Legl’s Sub-Processor Policy

Last updated: 31 May 2023

The Justice Platform Ltd. t/a Legl (“Legl”) may engage and use certain third-party data processors in providing the Services, as described in the Legl Services Agreement (“LSA”). This Policy provides important information about the identity and role of each Sub-Processor. 

This Policy does not give Clients any additional rights or remedies and should not be construed as a binding agreement. The information herein is only provided to illustrate Legl’s engagement process for sub-processors as well as to provide the list of principal third-party sub-processors used by Legl in the delivery and support of the Services as at the date of this Policy.

Terms used in this Policy but not defined have the meaning set forth in the LSA.

Due Diligence

Legl undertakes to use a commercially reasonable selection process by which it evaluates the security, privacy and confidentiality practices of proposed sub-processors.

Contractual Safeguards

Legl generally requires its sub-processors to satisfy equivalent obligations as those required by Legl as set forth in the LSA, including but not limited to the requirements to:

  • process Personal Data in accordance with data controller’s (i.e., Client’s) documented instructions (as communicated in writing to the relevant sub-processor by Legl);
  • comply with the Privacy Laws and any other legislation that may be applicable; 
  • in connection with their sub-processing activities, use only personnel who are reliable and subject to a contractually binding obligation to observe data privacy and security, to the extent applicable, pursuant to applicable data protection laws;
  • provide regular training in security and data protection to personnel to whom they grant access to Personal Data;
  • implement and maintain appropriate technical and organisational measures 
  • promptly inform Legl about any actual or potential security breach; and
  • cooperate with Legl in order to deal with requests from data controllers, data subjects or data protection authorities, as applicable.

Process to Engage New Sub-processors

Legl will provide notice via email or within your Legl environment of updates to this Policy, including updates to the list of sub-processors utilised or which Legl proposes to utilise to deliver its Services. Legl undertakes to keep this list updated regularly to enable its Clients to stay informed of the scope of sub-processing associated with the Services.

A Client may object in writing to the processing of its Personal Data by a newly appointed sub-processor within ten calendar days following the update of this Policy and such objection shall describe Client’s legitimate reason(s) for objection. If a Client does not object during such time period, the new sub-processor(s) shall be deemed accepted. 

Legl’s Sub-Processors

Legl’s sub-processors are best-in-class and have been selected based on their reliability and security. As of 31 May 2023, Leg’s principal sub-processors in respect of the Services include:

Sub-Processor NameProcessing Activities
Amazon Web Services EMEA SARLCloud services provider
IVXS UK Ltd (ComplyAdvantage)Identity verification solution
Creditsafe Business Solutions LimitedBusiness verification solution
Equifax LimitedIdentity verification solution
Heroku IncCloud services provider
Onfido LimitedIdentity verification solution
Dropbox International Unlimited Company (HelloSign)eSignature solution
TrueLayer LimitedAccount information service provider

Legl’s Partners

Our payment administration system is powered by Stripe Payments Europe, Ltd., which maintains best in class PCI Level 1 certification and is regulated by the Financial Conduct Authority (the “FCA”). Banked Ltd. provides open banking payment initiation services, and is also regulated by the FCA.

Depending on the context of the processing, each of Stripe and Banked act as either a controller or processor of Personal Data.


Updates to Our Sub-Processors

13 April 2023: Appointment of Equifax as Sub-Processor

As of 27 April 2023, The Justice Platform Ltd t/a Legl (“Legl”) will be engaging Equifax Limited as a new sub-processor. Equifax provides consumers with a wide range of solutions including consumer credit monitoring and identity theft prevention. Legl will be using Equifax’s database to provide our clients with results for county court and bankruptcy judgements and debt collection searches. 

Equifax’s Commitment to Privacy 

Equifax is committed to being an industry leader in security and has obtained numerous security certifications and authorisations including PCI DSS, ISO 27001, SOC 1, SOC 2, and FISMA.  Further information about Equifax’s commitment to privacy, and how they manage compliance with their obligations can be found in their privacy policy here, and in their security annual report here

Further Information  

We don’t require you to take any action relative to this update – Legl will commence offering the additional services from the effective date provided above. In accordance with this Policy and the Privacy Laws, you have the right to object to the use of sub-processors. However, you must do so within ten days of this notice. 

If you choose to object or have any other questions, please reach out to us at [email protected] and we will be glad to assist you with your request.