Skip to content

Subprocessors

Subprocessors

Subprocessors

Current as of 13 July 2026

Bily uses specialised service providers to deliver and support the Service. A subprocessor is a provider that processes customer personal data on Bily’s behalf when Bily acts as a processor. Not every provider used by Bily is a subprocessor, and a customer-selected destination can act independently under the customer’s own agreement.

Provider categories

  • Infrastructure and hosting. Application delivery, network services, storage, databases, compute, backup, and security functions needed to operate the Service.

  • Data processing and analytics. Event ingestion, transformation, aggregation, reporting, attribution, and operational data workflows requested by customers.

  • Billing and payments. Subscription administration, invoices, tax, payment authorisation, and commerce-platform billing.

  • Communications. Transactional email, support communication, onboarding, and service notices.

  • Monitoring, security, and support. Error diagnosis, reliability, abuse prevention, incident investigation, customer support, and audit records.

  • AI inference. Processing a prompt and the minimum selected context needed to return an AI-assisted result when an authorised user invokes that feature.

  • Professional services. Legal, accounting, security, or specialist advisers who may receive limited data subject to confidentiality.

Customer-directed integrations

Commerce platforms, advertising destinations, analytics tools, and other services selected and authorised by a customer are often customer-directed integrations rather than Bily subprocessors. Bily exchanges data with them on the customer’s instructions, but the customer’s agreement and the provider’s terms govern the destination’s independent processing.

Provider review

Bily evaluates providers in proportion to their role, the sensitivity and volume of data, access scope, security practices, contractual commitments, availability needs, transfer location, and ability to support deletion and rights requests. We limit provider access to what is reasonably necessary and use confidentiality, data-protection, security, and access terms appropriate to the service.

International transfers

Providers may operate in the United Kingdom, European Economic Area, United States, or other locations. Where required, the applicable contract package identifies the transfer mechanism. For UK restricted transfers, this may be an adequacy regulation, the ICO-approved International Data Transfer Agreement, or the ICO-approved UK Addendum to the EU Standard Contractual Clauses, supported by the required transfer assessment and supplementary measures. For EEA restricted transfers, this may include an adequacy decision or the applicable EU Standard Contractual Clauses and transfer assessment. A contract or product description may specify additional location commitments; this public page does not promise single-region residency.

Named vendor schedule

Because provider roles and product scope can change, this public page describes stable categories. Bily provides the current named subprocessor schedule to contracted customers and qualified prospects during data-protection or security diligence. We do not withhold named subprocessors from a customer that needs them to complete a lawful processor review.

Request the schedule from [email protected] with the organisation name, proposed or active service scope, and a contact responsible for privacy or security review.

Changes and objections

A customer with a signed data processing addendum may request notice of a new subprocessor as described in that addendum. A good-faith objection should identify the provider, the concrete data-protection concern, and a reasonable alternative. Bily will review the concern and work toward a commercially reasonable resolution, which may include limiting the affected feature or terminating the affected service if no reasonable alternative exists.

Relationship to the DPA

If a signed data processing addendum conflicts with this informational page, the signed addendum controls. See the DPA information page for the contract-review process.