Joqiva Subprocessors

Last updated: 2 June 2026 This Subprocessors page identifies third-party providers that Joqiva uses to process Customer Personal Data on behalf of Joqiva customers where Joqiva acts as processor. This page forms part of the Joqiva Data Processing Agreement available. Providers listed as approved subprocessors are approved only for the processing functions described on this page. Other providers used for Joqiva's own controller-side business operations may be described in the Privacy Policy, Cookie Policy, Refund Policy, Partner Terms or other relevant notices.

Joqiva is operated by FOP Mykola Marchuk Mykolaiovych, an individual entrepreneur registered in Ukraine, trading as Joqiva. Joqiva's current legal entity details, trading name, website, country of establishment, registered business address, correspondence address, registration information, UK VAT status, contact details, privacy contact and UK/EU representative information are maintained in the Legal Notice.

This page applies to third-party providers that process Customer Personal Data for Joqiva where Joqiva acts as processor under the Joqiva DPA. Customer Personal Data means personal data contained in customer, enquiry, job, quote, invoice, file, email, payment report, reminder, audit log, document, workspace and related operational data that Joqiva processes on behalf of a Joqiva customer. This page does not list every provider used only for Joqiva's own internal business administration where that provider does not process Customer Personal Data as a subprocessor. This page also does not list providers that act only as independent controllers for their own services, unless Joqiva includes them for transparency. Where a provider processes Customer Personal Data as a subprocessor, Joqiva lists the provider on this page with its processing function, data categories, relevant location categories and transfer information.

For Customer Personal Data: (a) the Joqiva customer is normally the controller; (b) Joqiva is normally the processor; and (c) the providers listed in the "Approved subprocessors" section may act as subprocessors. For account registration, subscription billing, support, security, website operation, service administration, legal compliance, internal product analytics, service analytics and Joqiva's own business operations, Joqiva may act as an independent controller. Those controller processing activities are explained in the Joqiva Privacy Policy.

Joqiva does not process, collect, hold, transfer, settle, control or transmit money owed by End Customers to Joqiva customers. End Customers pay directly into the Joqiva customer's bank account by bank transfer. Joqiva does not initiate bank transfers, access payment accounts, or instruct banks or payment institutions to move End Customer funds. Joqiva may display bank transfer instructions, allow End Customers to indicate that they have paid, record payment reports, record owner confirmation, show overdue invoice status and send reminders. Joqiva does not use a payment processor for End Customer invoice payments. Any subscription billing provider used by Joqiva is only for Joqiva subscription fees payable by Joqiva customers to Joqiva. Subscription billing must not be mixed with End Customer invoice payment tracking.

Joqiva provides a business workflow SaaS service. Customer Personal Data may be accessed by authorised Joqiva personnel or contractors from Joqiva operating locations, the United Kingdom and other locations described in the DPA for the purposes of providing, securing, supporting and maintaining the Service. Joqiva itself is not a subprocessor of its customers. This section is included for transparency because access to Customer Personal Data from outside the United Kingdom may be treated as an international transfer under applicable data protection law. Where required, international transfers involving Joqiva are addressed in the Joqiva DPA. Valid transfer mechanisms may include adequacy arrangements, UK transfer terms, standard contractual clauses, an applicable exception, or another lawful transfer mechanism available under applicable data protection law. Transfer risk assessments, data protection tests and supplementary measures may be used to support or assess a transfer mechanism where required, but they are not standalone transfer mechanisms.

The subprocessors below are approved for the listed purposes where Joqiva has an applicable vendor agreement, data processing agreement or equivalent data protection terms in place. A provider is not approved to process Customer Personal Data as a subprocessor unless it is listed in this section or added under the DPA's urgent-change process. 6.1 Supabase Provider: Supabase, Inc., or the applicable Supabase contracting entity under Joqiva's vendor terms. Service: Core platform services for account access, workspace records, files, permissions and related Service operation. Purpose of processing: Supabase is used to support core Service operation, including account access, workspace records, files, access controls, audit-related records and related operational functionality. Types of Customer Personal Data processed: Supabase may process Customer Personal Data stored or generated in Joqiva workspaces, including: (a) workspace user and access information; (b) customer and End Customer names; (c) customer and End Customer contact details; (d) enquiry, job, quote and invoice data; (e) invoice items and quote items; (f) quote acceptance and decline records; (g) payment workflow records and payment reports; (h) bank transfer instructions provided by the Joqiva customer; (i) files, PDFs and attachments; (j) payment evidence or payment proof files; (k) inbound email records linked to workspace data; (l) audit logs; (m) access logs and technical metadata; (n) integration and operational event records where stored in the platform; and (o) other Customer Personal Data submitted to or generated in the Service. Location of processing: Primary service region: United Kingdom. Support, security and operational processing may occur in other provider locations, including locations outside the United Kingdom, as described in Supabase's applicable terms and subprocessor information. Transfer safeguards: Supabase data processing terms or equivalent contractual terms, together with applicable transfer mechanisms such as adequacy arrangements, UK transfer terms, standard contractual clauses or another lawful transfer mechanism where required. Status: Approved core platform provider. 6.2 Twilio SendGrid Provider: Twilio SendGrid, through the applicable Twilio contracting entity under Joqiva's vendor terms. Service: Service email delivery, inbound email processing, email event processing and related communications services. Purpose of processing: Twilio SendGrid may be used to send service emails, workspace invitation emails, quote emails, invoice emails, reminders, account-related emails, delivery events, bounce handling, inbound email processing, inbound email attachments and related email metadata. Email delivery is handled through Twilio SendGrid. SMS delivery is handled through Twilio where SMS delivery is enabled. Types of Customer Personal Data processed: Twilio SendGrid may process Customer Personal Data contained in or related to emails, including: (a) sender and recipient names; (b) sender and recipient email addresses; (c) email subject lines; (d) email body content; (e) inbound email content; (f) email attachments; (g) quote or invoice links; (h) customer-facing page links; (i) reminder content; (j) delivery events; (k) bounce events; (l) open and click events where configured and lawful; (m) IP addresses; (n) timestamps; (o) message identifiers; and (p) related technical metadata. Open and click tracking: Open and click tracking is disabled by default. If Joqiva enables open tracking, click tracking or similar email tracking later, Joqiva will assess and implement applicable privacy, PECR, consent and disclosure requirements before enabling the feature. Location of processing: Provider locations used for communications, support, security or operational services, including locations outside the United Kingdom. Transfer safeguards: Twilio data processing terms or equivalent contractual terms, together with applicable transfer mechanisms such as adequacy arrangements, UK transfer terms, standard contractual clauses, approved certification or another lawful transfer mechanism where required. Status: Approved email communications provider. 6.3 Twilio Provider: Twilio Inc., or the applicable Twilio contracting entity under Joqiva's vendor terms. Service: SMS communications provider. Purpose of processing: Twilio may be used to send customer-facing quote links and related service messages by SMS and to process related SMS delivery status information. Twilio is used for SMS communications only. Twilio is not used for Joqiva SaaS subscription billing or End Customer invoice payments. Types of Customer Personal Data processed: Twilio may process Customer Personal Data needed to deliver and track SMS messages, including: (a) recipient phone number; (b) SMS message content required to deliver the customer-facing quote link or related service message; (c) SMS delivery status metadata; (d) timestamps; (e) message identifiers; and (f) related technical metadata. SMS delivery: SMS delivery is an attempted communication and may generate delivery status information. Joqiva does not promise that every SMS will be delivered. Location of processing: Provider locations used for communications, support, security or operational services, including locations outside the United Kingdom. Transfer safeguards: Twilio data processing terms or equivalent contractual terms, together with applicable transfer mechanisms such as adequacy arrangements, UK transfer terms, standard contractual clauses, approved certification or another lawful transfer mechanism where required. Status: Approved SMS communications provider for customer-facing quote links and related service messages. 6.4 OpenAI Provider: OpenAI, through the applicable OpenAI contracting entity and affiliates under Joqiva's vendor terms. Service: AI-assisted processing provider. Purpose of processing: OpenAI may be used to provide AI-assisted draft enquiry extraction and related draft assistance features. AI-assisted features may help extract, classify, summarise or draft fields from emails, messages, attachments or related content submitted to the Service. AI-assisted output is draft-only. It does not create final jobs, final quotes, final invoices, final customer communications or final business decisions automatically. Types of Customer Personal Data processed: OpenAI may process Customer Personal Data submitted for AI-assisted processing, including: (a) email subject lines; (b) email body content; (c) sender and recipient details; (d) customer names; (e) business names; (f) email addresses; (g) phone numbers; (h) service addresses; (i) job descriptions; (j) enquiry details; (k) customer messages; (l) notes submitted by Joqiva users; (m) attachments where AI processing of attachments is enabled or required for the feature; (n) extracted draft fields; (o) AI-assisted output; (p) timestamps; and (q) related technical metadata. Training and model improvement: Joqiva does not authorise OpenAI to use Customer Personal Data submitted through Joqiva to train or improve general models unless Joqiva expressly states otherwise and has a lawful basis and required authorisation. Retention: OpenAI retention depends on the applicable OpenAI terms, account configuration, feature and retention controls. Joqiva will configure AI-assisted processing to minimise unnecessary retention and avoid storing AI provider responses as Joqiva business records where not needed. Location of processing: Provider locations used for AI-assisted processing, support, security or operational services, including locations outside the United Kingdom, unless a specific data residency arrangement applies. Transfer safeguards: OpenAI data processing terms, standard contractual clauses, UK transfer terms or another lawful transfer mechanism where required. Status: Approved AI service provider for AI-assisted draft enquiry extraction where the feature is enabled. 6.5 Vercel Provider: Vercel Inc., or the applicable Vercel contracting entity under Joqiva's vendor terms. Service: Frontend hosting, deployment, static asset delivery, edge delivery and related platform services. Purpose of processing: Vercel may be used to host and deliver Joqiva web pages, frontend application assets, customer-facing pages, deployment previews where approved, routing, request handling, operational logging and related platform diagnostics. Types of Customer Personal Data processed: Vercel may process limited Customer Personal Data and service metadata where it appears in requests, responses, routes, logs or diagnostics, including: (a) IP addresses; (b) browser and device information; (c) route, page and request metadata; (d) customer-facing page access metadata; (e) account or workspace identifiers where included in application requests; (f) error and diagnostic metadata; and (g) other Customer Personal Data necessarily transmitted through hosted frontend services. Location of processing: Provider locations used for hosting, edge delivery, support, security and operational services, including locations outside the United Kingdom. Transfer safeguards: Vercel data processing terms or equivalent contractual terms, together with applicable transfer mechanisms such as adequacy arrangements, UK transfer terms, standard contractual clauses or another lawful transfer mechanism where required. Status: Approved frontend hosting and deployment provider. 6.6 DigitalOcean Provider: DigitalOcean, LLC, or the applicable DigitalOcean contracting entity under Joqiva's vendor terms. Service: Application infrastructure, API hosting, worker hosting, networking, storage and related operational services. Purpose of processing: DigitalOcean may be used to host Joqiva application services, API services, background workers, scheduled jobs, networking, operational logs and related infrastructure required to provide, secure and maintain the Service. Types of Customer Personal Data processed: DigitalOcean may process Customer Personal Data transmitted through or stored temporarily by hosted Joqiva services, including: (a) account and workspace request metadata; (b) customer and End Customer names and contact details where processed through application services; (c) enquiry, job, quote and invoice data where processed through application services; (d) files, PDFs, email content, attachments and payment proof data where processed through application services; (e) logs, events and operational metadata; and (f) other Customer Personal Data necessary for Service operation. Location of processing: Provider locations used for infrastructure, support, security and operational services, including locations outside the United Kingdom. Transfer safeguards: DigitalOcean data processing terms or equivalent contractual terms, together with applicable transfer mechanisms such as adequacy arrangements, UK transfer terms, standard contractual clauses or another lawful transfer mechanism where required. Status: Approved application infrastructure provider. 6.7 Cloudflare Provider: Cloudflare, Inc., or the applicable Cloudflare contracting entity under Joqiva's vendor terms. Service: DNS, CDN, WAF, security, traffic routing, bot protection, Turnstile and related edge services. Purpose of processing: Cloudflare may be used for DNS, traffic routing, edge security, abuse prevention, web application firewall protection, DDoS protection, TLS termination, bot checks, Turnstile verification and related service reliability functions. Types of Customer Personal Data processed: Cloudflare may process limited Customer Personal Data and request metadata, including: (a) IP addresses; (b) request URLs, routes, headers and timestamps; (c) browser and device information; (d) security signals and bot-prevention tokens; (e) customer-facing page access metadata; and (f) other data necessarily transmitted through edge security and routing services. Location of processing: Provider edge, security, support and operational locations, including locations outside the United Kingdom. Transfer safeguards: Cloudflare data processing terms or equivalent contractual terms, together with applicable transfer mechanisms such as adequacy arrangements, UK transfer terms, standard contractual clauses or another lawful transfer mechanism where required. Status: Approved edge security, DNS and traffic protection provider. 6.8 Sentry Provider: Functional Software, Inc. dba Sentry, or the applicable Sentry contracting entity under Joqiva's vendor terms. Service: Error monitoring, performance diagnostics and operational issue triage. Purpose of processing: Sentry may be used to identify, diagnose, investigate and resolve application errors, reliability issues and security-relevant operational incidents. Types of Customer Personal Data processed: Sentry may process limited diagnostic data where it appears in error events or performance traces, including: (a) IP addresses where collected; (b) browser, device and runtime information; (c) route and request metadata; (d) user, account or workspace identifiers where configured; (e) error messages, stack traces and diagnostic context; and (f) limited Customer Personal Data accidentally included in error context despite Joqiva's minimisation controls. Location of processing: Provider locations used for monitoring, support, security and operational services, including locations outside the United Kingdom. Transfer safeguards: Sentry data processing terms or equivalent contractual terms, together with applicable transfer mechanisms such as adequacy arrangements, UK transfer terms, standard contractual clauses or another lawful transfer mechanism where required. Status: Approved error monitoring and diagnostics provider. 6.9 PostHog Cloud EU Provider: PostHog Cloud EU, through the applicable PostHog contracting entity under Joqiva's vendor terms. Service: Limited website and product analytics where configured. Purpose of processing: PostHog Cloud EU may be used for limited website and product analytics, usage metrics, feature usage measurement, service improvement, conversion measurement and consent-aware analytics where configured. Types of Customer Personal Data processed: PostHog Cloud EU may process limited analytics event metadata, including: (a) event names; (b) route or page groups; (c) feature names; (d) safe account, user or workspace identifiers where configured; (e) plan or subscription status; (f) timestamps; (g) browser and device information; and (h) consent or analytics-storage state. Joqiva does not intentionally send customer quote content, invoice content, payment proof content, bank details, payment instructions, AI source input or output, email bodies, customer names, customer email addresses, customer phone numbers, credentials, secrets or full URLs containing access information to PostHog Cloud EU. Location of processing: PostHog Cloud EU service locations in the European Economic Area and provider support, security or operational locations described in PostHog's applicable terms. Transfer safeguards: PostHog data processing terms or equivalent contractual terms, together with applicable transfer mechanisms such as adequacy arrangements, UK transfer terms, standard contractual clauses or another lawful transfer mechanism where required. Status: Approved limited analytics provider. 6.10 Paddle Billing Provider: Paddle.com Market Limited, Paddle.com Inc. or another applicable Paddle contracting entity under Joqiva's vendor terms. Service: Joqiva SaaS subscription billing, checkout, invoices, taxes, payment method handling, refunds, billing support and related billing administration. Purpose of processing: Paddle Billing may be used to process Joqiva subscription fees, manage hosted checkout, subscription status, invoices, taxes, payment attempts, payment method handling, refunds, chargebacks, billing support and billing records. Paddle Billing is not used for End Customer invoice payments or customer invoice bank-transfer payment tracking. Types of Customer Personal Data processed: Paddle Billing may process billing and subscription data, including: (a) billing contact name; (b) billing email; (c) billing address; (d) business name; (e) VAT or tax details; (f) subscription plan, renewal status and payment status; (g) payment method metadata handled by Paddle; (h) invoices, receipts, refunds and disputes; (i) safe billing-provider identifiers; and (j) related tax, anti-fraud and support metadata. Location of processing: Provider locations used for billing, tax, support, security and operational services, including locations outside the United Kingdom. Transfer safeguards: Paddle data processing terms or equivalent contractual terms, together with applicable transfer mechanisms such as adequacy arrangements, UK transfer terms, standard contractual clauses or another lawful transfer mechanism where required. Status: Approved Joqiva SaaS subscription billing provider. 6.11 Impact.com Provider: Impact Tech, Inc., Impact.com or the applicable Impact.com contracting entity under Joqiva's vendor terms. Service: Affiliate attribution, partner programme administration, conversion validation, fraud prevention and commission approval. Purpose of processing: Impact.com may be used to administer Joqiva partner programme applications, affiliate attribution, partner tracking links, conversion validation, fraud prevention, commission approval, reversal handling and related partner programme administration. Impact.com is not used for End Customer invoice payments, customer invoice bank-transfer payment tracking, customer invoice contents, workspace business contents or customer-facing quote/invoice data. Types of Customer Personal Data processed: Impact.com may process limited partner programme and affiliate data, including: (a) partner applicant name, business name and contact details; (b) partner website, profile or channel information; (c) affiliate click or reference identifiers; (d) conversion references; (e) eligible Joqiva SaaS subscription amount and currency; (f) plan group; (g) commission status; (h) reversal reason where applicable; and (i) fraud-prevention metadata. Location of processing: Provider locations used for partner programme, support, security and operational services, including locations outside the United Kingdom. Transfer safeguards: Impact.com data processing terms or equivalent contractual terms, together with applicable transfer mechanisms such as adequacy arrangements, UK transfer terms, standard contractual clauses or another lawful transfer mechanism where required. Status: Approved affiliate and partner programme provider. 6.12 Ideal Postcodes Provider: Ideal Postcodes, or the applicable Ideal Postcodes contracting entity under Joqiva's vendor terms. Service: Address lookup and postcode search services. Purpose of processing: Ideal Postcodes may be used to provide address lookup, postcode search, address selection and related address-normalisation functionality where those features are enabled. Types of Customer Personal Data processed: Ideal Postcodes may process address lookup data, including: (a) postcode or address search text; (b) selected address results; (c) service address details entered by Joqiva users; (d) IP addresses and request metadata; and (e) related technical metadata. Location of processing: Provider locations used for address lookup, support, security and operational services, including locations outside the United Kingdom. Transfer safeguards: Ideal Postcodes data processing terms or equivalent contractual terms, together with applicable transfer mechanisms such as adequacy arrangements, UK transfer terms, standard contractual clauses or another lawful transfer mechanism where required. Status: Approved address lookup provider where address lookup features are enabled.

Joqiva has appointed Euverify Ltd (UK) and Euverify Ltd (Ireland) as UK and EU GDPR Article 27 representatives. These representatives act as contact points for UK/EU GDPR matters and data protection requests where applicable. They are not Joqiva's data protection officer, controller, processor, subprocessor, UK branch, EU branch, registered office or establishment. Provider: Euverify Ltd (UK) Purpose: UK GDPR Article 27 representative and secure GDPR request portal. Location: United Kingdom Provider: Euverify Ltd (Ireland) Purpose: EU GDPR Article 27 representative for EEA individuals where EU GDPR applies and secure GDPR request portal. Location: Ireland Contact: gdpr@euverify.com Portal: https://gdpr.euverify.com/verify/280fd1c9-68eb-438f-a2cd-92302bb9129e

8.1 Analytics provider Joqiva may use an analytics provider for Joqiva's own website, product analytics and service improvement purposes, as described in the Privacy Policy and Cookie Policy. Analytics processing is normally controller-side Joqiva processing unless Joqiva expressly states that the provider processes Customer Personal Data as a subprocessor. Joqiva does not intentionally send customer quote content, invoice content, payment proof content, bank details, payment instructions, AI source input or output, email bodies, customer names, customer email addresses, customer phone numbers, credentials, secrets or full URLs containing access information to analytics providers. 8.2 Subscription billing provider Joqiva may use a billing provider or merchant of record to process Joqiva subscription fees, invoices, payment attempts, payment status, tax information, refunds and billing support information. Subscription billing is separate from End Customer invoice payments. Billing providers are not used for customer invoice bank-transfer payment tracking. Billing-provider processing is normally Joqiva controller-side processing, as described in the Privacy Policy and Refund Policy, unless Joqiva expressly states that the provider processes Customer Personal Data as a subprocessor. 8.3 Affiliate and partner programme provider Joqiva may use an affiliate network or partner programme provider to administer partner applications, attribution, conversion validation, fraud prevention and commission approval. Affiliate and partner programme processing is normally Joqiva controller-side processing, as described in the Privacy Policy and Partner Terms. Customer invoice payments are not commissionable and are not processed through Joqiva, subscription billing providers or affiliate networks. Joqiva does not intentionally disclose Customer Personal Data contained in workspace business records to affiliate networks or partner programme providers unless that processing is lawful, necessary, documented and reflected on this page where required.

Joqiva may add, replace or remove subprocessors in accordance with the DPA. Future subprocessors may include providers for core service operation, security, reliability, support, communications, file review or scanning, analytics, subscription billing, AI-assisted processing or other Service functions. A provider is not approved to process Customer Personal Data as a subprocessor unless it is listed as an approved subprocessor on this page or is added under the DPA's urgent-change process. Where Joqiva makes a material change to subprocessors that process Customer Personal Data, Joqiva will provide notice and an opportunity to object as described in the DPA.

Joqiva does not process, collect, hold, transfer, settle, control or transmit money owed by End Customers to Joqiva customers. End Customers pay directly into the Joqiva customer's bank account by bank transfer. Joqiva does not use a payment processor for End Customer invoice payments. Any subscription billing provider used by Joqiva is used only for Joqiva subscription fees and is separate from End Customer invoice payment tracking. Communications providers such as Twilio SendGrid and Twilio are not used to process End Customer invoice payments.

Before engaging a subprocessor that may process Customer Personal Data, Joqiva assesses, as appropriate: (a) the purpose of processing; (b) the categories of Customer Personal Data involved; (c) the categories of data subjects involved; (d) the provider's role and instructions; (e) security measures; (f) confidentiality obligations; (g) access controls; (h) data location and transfer safeguards; (i) retention and deletion commitments; (j) breach notification process; (k) subcontracting and onward transfer terms; (l) availability of a data processing agreement or equivalent terms; and (m) whether the provider offers sufficient guarantees to support Joqiva's obligations under the DPA.

Where Joqiva uses a subprocessor to process Customer Personal Data, Joqiva will put in place a written contract or equivalent legal terms requiring the subprocessor to protect Customer Personal Data. Those terms must require the subprocessor to: (a) process Customer Personal Data only for the documented purposes and services for which the subprocessor is engaged; (b) process Customer Personal Data only under appropriate instructions; (c) maintain appropriate confidentiality; (d) use appropriate technical and organisational measures; (e) assist with data protection obligations where applicable; (f) support deletion, return or retention controls as required by applicable law and the DPA; (g) notify Joqiva of relevant personal data breaches where required; and (h) impose substantially equivalent protections on any approved onward subprocessors where required by applicable data protection law. Joqiva remains responsible to the Joqiva customer for the performance of its subprocessors as set out in the DPA.

Joqiva and its subprocessors may process or access Customer Personal Data from countries outside the United Kingdom. Where required by applicable data protection law, Joqiva will use an appropriate transfer mechanism, which may include: (a) adequacy arrangements; (b) UK transfer terms or addenda; (c) standard contractual clauses; (d) approved certification, rules or equivalent safeguards where applicable; (e) an applicable exception where lawful and proportionate; (f) another lawful transfer mechanism permitted by applicable data protection law. Where Joqiva or the relevant party relies on appropriate safeguards rather than adequacy regulations or an exception, Joqiva will carry out or rely on an appropriate transfer risk assessment, data protection test or equivalent assessment where required. Supplementary technical, contractual or organisational measures may be applied where needed to support the relevant transfer mechanism. Joqiva will assess international transfers in light of the nature of the data, the provider, the destination country, the processing activity and the safeguards available.

Joqiva may add or replace subprocessors from time to time. Where Joqiva makes a material change to subprocessors that process Customer Personal Data under the DPA, Joqiva will provide notice before the change takes effect where reasonably possible. Notice may be provided by: (a) updating this page; (b) emailing the workspace owner or account contact; (c) providing an in-app notice; (d) posting a notice on the Joqiva website; or (e) sending notice to customers who have requested subprocessor change notices. To request subprocessor change notices, use the privacy or legal contact details in the Legal Notice with the subject line "Subprocessor notices".

If you are a Joqiva customer and you object to a new or replacement subprocessor on reasonable data protection grounds, you must notify Joqiva in writing before the effective date stated in the notice. If no effective date is stated, you must notify Joqiva within 30 days after the notice. Your objection must explain the specific data protection grounds for the objection. Joqiva will review the objection in good faith and may, where reasonable and technically possible: (a) provide further information about the subprocessor; (b) provide information about safeguards; (c) suggest a workaround; (d) disable the affected feature; (e) delay the change for the objecting customer where feasible; (f) allow cancellation of the affected paid Service; or (g) take another reasonable step. If Joqiva cannot reasonably resolve the objection and the subprocessor is necessary to provide the Service, Joqiva may permit you to cancel the affected Service in accordance with the Terms of Service and DPA. Continued use of the affected Service after the effective date of a subprocessor change may be treated as authorisation of the subprocessor, unless you have made a valid unresolved objection before that date.

Joqiva may add or replace a subprocessor without the usual advance notice where necessary to address an urgent security, legal, operational, availability or service continuity issue. In that case, Joqiva will provide notice as soon as reasonably practicable.

Joqiva's subprocessors may use their own subprocessors. Where a Joqiva subprocessor uses its own subprocessors, Joqiva relies on the contractual commitments, data processing terms, security measures and subprocessor controls provided by that vendor. Joqiva does not reproduce every vendor subprocessor chain on this page, but may refer to the vendor's own subprocessor list, data processing terms, trust centre or security documentation where appropriate. Joqiva remains responsible to the Joqiva customer for subprocessors as described in the DPA and applicable data protection law.

Joqiva configures subprocessors so that they process only the Customer Personal Data reasonably necessary for the relevant service. Joqiva also seeks to avoid sending unnecessary Customer Personal Data to monitoring, analytics, support, AI, logging, billing or partner programme providers. Joqiva does not intentionally send customer quote content, invoice content, payment proof content, bank details, payment instructions, AI source input or output, email bodies, customer names, customer email addresses, customer phone numbers, credentials, secrets or full URLs containing access information to providers unless necessary for the relevant Service function, lawful, documented and covered by the DPA or another applicable legal basis. Where email or SMS delivery is used, the communications provider may receive message content containing a customer-facing link because that is necessary to deliver the message to the intended recipient. Customers should not submit unnecessary sensitive personal data, special category personal data, criminal offence data, children's data, full payment card details, passwords or irrelevant personal data into Joqiva.

For questions about subprocessors, international transfers or this page, use the contact details maintained in the Legal Notice. The current privacy contact and legal contact are listed in the Legal Notice.