Sub-Processor List
Third Parties Processing Customer Data
Effective Date: May 1, 2026
Version: 1.0
Last Updated: April 13, 2026
Introduction
This page lists all sub-processors that Equerra engages to process customer data when you use our Software.
Purpose: Transparency about who has access to your data and where it's processed.
Updates: We update this list when we add, replace, or materially change sub-processors.
Notification: We provide at least 30 days' advance notice before adding or replacing sub-processors.
Your Rights: You may object to changes within 15 days of notification. See Data Processing Agreement for details.
Related Documents:
Current Sub-Processors
Microsoft Corporation (Azure Cloud Services)
Entity:
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
United States
Processing Activities:
- Cloud infrastructure hosting
- Microsoft Dynamics 365 Business Central platform
- Data storage and compute services
- Database services
- Authentication and identity management
- Backup and disaster recovery
Data Categories Processed:
- All Customer Data entered into the Software
- User account information
- Authentication credentials
- Usage logs and metadata
- Application data and configurations
Processing Locations:
Your selected Microsoft Azure region. Location is determined by your Business Central tenant configuration.
Common Regions:
- Australia East (Sydney)
- Australia Southeast (Melbourne)
- UK South (London)
- West Europe (Netherlands)
- East US (Virginia)
- See full list: Business Central Availability
Safeguards:
- Microsoft Online Services Terms
- Microsoft Data Processing Addendum
- Standard Contractual Clauses (EU Commission approved)
- ISO 27001, ISO 27017, ISO 27018 certified
- SOC 2 Type 2 certified
- PCI DSS Level 1 (where applicable)
- EU Data Boundary (for EU customers, where applicable)
- Microsoft Trust Center
Data Retention:
- Active subscription: As required for service delivery
- After termination: 30-day retrieval period, then deletion
- Backups: Deleted within 90 days
Microsoft Corporation (Azure OpenAI Service)
Entity:
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
United States
Processing Activities:
- AI-powered features (optional, only when enabled)
- Text analysis and suggestions
- Natural language processing
- Content classification
- Intelligent recommendations
Data Categories Processed:
- User prompts and queries (when AI features used)
- Interaction text
- Metadata only (NO full Customer Data)
- Context required for AI operations
Processing Locations:
Customer-selected region when enabling AI features:
- Australia East (Sydney, Australia)
- West Europe (Amsterdam, Netherlands)
- East US (Virginia, United States)
Important Notes:
Opt-In Only: This sub-processor is engaged ONLY when you explicitly enable AI-powered features in the Software.
No Training: Your data is NOT used to train AI models. Microsoft does not retain prompts or completions for training purposes.
Data Not Retained: Prompt and completion data is not stored beyond the immediate processing requirement.
Abuse Monitoring: Human review may occur only for content flagged by automated abuse monitoring systems.
Safeguards:
- Azure OpenAI Service Data Processing Addendum
- Standard Contractual Clauses
- Microsoft Online Services Terms
- Zero data retention policy (no training data)
- Abuse monitoring only (no routine human review)
- Azure OpenAI Service Privacy
Disable Anytime: You can disable AI features at any time through Software settings.
Change History
Current Version (1.0 - May 1, 2026)
Sub-Processors:
- Microsoft Corporation (Azure) - Infrastructure and hosting
- Microsoft Corporation (Azure OpenAI) - Optional AI features
No Changes: Initial publication.
Future Changes
How We Notify You
Before Adding or Changing Sub-Processors:
- Email Notification: Sent to account administrators at least 30 days in advance
- Website Update: This page updated with "Pending" status
- In-Product Notice: Notification in Software (for significant changes)
What We Include:
- Sub-processor name and location
- Processing activities
- Data categories
- Effective date of change
- How to object
Your Objection Rights
You May Object If:
- You have reasonable data protection concerns
- The change increases your compliance risk
- The location conflicts with your data residency requirements
- The sub-processor doesn't meet your security standards
How to Object:
- Email privacy@equerra.com within 15 days of notification
- State your grounds for objection
- Provide specific concerns
Our Response:
- We'll work with you to address concerns
- If we can't accommodate your objection, you may terminate the affected services without penalty
- We'll provide reasonable transition assistance
Note: Objecting to Microsoft Azure sub-processors may prevent us from providing services, as they're essential to our infrastructure.
Sub-Processor Requirements
What We Require
All sub-processors must:
- Contractual Obligations: Agree to data protection terms equivalent to our Data Processing Agreement
- Security Measures: Implement appropriate technical and organizational security measures
- Processing Limits: Process data only as instructed and for authorized purposes
- Sub-Sub-Processors: Obtain our approval before engaging their own sub-processors
- Audit Rights: Allow audits of their data protection practices
- Breach Notification: Promptly notify us of any data breaches
- Data Return/Deletion: Return or delete data after services end
- Compliance: Comply with applicable data protection laws
Our Liability
We remain fully liable for sub-processor performance as if we performed the services ourselves.
Data Transfer Safeguards
International Transfers
When sub-processors are located outside your jurisdiction, we implement safeguards:
European Economic Area / UK / Switzerland:
- Standard Contractual Clauses (SCC)
- Transfer Impact Assessments
- Supplementary security measures
- Regular compliance reviews
Australia:
- Cross-border disclosure safeguards (APP 8)
- Contractual protections
- Equivalent privacy standards
New Zealand:
- Comparable safeguards (IPP 12)
- Contractual protections
- Security measures
Full Details: Data Processing Agreement, Part 8
Geographic Processing Locations
Primary Processing Regions
Your Control: You select the primary processing region through your Microsoft Business Central tenant configuration.
Available Regions (depends on Business Central availability):
- Asia Pacific (Australia, Japan, Singapore, etc.)
- Europe (UK, Netherlands, Ireland, Germany, etc.)
- Americas (United States, Canada, Brazil)
- Middle East (UAE)
Current Availability: Microsoft Business Central Regions
Secondary Processing
Support Operations: Limited access may occur from Equerra personnel in New Zealand for support and operational purposes.
Microsoft Operations: Microsoft personnel globally may access for infrastructure management, subject to contractual restrictions and technical safeguards.
Monitoring and Compliance
Our Oversight
We regularly monitor sub-processor performance:
Reviews:
- Annual security assessments
- Quarterly compliance reviews
- Ongoing performance monitoring
- Incident tracking and analysis
Certifications:
- We verify current security certifications
- We review audit reports
- We assess compliance status
Your Audits
You may audit sub-processor compliance:
Through Us: Request our sub-processor audit reports (subject to confidentiality)
Direct Audits: For enterprise customers, we can facilitate direct audits of sub-processors (subject to sub-processor agreement and reasonable terms)
Contact: privacy@equerra.com for audit requests
Frequently Asked Questions
Can I choose which sub-processors handle my data?
Microsoft Azure: No. This is essential infrastructure. All customers use Microsoft Azure.
Azure OpenAI: Yes. AI features are optional. You can choose not to enable them.
Where exactly is my data stored?
Your data is stored in the Microsoft Azure region you selected during Business Central tenant setup. You can verify your region in Business Central Admin Center.
Does my data leave my selected region?
Generally No: Data remains in your selected region for storage and processing.
Limited Exceptions:
- Support access from Equerra (New Zealand)
- Microsoft operations (global, with safeguards)
- Backup replication to paired Azure region (for disaster recovery)
What if I'm in the EU and object to US processing?
Current Options:
- Select an EU Azure region (keeps data in EU Data Boundary where applicable)
- Disable Azure OpenAI features (avoids optional US processing)
- Use Standard Contractual Clauses and transfer safeguards we implement
Enterprise Options: Contact sales@equerra.com for enhanced data residency options.
How do I know when sub-processors change?
Automatic Notifications: If you're an account administrator, you'll receive email notifications at least 30 days before changes.
This Page: Always shows current sub-processors and change history.
Subscription: Subscribe to updates by contacting privacy@equerra.com.
Contact Information
Data Protection Inquiries: privacy@equerra.com
Objections to Sub-Processors: privacy@equerra.com (within 15 days of notice)
General Questions: support@equerra.com
Privacy Officer:
Equerra Limited
2nd Level
40 Lady Elizabeth Lane
Wellington Central
New Zealand 6011
Phone: +64 4 4626852
Subscribe to Updates
Email Notifications: To receive email notifications of sub-processor changes, contact privacy@equerra.com with:
- Your name and company
- Email address for notifications
- Subscription/account identifier
RSS Feed: Coming soon.
Related Documents
We're committed to transparency about data processing. If you have questions about sub-processors or data handling, please don't hesitate to contact us.
Last Reviewed: April 13, 2026
Next Review: July 13, 2026 (quarterly)
Version: 1.0
Equerra Limited
Strategic Solutions for Modern Business
© 2026 Equerra Limited. All rights reserved.