The Justice Platform Ltd. t/a Legl (“Legl”) may engage and use certain third-party data processors in providing the Services, as described in the Legl Services Agreement (“LSA”). This Policy provides important information about the identity and role of each Sub-Processor. This Policy does not give Clients any additional rights or remedies and should not be construed as a binding agreement. The information herein is only provided to illustrate Legl’s engagement process for sub-processors as well as to provide the list of principal third-party sub-processors used by Legl in the delivery and support of the Services as at the date of this Policy. Terms used in this Policy but not defined have the meaning set forth in the LSA.

Due Diligence

Legl undertakes to use a commercially reasonable selection process by which it evaluates the security, privacy and confidentiality practices of proposed sub-processors.

Contractual Safeguards

Legl generally requires its sub-processors to satisfy equivalent obligations as those required by Legl as set forth in the LSA, including but not limited to the requirements to:

  • process Personal Data in accordance with data controller’s (i.e., Client’s) documented instructions (as communicated in writing to the relevant sub-processor by Legl);
  • comply with the Privacy Laws and any other legislation that may be applicable;
  • in connection with their sub-processing activities, use only personnel who are reliable and subject to a contractually binding obligation to observe data privacy and security, to the extent applicable, pursuant to applicable data protection laws;
  • provide regular training in security and data protection to personnel to whom they grant access to Personal Data;
  • implement and maintain appropriate technical and organisational measures
  • promptly inform Legl about any actual or potential security breach; and
  • cooperate with Legl in order to deal with requests from data controllers, data subjects or data protection authorities, as applicable.

Process to Engage New Sub-processors

Legl will provide notice via email or within your Legl environment of updates to this Policy, including updates to the list of sub-processors utilised or which Legl proposes to utilise to deliver its Services. Legl undertakes to keep this list updated regularly to enable its Clients to stay informed of the scope of sub-processing associated with the Services. A Client may object in writing to the processing of its Personal Data by a newly appointed sub-processor within ten calendar days following the update of this Policy and such objection shall describe Client’s legitimate reason(s) for objection. If a Client does not object during such time period, the new sub-processor(s) shall be deemed accepted.

Legl’s Sub-Processors

Legl’s sub-processors are best-in-class and have been selected based on their reliability and security. As of 16 July 2024 Legl’s principal sub-processors in respect of the Services include:

Sub-Processor Name
Processing Activities
Amazon Web Services EMEA SARL
Cloud services provider
Heroku Inc
Cloud services provider
Microsoft Ireland Operations Limited
Cloud services provider
Snowflake Inc
Cloud data services provider
Fivetran Inc
Data integration services
IVXS UK Ltd (ComplyAdvantage)
Identity verification solution
Creditsafe Business Solutions Limited
Business verification solution
Datadog, Inc.
Logging and monitoring services
Functional Software, Inc. d/b/a Sentry
Monitoring services
Email service provider
Dropbox International Unlimited Company (HelloSign)
eSignature solution
Equifax Limited
Identity verification solution
Onfido Limited
Identity verification solution
TrueLayer Limited
Account information service provider
Mitek Systems Inc
Identity verification solution
Dun & Bradstreet Limited
Business data solution

Legl’s Partners

Legl works with best in class payment service providers to power our payment administration system. Adyen N.V. and Stripe Payments Europe, Ltd. maintain PCI Level 1 certification, SOC 2 certification and are regulated by the Financial Conduct Authority (the “FCA”). Banked Ltd. provides open banking payment initiation services, and is also regulated by the FCA. Depending on the context of the processing, each of Adyen, Stripe and Banked act as either a controller or processor of Personal Data.

Updates to Our Sub-Processors and Partners

16 July 2024:
Addition of Mitek Systems Inc as an identity verification solution
Addition of Dun & Bradstreet Limited as a business data provider

Legl has engaged Mitek Systems as a new sub-processor to provide identity verification solutions as part of our KYC services. Mitek Systems are committed to the highest standards in compliance and security, demonstrating this with SOC 2 compliance and ISO 27001 certification.

Legl has engaged Dun & Bradstreet as a new sub-processor to provide business data as part of our KYB services. Dun & Bradstreet hold a suite of globally recognised compliance and security standards, including ISO 27001 and ISO 14001.

Further information

We don’t require you to take any action relative to this update – Legl will commence offering the additional services from the effective date provided above. In accordance with this Policy and the Privacy Laws, you have the right to object to the use of sub-processors. However, you must do so within ten days of this notice. If you choose to object or have any other questions, please reach out to us at [email protected] and we will be glad to assist you with your request.