Data Processing Agreement
Annex 2 – Subprocessors
The Processor shall use the following sub-Processors in the course of processing data for the Controller:
Primary sub-Processors used for providing our services:
- Google Cloud Services: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Purpose: Infrastructure and platform services, Computing capacity, Storage space and database services, Telecommunication services (email), Security services, Technical maintenance services; Data processing contract/ Data processing and security terms (Customers): https://cloud.google.com/terms/data-processing-addendum;
Legal basis for US data transfers: Adequacy decision under the “Data Privacy Framework” (DPF), Google certification: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active;
Technical Safeguards: Safeguards for international data transfers with Google Cloud https://services.google.com/fh/files/misc/safeguards_for_international_data_transfers_with_google_cloud.pdf apply: Encryption in transit/at rest/ in use; Strengthened customer controls, cryptographic key management, Cloud External Key Manager, access control, state of the art security 10/ Organisational safeguards: Transparency, regulatory requests for data; Adoption of standards and best practices; Data residency & physical storage of data, Location-based access. - OpenAI: Interface access (so-called “API”) to AI-based services designed to understand and generate natural language and related input and data, analyse information and make predictions; The use of OpenAI features is optional for the Controller and is only carried out with their explicit confirmation; Service provider: OpenAI OpCo, LLC, 3180 18th St., San Francisco, CA 94110 USA; Website: https://openai.com/product; Privacy policy: https://openai.com/policies/privacy-policy; Data Processing Agreement: https://openai.com/policies/data-processing-addendum; Standard Contractual Clauses (ensuring level of data protection for processing in third countries): https://openai.com/policies/data-processing-addendum; Opt-out: https://docs.google.com/forms/d/e/1FAIpQLSevgtKyiSWIOj6CV6XWBHl1daPZSOcIWzcUYUXQ1xttjBgDpA/viewform.
Supporting services:
The following services are primarily for the Processor to carry out the contractual relationship with the Controller. In this case, the Processor processes the personal data as a data controller (e.g. contact information of the Controllers’ employees or content of the communications with them). On the other hand, these services are only exceptionally used in the context of the commissioned processing carried out for the Controller (which primarily concerns the data of the social media users/end customers). These are, for example, cases where a service transaction is discussed via email or chat and contains information about the users involved. Nevertheless, the Processor also applies the same requirements to the lawfulness and security of their use to these services as to primary services.
- Google Workspace: cloud-based application software (e.g. text and spreadsheet editing, appointment and contact management), cloud storage and cloud infrastructure services; service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; website: https://cloud.google.com/; privacy policy: https://cloud.google.com/terms/cloud-privacy-notice, security notices: https://cloud.google.com/security/privacy; DPA: https://cloud.google.com/terms/data-processing-addendum; Legal basis for US data transfers: Adequacy decision under the “Data Privacy Framework” (DPF), see above.
- Slack: instant messaging service; service provider:Slack Technologies, Inc., 500 Howard Street, San Francisco, CA 94105, USA; website: https://slack.com/; privacy policy: https://slack.com/legal; DPA: https://slack.com/terms-of-service/data-processing; Legal basis for US data transfers: Adequacy decision under the “Data Privacy Framework” (DPF), Slack certification: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000GnMBAA0&status=Active.
- SendGrid: We use SendGrid to send all e-mails to customers (invoices, reports, newsletters, other transactional mails); Service provider: Twilio Irland Limited, 25 – 28 North Wall Quay, North Wall, Dublin 1, D01 H104, Ireland; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://sendgrid.com; Privacy Policy: https://www.twilio.com/legal/privacy; Data Processing Agreement: https://www.twilio.com/legal/data-protection-addendum; Legal basis for US data transfers: Adequacy decision under the “Data Privacy Framework” (DPF), Twilio certification: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000TNLbAAO&status=Active.
- Zoom: video conferencing, web conferencing and webinars; service provider: Zoom Video Communications, Inc, 55 Almaden Blvd, Suite 600, San Jose, CA 95113, USA; Website: https://zoom.us; Privacy Policy: https://zoom.us/en/trust/privacy; Order Processing Agreement: https://zoom.us/en/trust/ (referred to as Global DPA); Standard Contractual Clauses (ensuring level of data protection for processing in third countries): https://zoom.us/en/trust/ (referred to as Global DPA); Technical Security Measures: “FAQs: International Data Transfers” https://zoom.us/docs/doc/EEA_Transfer_of_Data.pdf.