Subprocessors.
This is the policy we operate by. We publish it openly so prospective clients and partners can see how we work before they engage us. Final binding terms are negotiated and attached to each engagement.
What this page is.
This is the public inventory of third parties that SUMMIT REACH uses, or may engage, to process personal data on our behalf. It is published per GDPR Article 28(2) and is the canonical answer to the "who else touches our data?" question that comes up in every enterprise procurement review.
If we add a subprocessor that processes personal data, the list below is updated and a notice is posted at least 30 days before the new processor begins processing. Clients with an active DPA may object inside that window per the DPA's subprocessor clause.
Current subprocessors — corporate operations.
Used to run our own business. Not engagement-specific.
| Vendor | Purpose | Data category | Location |
|---|---|---|---|
| Google Workspace | Email, calendar, document collaboration | Contact + correspondence | US, EU (DPF) |
| 1Password Business | Credential vault | Team credentials only (not client data) | Canada, US |
| GitHub (Microsoft) | Source-code hosting + CI | Engineering metadata; client source under per-engagement DPA | US |
| Linear / Notion | Project tracking, internal docs | Engagement metadata; no production data | US |
| Stripe Atlas / payroll provider | Corporate finance & payroll | Internal HR — not client data | US |
Current subprocessors — site infrastructure.
Used to operate summitreachsoft.com itself.
| Vendor | Purpose | Data category | Location |
|---|---|---|---|
| Hosting provider | Serves the site over HTTPS | IP, user-agent, request logs (90-day max) | US (primary) |
| Cloudflare | CDN, DDoS protection, DNS | IP, user-agent, request logs | Global edge |
| Bunny Fonts | Font CDN (replaces Google Fonts) | Ephemeral edge logs only; no IP retention | EU (Slovenia) |
Engagement-specific subprocessors.
Each client engagement adds the subprocessors that engagement needs — typically the client's own cloud account (AWS, GCP, Azure), their own observability stack, and any third-party APIs they have asked us to integrate with. These are listed inside the per-engagement DPA and are not duplicated here, because they belong to the client and we are not the controller.
Professional advisors.
Accounting and legal counsel may receive personal data incidental to invoicing, dispute resolution, or compliance. They are bound by professional-confidentiality duty in addition to a signed NDA. They do not appear in the table above because their access is exception-only and event-driven, not continuous processing.
Recently removed.
None in the last twelve months. When a vendor is removed, the entry is annotated here with the removal date for at least one year before it is dropped from this page.
Change-notification commitment.
Material changes to this list are notified via:
- A revised version stamp at the top of this page.
- Direct email to the technical contact on every active client engagement.
- A 30-day window before the new subprocessor begins processing.
Questions.
Email privacy@summitreachsoft.com with a specific vendor name and we will tell you exactly what we send them and why.
Questions about this policy?
The text above describes how SUMMIT REACH LLC operates, in plain English. The final binding agreement between you and SUMMIT REACH LLC is whatever is signed at the bottom of your engagement, alongside this policy.
Questions or proposed changes? Email legal@summitreachsoft.com.