What is a Subprocessor?

At Gorilla, we use a small set of trusted third-party service providers to help us operate our platform reliably, securely, and at scale. Some of these partners process customer data in order to provide infrastructure, customer support, analytics, or product functionality. When they do so on our behalf, they qualify as Subprocessors under the GDPR. Each one is contractually bound by obligations that match or exceed those in our Data Processing Agreement (DPA).

Data Location and Safeguards for International Transfers

Where possible, we use EU-based or EU-hosted infrastructure. When data must be processed outside the EEA, we rely on the European Commission’s Standard Contractual Clauses (SCCs) to ensure lawful transfer.

In addition to SCCs, Gorilla performs a risk-based due diligence process before engaging any non-EEA Subprocessor. This includes:

• Direct engagement with the Subprocessor’s security and data protection leadership (typically their CISO and/or DPO);
• A review of their technical and organizational measures (e.g. encryption practices, access control policies, audit reports);
• Alignment on contractual language that protects both Gorilla and its customers;
• Ongoing monitoring and periodic reassessments of their compliance posture.

This ensures we only work with vendors who meet our internal standards and customer expectations.

How to Receive Notifications About New Subprocessors

Customers may request notification of new Subprocessors by emailing legal@gorilla.security with the subject line: “Subscribe to Subprocessor Notifications.” Upon such request, Gorilla will notify you prior to onboarding any new Subprocessor and allow ten (10) days to raise a reasonable, good-faith objection.

List of Third-Party Subprocessors

Hosting & Infrastructure Partners

These Subprocessors provide the core infrastructure used to host and store Customer Personal Data.

Application Services

These Subprocessors support essential platform functionality, observability, and user-facing features.