BitSight Technologies, Inc. (“Bitsight”) uses certain subprocessors (including Bitsight affiliates and third parties, as listed below) to process Personal Data to support Bitsight's provision of the Bitsight services. Prior to engaging any third party subprocessor, Bitsight performs diligence to evaluate their privacy, security, and confidentiality practices. For more information, see below.

Bitsight Group Subprocessors

| Name | Country |
| --- | --- |
| BitSight Technologies UK Limited | United Kingdom |
| BitSight Technologies France SAS | France |
| BitSight Technologies Singapore Pte. Ltd. | Singapore |
| NSEC Sistemas Informaticos S.A. | Portugal |
| Sixgill, USA Inc. | United States |
| Sixgill Ltd. | Israel |

Infrastructure and Service-Specific Subprocessors

The following table describes the legal entities engaged by Bitsight in the storage of a customer’s confidential information. Bitsight may also use additional services provided by these subprocessors to process a customer’s confidential information as needed to provide the Services.

| Name | Purpose | Hosting Location |
| --- | --- | --- |
| Abnormal AI, Inc. (abnormal.ai) | Email security platform that detects phishing and targeted threats in cloud email service. | United States |
| Amazon.com Inc. (AWS) (aws.amazon.com) | Hosts the Bitsight services, including all data, and connects underlying foundation models (via Bedrock) for CTI services. | United States; Ireland (Dependent on Vendor Risk Management customer hosting selection.) |
| Anthropic, PBC (anthropic.com) | AI platform provider for product features and assistance. | United States; Ireland (Dependent on Vendor Risk Management customer hosting selection.) |
| Google LLC (google.com) | Corporate email service (including for communicating with customers and storing documents). Services (e.g. Vertex) used to support generative artificial intelligence functionality within the Bitsight services. | United States |
| Forethought Technologies, Inc. (forethought.ai) | Platform to assist Bitsight in responding to customer support requests, including identifying escalation needs. | United States |
| MailChimp, Inc. (mailchimp.com) | Platform for email services used for product-related alerts. | United States |
| MixMax Inc. (mixmax.com) | Email platform for "Enable Vendor Access" notifications. | United States |
| Okta Inc. (okta.com) | Authentication platform for customers with single sign-on. | United States |
| OpenAI OpCo, LLC (openai.com) | AI platform provider for product features and assistance. | United States |
| Sendgrid Inc. (sendgrid.com) | Platform for email services used for product-related alerts. | United States |
| Zendesk Inc. (zendesk.com) | Platform to assist Bitsight in providing support to its customers. | United States |

Sales and Marketing Support

Bitsight may use the following subprocessors to support the sales and marketing of Bitsight's products.

| Name | How Service Uses Personal Data | Hosting Location |
| --- | --- | --- |
| ClickHouse, Inc. (clickhouse.com) | Observability and prompt management platform. | San Francisco, CA |
| Cybersel S.R.L (cybersel.eu) | Customers who purchase Bitsight products and services through Cybersel only may also receive support services from Cybersel. | Italy |
| Docusign Inc. (docusign.com) | Bitsight uses Docusign to process electronic signatures on customer contract documents. | United States |
| Gainsight Inc. (gainsight.com) | Gainsight integrates with Salesforce to assess engagement of accounts and support sales and marketing. | United States |
| Highspot, Inc. (highspot.com) | Sales enablement and content management platform for go-to-market teams. | United States |
| Hubspot, Inc. (hubspot.com) | Marketing engagement, customer communication, and relationship management. | United States |
| LeadCrunch, Inc. (leadcrunch.ca) | Lead generation platform. | San Diego, California |
| Monto A.I Ltd. (dba MontoPay) (montopay.com) | Business to business payment platform. | New York, NY |
| Nooks Communications, Inc. (www.nooks.ai) | Sales enablement platform. | San Francisco, CA |
| Salesforce.com inc. (salesforce.com) | SaaS platform for customer relationship management (including to store customer and prospect data and to provide marketing, billing, and other services). | United States |
| Salesloft, Inc. (salesloft.com) | Sales engagement and customer communication and relationship management. | United States |
| Slack Technologies Inc. (slack.com) | Bitsight uses Slack for internal communication, as well as sales and marketing support. | United States |
| Zoom Communications, Inc (zoom.us) | Cloud-based Video Conferencing Service Provider. | United States |

Analytics Support

Bitsight may use the following subprocessors for internal analytics of Bitsight’s services.

| Name | Purpose | Hosting Location |
| --- | --- | --- |
| Datadog Inc. (datadoghq.com) | Application performance monitoring. | United States |
| Fivetran, Inc. (Fivetran.com) | Data integration platform connection tool. | United States |
| Pendo.io Inc. (pendo.io) | A third-party analytics provider that assists Bitsight in capturing information about how users interact with the Service. Bitsight uses this information to analyze and improve the Services. | United States |
| Portkey, Inc. (portkey.ai) | AI gateway and observability platform for managing and monitoring LLM usage. | United States |
| Snowflake Inc. (snowflake.com) | Supports efficient provision and trend analysis of the Services and day-to-day business operations. | United States |

Cyber Threat Intelligence Services

In addition to the above, the following subprocessors may also be used to support Bitsight's provision of the Cyber Threat Intelligence (“CTI”) services to its customers.

| Name | Purpose | Hosting Location |
| --- | --- | --- |
| Coralogix, Inc. (coralogix.com) | Creating and maintaining logs. | United States |
| Elasticsearch B.V. (elastic.co) | Database management tool. | United States |
| Monday.com, Ltd. (monday.com) | Task management platform for tracking and assigning service requests. | United States |
| MongoDB, Inc. (mongodb.com) | Database management tool. | United States |
| Netcraft, Ltd. (netcraft.com) | Performing requested takedown services. | United Kingdom |

Due Diligence

Bitsight undertakes to use a commercially reasonable selection process by which it evaluates the security, privacy and confidentiality practices of proposed subprocessors.

Contractual Safeguards

Bitsight generally requires its subprocessors to adhere to obligations including but not limited to the requirements to:

  • Process personal data in accordance with data controller’s documented instructions;
  • In connection with their subprocessing activities, use only personnel who are reliable and subject to a contractually binding obligation to observe data privacy and security, to the extent applicable, pursuant to applicable data protection laws;
  • Provide regular training in security and data protection to personnel to whom they grant access to personal data;
  • Implement and maintain appropriate technical and organizational measures, including measures consistent with those to which Bitsight is contractually committed to adhering, to the extent they are relevant to the subprocessor’s processing of personal data on Bitsight’s behalf;
  • Promptly inform Bitsight about any actual or potential security breach; and
  • Cooperate with Bitsight in order to deal with requests from data controllers, data subjects or data protection authorities, as applicable.

This policy does not give customers any additional rights or remedies and should not be construed as a binding agreement. The information herein is only provided to illustrate Bitsight’s engagement process for subprocessors as well as to provide the actual list of third party subprocessors as of the date of this policy.

Data Transfers

Where Bitsight transfers personal data in connection with its Solutions, it does so in compliance with applicable data protection laws and regulations and utilizes the following safeguards and framework, as applicable:

  • Standard Contractual Clauses
  • EU-U.S. Data Privacy Framework (“DPF”), UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF
  • APEC CBPR (Cross Border Privacy Rules System) and PRP (Privacy Recognition for Processors)