager, to determine whether such processing would be lawful (in accordance with the General Data Protection Regulation and Data Protection Act 2018), and in line with industry best practice. Specifically, we would look to ascertain:

   1. Does the subprocessor encrypt data, in-transit and at-rest, and are these measures in line with current industry standards?

   2. Is the subprocessor a valid legal entity, operating in a country with equivalent comparable data protection standards to the United Kingdom / European Union? If the subprocessor is not based in the UK/EU, do they warrant that data from EU customers on their platform, will be processed in accordance with the GDPR?

   3. What can be ascertained and verified about the subprocessor's reputation and standing within the industry? For example, are they a recognised market leader, are they used by other reputable companies, and do they have a history of publicised data breaches?

   4. What other options are available for tools of this category? Who are the subprocessor's competitors and are there any significant differences between them, from a data security perspective?

   5. What subprocessors does the proposed subprocessor use themselves, and do these meet the above criteria?

   6. What would be the impact on business continuity and our customers' data if the subprocessor were, either temporarily or permanently, taken offline, or if they suffered a data breach?

Synap's Data Protection Manager should use the above information to determine the risks and benefits of using the proposed subprocessor, along with an opinion on whether or not they meet the standard we require.

Review of Existing Subprocessors

Synap regularly reviews the use of, and agreements we have in place with our subprocessors. This takes place at a minimum every 12 months, however in practice this is more frequent given the evolving nature of cloud services and data protection law.

When re-evaluating an existing subprocessor, the same general principles as outlined in the 'Appointment' section above should be followed.

Subprocessor List

For All Synap Service Users

We use the following subprocessors for all Synap Users - including End-Users (e.g. Students/Candidates) as well as Admin Users.

• Amazon Web Services EMEA (EU) - AWS are a leading provider of cloud hosting services. We use their infrastructure to deliver the Synap platform. DPA.

• MongoDB (EU) - MongoDB provide cloud database solutions, we license their technology for use in on AWS infrastructure. DPA.

• Sendgrid (US) - Owned and operated by Twilio, Sendgrid is a leading provider of email delivery services. We use Sendgrid to send automated emails from the Synap platform (e.g. password resets requests, welcome emails and other notification-related emails). Info.

Optional Subprocessors

The following subprocessors are used on an opt-in basis, e.g. if you explicitly choose to use a certain part of the Synap platform

• Rosalyn Inc (US) - Rosalyn is a provider of live, AI-powered proctoring services. We integrate with their platform to offer a seamless proctored exam experience. Where Rosalyn is used, this is clearly indicated on your platform so you have the option of using or not using Rosalyn as you deem appropriate. Privacy Policy.

For Synap Admin Users Only

For Admin users of a Synap Service, we use additional subprocessors so that we can provide you with appropriate support and other services.

• Intercom (US) - A web-based chat and customer support provider

• Vitally (US) - A CRM tool that allows our team to administer training, onboarding and general support to our Customers (e.g. admin users of the Synap platform)

• Segment (US, with EU data center) - A customer data infrastructure tool that helps us to keep our customer data in sync and secure across different tools that we use

• Calendly (US) - A meeting-booking tool that helps our team to easily schedule meetings with our customers for training, support and account management purposes

• Stripe (US) - Payment processor used to process Credit/Debit card payments for Synap Customers

• GoCardless (US) - Payment processor used to process Direct Debit payments for Synap Customers

• Chargebee (US) - Subscription management tool that helps us to manage our Customer information and issue invoices and receipts

• Copper (US) - A CRM tool that allows our sales team to manage sales enquiries

• Mixpanel (US) - A web platform analytics tool for analysing how logged-in (admin) users interact with the Synap platform

• FullStory (US) - A session recording tool that helps us to understand how admin users are interacting with the Synap platform, and to identify common issues

Affiliates List

Synap's Data Processing Agreement makes reference to Synap Affiliates, defined as organisations controlled by, controlling or under common control in relation to Synap Learning Limited. At the time of writing, Synap does not have any Affiliate companies. If this changes in future (e.g. in the event Synap is acquired by, or acquires another company, or Synap establishes a a company in another jurisdiction), then notice will be given in accordance with our DPA and the Affiliate company will be listed here.