Transparency in Data Processing
This list includes all third-party services that may process your personal data on our behalf. We carefully vet each subprocessor and ensure they meet our strict security and privacy standards.
Overview
As part of providing our YouTube analytics and revenue optimization services, PrimeTime Media works with trusted third-party subprocessors. All subprocessors are required to:
- Provide appropriate data protection guarantees
- Implement adequate technical and organizational security measures
- Process data only on our documented instructions
- Maintain confidentiality of all personal data
- Assist with data subject rights requests
- Notify us immediately of any data breaches
- Submit to regular security audits and assessments
Categories of Subprocessors
- Infrastructure: Cloud hosting, storage, and computing services
- Analytics: Data analytics, YouTube API, and performance monitoring
- Payments: Payment processing and financial services
- Communication: Email, messaging, and customer support services
- Security: Security monitoring, protection, and compliance services
Current Subprocessors
The following table lists all current subprocessors, their services, data processing locations, and applicable data protection measures:
Subprocessor | Service Category | Services Provided | Data Location | Safeguards |
---|---|---|---|---|
Amazon Web Services (AWS), United States | Infrastructure | Cloud hosting, data storage, computing services, database management | United States, EU (configurable) | SOC 2, ISO 27001, GDPR-compliant, Standard Contractual Clauses |
Google LLC, United States | Analytics | YouTube Analytics API, Google Analytics, workspace services | Global (Google infrastructure) | ISO 27001, SOC 2, GDPR-compliant, Adequacy Decision (partial) |
Stripe, Inc., United States | Payments | Payment processing, revenue share distribution, financial reporting | United States, EU | PCI DSS Level 1, SOC 2, Standard Contractual Clauses |
Cloudflare, Inc., United States | Security | CDN, DDoS protection, web application firewall, DNS services | Global network | ISO 27001, SOC 2, Standard Contractual Clauses |
Mailgun Technologies, United States | Communication | Transactional email delivery, email API services | United States, EU | SOC 2, GDPR-compliant, Standard Contractual Clauses |
SendGrid (Twilio), United States | Communication | Marketing email campaigns, email automation, analytics | United States | SOC 2, ISO 27001, Standard Contractual Clauses |
Intercom, Inc., United States | Communication | Customer support chat, help desk, user messaging | United States, EU | SOC 2, GDPR-compliant, Standard Contractual Clauses |
Mixpanel, Inc., United States | Analytics | Product analytics, user behavior tracking, funnel analysis | United States, EU (configurable) | SOC 2, GDPR-compliant, Standard Contractual Clauses |
Hotjar Ltd., Malta (EU) | Analytics | User experience analytics, heatmaps, session recordings | European Union | EU-based, GDPR-compliant, ISO 27001 |
Sentry.io, United States | Security | Error monitoring, performance monitoring, application debugging | United States | SOC 2, Standard Contractual Clauses |
Calendly Corporation, United States | Communication | Meeting scheduling, calendar integration, appointment management | United States | SOC 2, GDPR-compliant, Standard Contractual Clauses |
Plausible Analytics, Estonia (EU) | Analytics | Privacy-focused website analytics, traffic analysis | European Union | EU-based, GDPR-compliant, Privacy-focused |
International Data Transfer Safeguards
For subprocessors located outside the European Economic Area (EEA), we implement appropriate safeguards to ensure adequate protection of personal data:
Transfer Mechanisms
- Standard Contractual Clauses (SCCs): EU-approved contractual terms for international data transfers
- Adequacy Decisions: Transfers to countries recognized by the EU as providing adequate protection
- Binding Corporate Rules: For multinational organizations with approved internal data transfer rules
- Certification Schemes: Transfers covered by approved certification mechanisms
Additional Safeguards
- Transfer Impact Assessments (TIAs) for all international transfers
- Encryption of data in transit and at rest
- Contractual obligations for data protection and security
- Regular monitoring and assessment of transfer conditions
- Right to suspend transfers if adequate protection cannot be ensured
EU Data Residency Options
Where technically feasible, we offer EU data residency options for European customers to minimize international data transfers.
Subprocessor Management Process
Selection Criteria
All subprocessors must meet strict requirements before being approved:
- Comprehensive security and privacy assessment
- Verification of appropriate technical and organizational measures
- Review of relevant certifications and compliance attestations
- Evaluation of data processing locations and transfer mechanisms
- Assessment of incident response and breach notification procedures
- Review of subcontractor agreements and data protection terms
Ongoing Monitoring
- Regular security assessments and compliance reviews
- Monitoring of security incidents and breach notifications
- Review of updated certifications and audit reports
- Assessment of any changes to services or data processing practices
- Periodic renegotiation of contracts and data protection terms
Performance Standards
- Service level agreements for availability and performance
- Security incident response time requirements
- Data breach notification timelines (within 24 hours to PrimeTime Media)
- Regular security reporting and compliance documentation
- Cooperation with audits and security assessments
Changes to Subprocessors
Addition of New Subprocessors
- 30-Day Notice: We provide at least 30 days' advance notice before engaging new subprocessors
- Due Diligence: Comprehensive security and privacy assessment of new subprocessors
- Contract Requirements: New subprocessors must agree to the same data protection obligations
- Customer Objection Rights: Customers may object to new subprocessors within 14 days of notification
Removal of Subprocessors
- Notification when subprocessors are removed or replaced
- Secure data return or deletion procedures
- Transition planning to minimize service disruption
- Verification of data deletion and destruction certificates
Changes to Existing Subprocessors
- Assessment of material changes to subprocessor services or practices
- Notification of changes that may affect data protection
- Renegotiation of contracts when necessary
- Updated risk assessments and transfer impact assessments
Customer Notification
We notify customers of subprocessor changes via email and updates to this page. Customers should monitor this list regularly and contact us with any concerns.
Subprocessor Questions
For questions about our subprocessors or data processing practices:
Data Protection Officer: dpo@primetime.media
Privacy Team: privacy@primetime.media
Security Team: security@primetime.media
Legal Department: legal@primetime.media
Subprocessor Objections: subprocessor-objections@primetime.media
Response Time: We respond to subprocessor inquiries within 48 hours.
Trusted Partner Network
We carefully select and monitor our subprocessors to ensure they meet the same high standards for security and privacy that we maintain. Your data is protected throughout our entire service ecosystem. 🔒