1. Purpose and Scope
This Sub-Processor List is published by DONE MENAT FZCO ("DONE") in accordance with Clause 9 of the Data Processing Addendum ("DPA") and Section 8 of the Privacy Policy, both available at www.done.fyi.
A sub-processor is any third-party entity engaged by DONE to process personal data on behalf of DONE's clients in connection with the delivery of the DONE platform and associated services. DONE engages sub-processors solely to provide, maintain, secure, and improve its platform. All sub-processors are bound by contractual data protection obligations that are no less protective than those imposed on DONE under the DPA.
This list identifies all current sub-processors engaged by DONE as of the effective date above. DONE will update this list whenever a sub-processor is added, changed, or removed, and will provide clients with not less than thirty (30) days' prior written notice of any such change in accordance with Clause 9.3 of the DPA.
2. Current Sub-Processors
| Sub-Processor | Country | Service Provided | Data Processed | Transfer Mechanism |
|---|---|---|---|---|
| DigitalOcean, LLC | United States (data centres: multiple regions) | Primary cloud infrastructure provider. Provides hosting, storage, compute, and networking services on which the DONE platform runs. | All personal data processed within the DONE platform, including client account data, learner profiles, course content, completion records, and user-generated content. | EU SCCs (Controller-to-Processor Module) / UK IDTA where applicable. DigitalOcean is ISO 27001 certified and SOC 2 Type II attested. |
| Cloudflare, Inc. | United States (global CDN network) | Content delivery network (CDN), DDoS mitigation, DNS management, SSL termination, and web application firewall. Deployed in conjunction with DigitalOcean infrastructure to secure and accelerate content delivery. | IP addresses, request metadata, and traffic data processed in transit. Cloudflare does not have persistent access to platform personal data or learner content. | EU SCCs / UK IDTA where applicable. Cloudflare participates in the EU-US Data Privacy Framework. |
| Google LLC (Google Analytics) | United States | Web and platform analytics. Collects aggregated and anonymised usage data to help DONE understand how the website and platform are used and to support product improvement. | Anonymised usage data, IP addresses (anonymised at collection), device identifiers, session data, and navigation paths. No learner personal data from client academies is transmitted to Google Analytics. | EU SCCs / UK IDTA where applicable. Google participates in the EU-US Data Privacy Framework. IP anonymisation is enabled. |
| Stripe, Inc. | United States | Payment processing and billing infrastructure. Processes all client subscription payments and manages payment method tokenisation on behalf of DONE. | Billing contact details, payment card data (tokenised — full card details are never stored by DONE or accessible to DONE), transaction records, and invoice history. | EU SCCs / UK IDTA where applicable. Stripe participates in the EU-US Data Privacy Framework and is PCI DSS Level 1 certified. |
| Twilio Inc. (SendGrid) | United States | Transactional email delivery service. Used to send platform notifications, account registration confirmations, password resets, billing communications, and system alerts to clients and users. | Recipient email addresses, sender information, and the content of transactional email messages. No learner academy content is transmitted via SendGrid. | EU SCCs / UK IDTA where applicable. Twilio participates in the EU-US Data Privacy Framework. SendGrid is ISO 27001 certified. |
| Crisp IM SARL | France (EU) | Customer support and live chat platform. Used by DONE's support team to manage client support requests, helpdesk tickets, and live chat communications. | Name, email address, account identifiers, and the content of support conversations submitted by clients and users. No learner academy data is accessible through Crisp. | No international transfer mechanism required — Crisp is incorporated and processes data within the EU (France) and is subject to GDPR directly as an EU-established entity. |
3. Client Objection Rights
In accordance with Clause 9.3 and 9.4 of the DPA, DONE will provide clients with not less than thirty (30) days' prior written notice before engaging any new sub-processor or replacing an existing one. Clients may object to a new sub-processor within fifteen (15) days of receiving such notice by submitting a written objection to info@done.fyi stating their reasonable grounds for objection.
DONE will work with the objecting client in good faith to resolve the concern. If the parties cannot reach a resolution within thirty (30) days, either party may terminate the affected service with a pro-rata refund of prepaid fees for the unused subscription period.
4. Sub-Processor Obligations
Before engaging any sub-processor, DONE:
- Conducts reasonable due diligence on the sub-processor's data protection and security practices;
- Enters into a data processing agreement with the sub-processor imposing obligations no less protective than those in DONE's DPA;
- Ensures appropriate international transfer mechanisms are in place where the sub-processor is located outside the EEA, UK, or UAE;
- Remains fully liable to clients for the performance of each sub-processor's data protection obligations.
5. Updates to This List
This Sub-Processor List is reviewed and updated on a continuous basis. The effective date at the top of this page reflects the date of the most recent update. Clients are encouraged to check this page periodically. All material changes will be notified to clients in advance in accordance with the DPA.
For questions about this Sub-Processor List or to request copies of applicable transfer mechanisms, please contact: info@done.fyi.
6. Company Details
DONE MENAT FZCO
Registration: DSO-FZCO-6511
Dubai Silicon Oasis, DDP, Building A2, Dubai, UAE
www.done.fyi | info@done.fyi | +971 52 452 3339