Transom data processing partners

We care about privacy and data protection

Our systems are built on a platform with privacy and data protection in mind. Your (and our) data is stored in a Tier III, ISO 27001 certified datacenter in the Nordic region of the EU, hosted by a GDPR-compliant hosting provider. While this is not actually built into an ice mountain, it’s a pretty cool setup (literally). The site, LMS system and data are served to you via Cloudflare on a non-permanent pass-through basis, providing both extra protection and smooth operation. Everything is always encrypted, whether at rest or on the move.

Besides our proprietary platforms hosted as described above, we manage our own and our clients’ data on Microsoft’s 365 platform, and we make use of the security functions and settings of MS 365 (including its P1 license) to optimize protection. Our contract is with Microsoft Japan, and accordingly, all data in this part of our business operations is stored on Microsoft’s servers in Asia.

Besides the two primary ecosystems above, we use select other providers such as Zoom for virtual meetings and Signal for encrypted (mobile) communications.

We spend considerable effort to handle data in compliance with EU GDPR, Japan’s APPI privacy law, Brazil’s LGPD privacy law, and where relevant with California’s CCPA and China’s PIPL. As part of this effort, we list data processing partners we work with on this page. Please note that, while this page is part of our public site, many of these data processors only handle data collected or kept in our (non-public) business systems and LMS platform.

We strive to keep this listing up to date covering all of our business platforms. This page may be updated from time to time to reflect ongoing developments in our business and communications systems.

Data processing partners

The following parties may handle personal information as sub-processors (Data Processing Partners) of Transom.
RackRay (https://www.rackray.com/about-us/) – Datacenter hosting the systems and data for our website and LMS platform, including any personal data held in these systems.
Hostens.com – Hosting service based in Lithuania, EU. Hosting provider for the above datacenter.
Cloudflare – Content delivery network services, cloud cybersecurity, and DDoS mitigation. Also manages our DNS. No permanent storage of personal data.
SendGrid (Twilio) – Customer communication platform for transactional and marketing email. Functions as our email server (MTA) for system emails from our LMS platform and provides anti-spam (outgoing) monitoring and protection measures. SendGrid is US based and (yet) quite GDPR conscious in its operations. Data is pass-through and not permanently stored on its servers.
YR-Design (Nara, Japan) – Our systems integrator, including security architecture, implementation, monitoring and remediation.
Koshin LLI Holdings KK (Tokyo, Japan) – Provides us with consulting, system integration management and outsourced services.
BZ-Design (Caloundra, QLD, Australia) – Graphic design services, handles some of our client data when present in design materials (folders, web design). Operates under EU GDPR SCCs.
Microsoft Japan – MS 365 including Exchange (email services), Outlook, OneDrive, Teams, and other products in the Microsoft ecosystem that may store (client) personal data. Data in our business operations is stored in Microsoft’s Asia datacenters.
Zoom – Virtual meetings, video conferencing. We store client names/email addresses on Zoom’s servers for security/access management, and we record workshops and chat comments (including files uploaded in chat) on Zoom as part of normal operations.
Signal – Open source encrypted mobile/desktop messaging app. Our preferred option for mobile messaging because of its security structure.
WhatsApp (Meta) – Mobile/desktop messaging app.
Line (https://line.me/en/) – Mobile/desktop messaging app, often preferred by users and clients in Japan.
WeChat – We use WeChat primarily if needed with users in China.
Webex (Cisco) – Team collaboration and virtual meetings. This is not our most commonly used platform (we use Zoom and Teams). Occasionally connectivity constraints or client preferences lead us to use this platform.
Saville Assessment – Psychometric, 360, aptitude testing. We provide them with candidate name and email address in accordance with client agreements, and they manage and store the sensitive personal data of participants in our programs and projects who take these assessments.
Lumina Learning – Personality, leadership and other testing. We provide them with candidate name and email address in accordance with client agreements, and they manage and store the sensitive personal data of participants in our programs and projects who take these assessments.
Generativity Partners (Vancouver, BC, Canada) – Collaboration and licensing of Clear Leadership programs. We provide them with participant names and basic identifying information for the purpose of licensing their participation in Clear Leadership based development programs. Participants who complete the program may also opt in to the Clear Leadership Network (managed on MightyNetworks).
21st Corporate Development (Vienna, Austria, EU) – Affiliate Consultant, may access relevant client information in programs where they are involved as instructors, facilitators, coaches or collaborators. Operates under GDPR.
Killumets (Tallinn, Estonia, EU) – Affiliate Consultant, may access relevant client information in programs where they are involved as instructors, facilitators, coaches or collaborators. Operates under GDPR.
Change Makers (Melbourne, Australia) – Affiliate Consultant, may access relevant client information in programs where they are involved as instructors, facilitators, coaches or collaborators. Operates under EU GDPR SCCs.
The data processors listed here may have sub-processors that handle part or all of the personal information handled by the data processor, in accordance with that data processor’s own practices.

Transom will, in principle, work with data processors under EU jurisdiction or the jurisdiction of a country with an EU Adequacy decision, or if this is not the case, under conclusion of EU GDPR Standard Contractual Clauses (SCCs).

This listing and its implications are open to correction or amendment without prior notice. No rights may be derived from this page by visitors or end users.

For inquiries, suggestions or requests regarding Transom privacy and data protection policies and practices, please contact [email address hidden].