Sub-Processors & Third Parties
List of third-party services we use to provide our platform
Sub-Processors & Third Parties
DATA PROCESSING DISCLOSURE
This document lists all sub-processors and third-party service providers that RentalTide engages to process personal data on behalf of our customers. We maintain strict data processing agreements with all providers to ensure compliance with privacy laws and protection of your data.
1. Introduction
Below is a comprehensive list of sub-processors engaged by RentalTide Inc. ("RentalTide"), a corporation incorporated in Delaware, United States, with additional registration in Canada, in accordance with our Terms of Service, Privacy Policy, and Data Processing Agreement for carrying out processing activities on customer data on behalf of you (as defined in our agreements).
RentalTide will inform you of any intended changes concerning the addition or replacement of sub-processors through your account dashboard, email notifications, or updates to this page.
Contact Information: RentalTide Inc. (Delaware) Data Protection Officer 110 Didsbury Road, Ottawa, Ontario K2J 4T4, Canada 1111B S Governors Ave STE 48363, Dover, DE 19904, United States Phone: 888-709-2650 Email: privacy@rentaltide.com
2. Data Processing Regions
RentalTide processes data in the following regions:
- Primary: Canada (Ottawa, Ontario)
- Secondary: United States (AWS regions)
- Backup: Canada (secondary data centers)
All international transfers are protected by appropriate safeguards including Standard Contractual Clauses and adequacy decisions where applicable.
3. List of Sub-processors
The following table lists all sub-processors currently engaged by RentalTide:
| Sub-processor | Description of Processing | Region of Processing | Data Categories |
|---|---|---|---|
| Amazon Web Services, Inc. | Cloud computing infrastructure, website hosting, data storage, and database management | Canada, USA | All customer data categories |
| Stripe, Inc. | Payment processing, identity verification, Know Your Customer (KYC) checks, and fraud prevention | Canada, USA | Payment data, identity documents, financial information |
| Auth0, Inc. | User authentication, identity management, and access control services | USA | Account credentials, authentication logs, user profiles |
| SendGrid, Inc. | Email delivery services for transactional emails, notifications, and marketing communications | USA | Email addresses, communication preferences, message content |
| Twilio, Inc. | SMS message delivery for notifications, two-factor authentication, and customer communications | USA | Phone numbers, message content, delivery logs |
| Google LLC (Google Workspace) | Internal email communications (Gmail), document collaboration (Google Drive), and analytics (Google Analytics) | USA | Internal business data, website analytics, support communications |
| Slack Technologies, Inc. | Internal team communications and collaboration | USA | Internal business communications only |
| Intercom, Inc. | Customer communication platform for in-app messaging and support | USA | Customer support communications, user interaction data |
4. Additional Service Providers
4.1 Infrastructure and Security
| Provider | Service | Region | Purpose |
|---|---|---|---|
| Cloudflare, Inc. | Content delivery network (CDN) and DDoS protection | Global | Website performance and security |
4.2 Business Operations
| Provider | Service | Region | Purpose |
|---|---|---|---|
| HubSpot, Inc. | Customer relationship management (CRM) | USA | Sales and marketing operations |
4.3 Analytics and Marketing
| Provider | Service | Region | Purpose |
|---|---|---|---|
| Google Analytics | Website and application analytics | USA | Usage statistics and performance metrics |
| Mailchimp (Intuit) | Email marketing campaigns and customer communications | USA | Marketing communications, newsletters |
5. Code Sharing and Development Partners
5.1 Shared Development Relationship
RentalTide shares certain code repositories and development resources with WetRentals, a related entity in the rental platform ecosystem:
| Partner | Relationship | Code Sharing Scope | Data Processing |
|---|---|---|---|
| WetRentals | Sister company and development partner | Shared core platform libraries, API frameworks, and infrastructure components | No personal data sharing - code repositories only |
5.2 Code Sharing Safeguards
What is shared:
- Open-source libraries and frameworks
- Common API infrastructure code
- Shared development tools and utilities
- Non-proprietary platform components
What is NOT shared:
- Customer personal data or business information
- Proprietary algorithms or business logic
- Database contents or customer records
- Authentication systems or security credentials
- Billing or payment information
5.3 Technical Separation
Despite code sharing arrangements:
- Separate databases - no cross-platform data access
- Independent authentication - separate user accounts and credentials
- Isolated customer data - complete segregation of personal information
- Independent operations - separate business operations and customer relationships
5.4 Data Protection Compliance
Code sharing activities:
- Do not involve personal data transfer between platforms
- Maintain separate privacy policies and data processing agreements
- Comply with all applicable data protection laws independently
- Undergo separate security audits and compliance assessments
6. Data Categories Processed
6.1 Customer Account Data
- Personal identifiers (name, email, phone)
- Business information (company name, address, tax ID)
- Account credentials and authentication data
- Billing and subscription information
6.2 Rental Transaction Data
- Booking details and reservation history
- Asset information and availability
- Customer preferences and special requests
- Communication logs and support tickets
6.3 Financial Data
- Payment card information (processed by Stripe)
- Bank account details for payouts
- Transaction history and receipts
- Tax documentation and reporting data
6.4 Identity Verification Data
- Government-issued identification documents
- Address verification documents
- Business registration certificates
- Know Your Customer (KYC) verification results
7. Data Processing Safeguards
7.1 Contractual Protections
All sub-processors are bound by:
- Data Processing Agreements (DPAs)
- Standard Contractual Clauses (SCCs)
- Confidentiality and security obligations
- Data breach notification requirements
- Audit and compliance monitoring provisions
7.2 Technical Safeguards
- End-to-end encryption for data in transit
- AES-256 encryption for data at rest
- Multi-factor authentication requirements
- Regular security assessments and penetration testing
- Access controls and privilege management
7.3 Organizational Safeguards
- Employee background checks and security training
- Regular compliance audits and reviews
- Incident response and breach notification procedures
- Data retention and deletion policies
- Privacy impact assessments for new services
8. International Data Transfers
8.1 Transfer Mechanisms
For transfers outside Canada, we rely on:
- EU-Canada Adequacy Decision for EU data
- Standard Contractual Clauses for other jurisdictions
- Binding Corporate Rules where applicable
- Explicit consent when required
8.2 US Data Transfers
Data transferred to US-based processors is protected by:
- Standard Contractual Clauses approved by European Commission
- Additional safeguards including encryption and access controls
- Regular compliance monitoring and audits
- Incident response and notification procedures
9. Third-Party Integrations
9.1 Customer-Controlled Processors
RentalTide may interact with third-party processors that you directly contract with, including:
- Payment processors (beyond Stripe)
- Waiver and liability management solutions
- Insurance providers and verification services
- Marketing and analytics tools
- Custom business integrations via our API
9.2 Independent Processing
These third-party processors:
- Act as independent data controllers or processors
- Have direct contractual relationships with you
- Are not sub-processors of RentalTide
- Are governed by their own privacy policies and terms
10. Sub-processor Changes
10.1 Notification Process
When adding or replacing sub-processors, we will:
- Provide 30 days advance notice via email
- Update this document with new information
- Post notifications in your account dashboard
- Ensure new processors meet our security standards
10.2 Objection Rights
If you object to a new sub-processor, you may:
- Submit objections within 30 days of notice
- Request alternative processing arrangements
- Terminate affected services if no alternative exists
- Receive pro-rated refunds for terminated services
10.3 Emergency Changes
For urgent security or legal reasons, we may:
- Implement immediate sub-processor changes
- Provide notice as soon as reasonably possible
- Offer remediation or alternative solutions
- Conduct expedited security and compliance reviews
11. Compliance and Auditing
11.1 Regular Audits
We conduct:
- Annual security and compliance audits of all sub-processors
- Quarterly reviews of data processing activities
- Ongoing monitoring of security incidents and breaches
- Regular updates to contractual terms and safeguards
11.2 Compliance Standards
All sub-processors must meet:
- SOC 2 Type II certification or equivalent
- ISO 27001 information security standards
- GDPR and other applicable privacy law compliance
- Industry-specific security requirements (PCI DSS for payments)
11.3 Audit Rights
You have the right to:
- Request information about sub-processor compliance
- Review security certifications and audit reports
- Conduct your own audits subject to reasonable notice
- Receive copies of relevant compliance documentation
12. Data Subject Rights
12.1 Rights Facilitation
We ensure sub-processors support:
- Data access and portability requests
- Correction and rectification of inaccurate data
- Deletion and erasure of personal data
- Restriction of processing when required
- Objection to processing based on legitimate interests
12.2 Response Coordination
When data subjects exercise rights:
- We coordinate responses across all sub-processors
- Ensure consistent and complete fulfillment
- Meet legal deadlines for response (typically 30 days)
- Provide clear communication to data subjects
13. Security Incident Response
13.1 Incident Notification
Sub-processors must notify us within:
- 4 hours for high-severity security incidents
- 24 hours for data breaches involving personal data
- 72 hours for other security events
13.2 Response Coordination
We coordinate incident response by:
- Assessing impact and risk to customer data
- Implementing containment and remediation measures
- Notifying affected customers and authorities as required
- Conducting post-incident reviews and improvements
14. Contact Information
14.1 Data Protection Inquiries
- Email: privacy@rentaltide.com
- Phone: 888-709-2650
- Mail: Data Protection Officer, RentalTide Inc., 110 Didsbury Road, Ottawa, Ontario K2J 4T4, Canada and 1111B S Governors Ave STE 48363, Dover, DE 19904, United States
14.2 Security Incidents
- Emergency: security@rentaltide.com
- Phone: 888-709-2650 (24/7 security hotline)
14.3 Sub-processor Objections
- Email: legal@rentaltide.com
- Subject Line: "Sub-processor Objection - [Your Account ID]"
Last Updated: November 14, 2025
Effective Date: February 1, 2025
Version: 1.0
Note: This document is updated regularly to reflect changes in our sub-processor relationships. We recommend reviewing this page quarterly or subscribing to notifications for updates.