menu
save_alt Download

Subprocessor and Vendor Inventory

Effective February 9, 2026

< Back

Purpose

This policy document defines the operational procedures for managing third-party service providers (“Subprocessors”) who have access to or process customer data in our cloud services.

Our Architecture: Beekeeper Studio is a desktop database client. Customer database queries and results are processed locally. This policy covers subprocessors with access to our cloud services (account management, billing, license validation, support systems, and optional workspace sync). See Data Flow Diagram for architecture details.

The Vendor List: For the current list of subprocessors with details on each vendor, see our public Subprocessor List.

Public Document: This operational policy is publicly available to demonstrate our vendor management practices and is updated quarterly or when procedures change.

Scope

This inventory includes subprocessors who:

  • Have access to our cloud services or production systems
  • Process customer data on our behalf (account data, billing, cloud workspaces, support tickets)
  • Store or transmit customer data
  • Does NOT include: Customer database vendors (we never access customer databases)

For Educational Institutions: NDPA Compliance

For educational institutions with NDPA agreements:

  • All subprocessors have Data Processing Agreements (DPA) per NDPA Section 2.3
  • DPAs prohibit selling student data
  • Subprocessors provide data protections no less stringent than NDPA
  • Material changes communicated to LEAs with 30-day notice

What counts as student data: Only data in cloud workspaces or support tickets (if staff voluntarily includes it). Beekeeper Studio does not access school databases or student information systems.

Current Subprocessor List

📋 View the complete Subprocessor List for details on all third-party service providers, including:

  • Service descriptions and data types processed
  • Processing locations and certifications
  • Security measures and data protection agreements
  • Last review dates

Quick Summary: See the complete Subprocessor List for all current vendors and details.

All subprocessors maintain SOC 2 Type II, ISO 27001, or equivalent certifications.

Subprocessor Risk Assessment

Risk Level Classification

Each subprocessor is assessed for risk based on:

  1. Type and sensitivity of data accessed
  2. Security certifications and compliance
  3. Data protection agreements in place
  4. Potential exposure to student data

Risk assessments for each subprocessor are maintained internally and reviewed quarterly. See the Subprocessor List for the current vendor directory.

Subprocessor Security Requirements

All subprocessors must meet minimum security standards:

Required Certifications (at least one)

  • SOC 2 Type II
  • ISO 27001
  • PCI DSS (for payment processors)
  • FedRAMP (for government contracts)

Required Contractual Terms

  • Data Processing Agreement (DPA) or equivalent
  • Prohibition on selling customer data
  • Breach notification obligations (within 72 hours)
  • Data deletion commitments
  • Subprocessor notification rights

Required Technical Controls

  • Encryption at rest
  • Encryption in transit (TLS 1.2+)
  • Access controls and authentication
  • Logging and monitoring
  • Regular security assessments

NDPA-Specific Requirements

  • Cannot sell student data (NDPA Section 2.3)
  • Protections no less stringent than NDPA
  • Breach notification to Provider
  • Data deletion upon request

Vendor Vetting Process

Before engaging a new subprocessor:

Security Assessment

  • Review security certifications (SOC 2 or ISO 27001 required)
  • Evaluate security documentation
  • Review breach history
  • Negotiate Data Processing Agreement
  • Ensure GDPR/CCPA compliance
  • For educational customers: Verify NDPA-compliant terms

Technical Integration

  • Implement with least-privilege access
  • Enable encryption and security features
  • Configure logging

Ongoing Monitoring

  • Quarterly review (during compliance day)
  • Annual contract renewal review
  • Monitor for security incidents

Subprocessor Change Notification

All Customers:
Material changes posted to this document. Request proactive notification: support@beekeeperstudio.io

For Educational Institutions (NDPA Section 2.3)

30-day notice for material changes:

  1. Update this document
  2. Email to LEA designated representative
  3. Allow time to object before new subprocessor processes data

Material changes:

  • Adding new subprocessor with access to cloud workspace data
  • Changing subprocessor’s data processing location
  • Material reduction in security protections
  • Change of ownership (acquisition, merger)

Non-material changes (no notice required):

  • Updates to existing services (same vendor)
  • Infrastructure changes
  • Minor DPA updates
  • Removal of subprocessors

Data Flows

For detailed data flows between services, see the Data Flow Diagram. For the complete list of subprocessors and what data each processes, see the Subprocessor List.

Geographic Data Storage

All customer cloud data (accounts, workspaces, backups) is stored in the United States. Processing locations for each subprocessor are listed on the Subprocessor List.

For Educational Institutions: All cloud workspace data stored in US regions. No international transfers.

See Also: Data Flow Diagram, International Transfers

Subprocessor Audit Rights

LEA Audit Rights (NDPA Utah Code § 53E-9-309)

Educational institutions may audit our use of subprocessors:

Audit Methods:

  1. Request subprocessor list (this document)
  2. Request copies of subprocessor DPAs (with reasonable redaction)
  3. Request subprocessor security certifications (SOC 2, ISO 27001)
  4. Request subprocessor audit reports (with NDA if required)

Audit Response Timeline:

  • Document requests: 14 business days
  • Audit questionnaires: 30 days
  • Onsite audits: By mutual agreement with reasonable notice

Contact for Audits:

  • Email: support@beekeeperstudio.io
  • Subject: “NDPA Audit Request - [LEA Name]”

Alternative: Local Workspace Mode (No Subprocessor Access)

For customers with strict requirements against subprocessor access:

Local Workspace Mode:

  • All data processing on user’s local device
  • No cloud storage, no cloud workspaces
  • No data transmitted to our servers (except license validation)
  • Desktop application only

Trade-offs:

  • ❌ No cross-device sync
  • ❌ No cloud backup
  • ✅ Complete data control
  • ✅ No subprocessor access to workspace data

Setup: Disable cloud workspaces in application settings

Contact: support@beekeeperstudio.io for local-only deployment guidance

Document Maintenance

Update Schedule

Quarterly Review (during compliance day):

  • Verify all subprocessors still in use
  • Check for service changes or acquisitions
  • Review security certifications

Trigger-Based Updates:

  • Adding/removing a subprocessor
  • Material changes to existing subprocessor
  • Security incident involving subprocessor

Version Control

  • Version: 2.0
  • Effective Date: 2026-02-09
  • Last Reviewed: 2026-02-09
  • Next Review: 2026-05-09
  • Owner: CTO / Security Contact
  • Approved By: CEO

Changes from v1.0: Clarified desktop app architecture, updated for cloud services focus, added cross-references to legal documents.

Security Policies

Contact

Subprocessor Questions: support@beekeeperstudio.io

Customer Audits: support@beekeeperstudio.io (Subject: “Audit Request - [Organization]”)

Change Notifications: Request proactive notification at support@beekeeperstudio.io (Subject: “Subscribe to Subprocessor Notifications”)

Appendix A: Subprocessor Agreement Requirements

All subprocessors have Data Processing Agreements (DPAs) containing:

Standard Terms

  • Data processing only per documented instructions
  • Confidentiality obligations
  • Appropriate security measures (encryption, access controls)
  • Assistance with data subject rights (access, deletion, export)
  • Data deletion at contract termination
  • Breach notification within 72 hours
  • Prohibition on unauthorized subcontracting

For Educational Institutions (NDPA Terms)

  • No selling of student data
  • No targeted advertising
  • 60-day data deletion upon request
  • LEA audit cooperation rights

Certification Requirements

  • SOC 2 Type II or ISO 27001 required
  • Annual recertification
  • Certifications available upon request (with NDA)

Appendix B: Subprocessor Quick Reference

See the Subprocessor List for the current vendor directory with full details.

Document Owner: CTO / Security Contact
Approved By: CEO
Effective Date: 2026-02-09