SUB-PROCESSOR TRANSPARENCY

Effective Date: 2026

Operated by
HOODS HUB PRIVATE LIMITED
Chennai, Tamil Nadu, India

WhitePanther™ (“WhitePanther”, “we”, “us”) engages carefully selected third-party service providers (“Sub-Processors”) to support delivery of our platform.

This document provides transparency regarding Sub-Processors that may Process Customer Personal Data on our behalf.

This statement forms part of the WhitePanther Data Processing Agreement (DPA).

1. OUR SUB-PROCESSOR GOVERNANCE MODEL

WhitePanther maintains a vendor management framework aligned with ISO/IEC 27001 supplier relationship controls.

Before engaging a Sub-Processor, we:

• Conduct security and compliance due diligence
• Evaluate data protection posture
• Assess regulatory standing and reputation
• Enter into written contractual agreements
• Impose confidentiality and security obligations
• Limit data access to what is strictly necessary

We remain responsible for the performance of our Sub-Processors in accordance with the DPA.

2. DATA PROCESSING ARCHITECTURE CLARIFICATION

WhitePanther operates under a minimal data storage model.

Important distinctions:

• Email bodies and attachments remain within the Customer’s Gmail account.
• Files (e.g., screen recordings) remain within the Customer’s Google Drive.
• WhitePanther does not replicate or permanently store such content.
• WhitePanther maintains only encrypted metadata references where required for workflow continuity.

Certain providers listed below may act either:

• As Sub-Processors (where processing occurs on our behalf), or
• As Independent Controllers (where the Customer interacts directly with the provider under their own terms).

3. CURRENT SUB-PROCESSORS

3.1 Cloud Infrastructure & API Connectivity

Google LLC

Role:

• Sub-Processor for platform connectivity and API infrastructure
• Independent Controller for Customer Gmail and Google Drive accounts

Purpose of Processing (Sub-Processor context):

• OAuth authentication
• API connectivity for Gmail integration
• Secure token validation
• Cloud-based service infrastructure

Categories of Data (Sub-Processor context):

• Authentication tokens
• Encrypted metadata references
• Limited email metadata (as required by scoped permissions)

Important Clarification:

• Email content is not stored by WhitePanther.
• Google Drive files remain under the Customer’s direct control.
• Google may independently process data under its own privacy framework.

Location:
Global infrastructure (region determined by Google services configuration).

3.2 Payment Processing

WhitePanther integrates with regulated payment providers.

These providers process payment information directly and may act as Independent Controllers under financial regulations.

Razorpay Software Private Limited

Role:
Independent payment processor (may act as Sub-Processor for certain transaction metadata).

Purpose of Processing:

• Payment processing
• Card tokenization
• Subscription billing
• Order creation and verification
• Webhook transaction confirmation

Categories of Data:

• Tokenized card references
• Transaction metadata
• Billing information
• Payment status records

Important Clarification:

• WhitePanther does not store full card numbers.
• CVV data is never stored.
• Card tokenization is handled by Razorpay in compliance with RBI guidelines.

Location:
India (subject to Razorpay’s infrastructure model).

PhonePe Private Limited

Role:
Independent payment processor.

Purpose of Processing:

• UPI-based payment transactions
• Payment authentication
• Transaction verification

Categories of Data:

• Transaction identifiers
• UPI-related metadata
• Billing-related details

Location:
India.

4. DATA SECURITY REQUIREMENTS FOR SUB-PROCESSORS

WhitePanther requires Sub-Processors to:

• Process data only for defined purposes
• Maintain confidentiality obligations
• Implement appropriate technical and organizational safeguards
• Comply with applicable data protection laws
• Notify WhitePanther of security incidents affecting shared data

Where applicable, contractual safeguards consistent with GDPR principles are applied.

5. INTERNATIONAL DATA TRANSFERS

Certain Sub-Processors may operate global infrastructure.

Where Personal Data is transferred across borders:

• Appropriate contractual safeguards are implemented
• Transfer mechanisms align with GDPR principles (where applicable)
• Risk-based assessments are conducted

Cloud-provider–hosted data remains governed by the respective provider’s compliance framework.

6. SUB-PROCESSOR CHANGES

WhitePanther may update this Sub-Processor list periodically.

For material changes:

• Updates will be published on this page.
• Customers may be notified via email or in-platform communication where appropriate.

Continued use of the Platform constitutes acceptance of updated Sub-Processors, subject to the DPA.

7. CUSTOMER RESPONSIBILITIES

Customers are responsible for:

• Reviewing third-party provider terms and privacy policies
• Configuring access permissions appropriately (e.g., Google Drive access controls)
• Managing administrator privileges
• Ensuring lawful data collection practices

Security is a shared responsibility.

8. LIMITATION OF RESPONSIBILITY

WhitePanther is not responsible for:

• Independent data processing conducted by third-party providers under their own terms
• Security breaches caused by Customer misconfiguration
• Compromised Customer credentials
• Failures within third-party infrastructure beyond WhitePanther’s control

9. CONTACT

For Sub-Processor or vendor management inquiries:

customersupport@whitepanther.email

HOODS HUB PRIVATE LIMITED
Chennai, Tamil Nadu, India