Sub-processor List
Last updated: 3 July 2026 · Rubberdesk Pty Ltd · ABN: 18 163 716 247
1. About this Document
This sub-processor list sets out the third-party service providers that Rubberdesk engages to process Subscriber Personal Data in connection with the bolta.space platform. It is published in accordance with clause 9.5 of the Terms and Conditions, clause 7 of the Data Processing Addendum, Article 28 of the UK GDPR, and Australian Privacy Principle 8.
2. How We Notify You of Changes
Rubberdesk provides Subscribers with at least thirty (30) days’ prior written notice before engaging any new sub-processor. Notice is given by email to the administrative or billing contact for the Subscriber’s Account, by updating this published list (with the new sub-processor marked as “upcoming” until the effective date), and/or by in-product notification.
Subscribers may object to the engagement of a new sub-processor on reasonable data protection grounds within fifteen (15) days of receiving notice, by writing to privacy@bolta.space. The objection process is set out in clause 7.3 of the DPA.
3. Current Sub-processors
| Sub-processor | Category | Purpose | Location | Transfer Mechanism |
|---|---|---|---|---|
| Amazon Web Services, Inc. | Cloud hosting, infrastructure, and email delivery | Hosting of the Platform, application servers, databases (RDS), object storage, content delivery, and transactional email delivery (Amazon SES) | Australia, United Kingdom, United States | SCCs / IDTA for US transfers |
| Cloudflare, Inc. | Content delivery, edge security, and DDoS protection | Content delivery network, edge caching, web application firewall, and protection against denial-of-service attacks | Australia, United Kingdom, United States | SCCs / IDTA for US transfers |
| Stripe Payments Australia Pty Ltd | Payment processing | Subscription billing, multi-currency payment processing, card storage for recurring billing, invoicing, and tax calculation (Stripe Tax) | Australia, United States | SCCs for US processing |
| Twilio Inc. | SMS and voice communications | SMS delivery for phone verification, multi-factor authentication, and user-configured alerts (including shortlist updates and deal activity notifications) | United States | SCCs / IDTA |
| Anthropic PBC | Artificial intelligence | AI-assisted document extraction, property matching and shortlisting suggestions, market insight generation, and conversational AI assistance via the Claude API | United States | SCCs / IDTA |
| Google LLC | Mapping and geocoding | Geocoding of property addresses and deal search areas, interactive and static maps displayed in the Platform and in notices, address autocomplete, and timezone resolution (Google Maps Platform) | United States | SCCs / IDTA |
| Functional Software, Inc. (Sentry) | Error monitoring and analytics | Application error tracking, performance monitoring, diagnostic logging, and product analytics | Germany (European Union) | UK adequacy decision (EU); SCCs for AU–EU transfers |
Amazon SES is provided as part of Amazon Web Services and is included within the AWS entry above.
4. Categories of Data Processed
Depending on their function, sub-processors may process the following categories of Subscriber Personal Data: identification data (names, job titles, employers); contact data (email addresses, phone numbers, business addresses); account credentials (hashed or encrypted); professional data; property requirement and listing data (deals, shortlists, listings, attachments); communication content (messages, notes, support correspondence); technical data (IP addresses, device information, log data); and payment-related data (billing addresses, transaction records — card details are processed directly by Stripe and are not held by Rubberdesk).
No sub-processor receives Special Categories of Personal Data (UK GDPR) or Sensitive Information (Privacy Act 1988 (Cth)) under normal Platform operations.
5. International Data Transfers
Where a sub-processor processes data outside Australia or the United Kingdom, Rubberdesk relies on the safeguards set out in clause 11 of the DPA, including APP 8 reasonable steps for Australian transfers and the IDTA (or the EU SCCs UK Addendum) for UK GDPR transfers to countries without an adequacy decision.
6. Upcoming Changes
There are no upcoming sub-processor changes at the date of this list. When a new sub-processor is to be engaged, this page will be updated with the sub-processor’s name, category, purpose, location, transfer mechanism, and effective date, at least thirty (30) days before the engagement takes effect.
7. Contact
For questions about this list, or to raise an objection to a new sub-processor, contact the Privacy Officer at privacy@bolta.space.