Data Processing Agreement

Annex 2 – Subprocessors

The Processor shall use the following sub-Processors in the course of processing data for the Controller:

Primary sub-Processors used for providing our services:

• Google Cloud Services: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Purpose: Infrastructure and platform services, Computing capacity, Storage space and database services, Telecommunication services (email), Security services, Technical maintenance services; Data processing contract/ Data processing and security terms (Customers): https://cloud.google.com/terms/data-processing-addendum;
  US data transfer assessment: Risks arising from US security regulations: Foreign Intelligence Surveillance Act (FISA), Section 702: Under Section 702 of FISA, the United States government may compel "electronic communications service providers" to disclose information about non-US citizens located outside the United States in order to obtain information for foreign intelligence services. EO 12333 and Presidential Policy Directive 28 ("PPD-28"): Under EO 12333, U.S. intelligence agencies (such as the U.S. National Security Agency) may conduct surveillance outside the United States. Specifically, U.S. intelligence agencies are authorised to collect foreign "signals intelligence" information, i.e. information obtained from communications and other data transmitted or accessible by radio, wire and other electromagnetic means; level of risk to data subjects: Collection of behavioural data (sub-page views, app views, interaction with website/app features) within the website and interest in the content. Processsing-related content is already originating from or published on the US networks (e.g. Facebook). No information is typically processed where there is a suspicion that knowledge of US security authorities poses particular risks to users;
  Contractual measures: EU Model Contract Clauses : https://cloud.google.com/terms/data-processing-addendum in conjunction with https://cloud.google.com/terms/eu-model-contract-clause;
  Technical Safeguards: Safeguards for international data transfers with Google Cloud https://services.google.com/fh/files/misc/safeguards_for_international_data_transfers_with_google_cloud.pdf apply: Encryption in transit/at rest/ in use; Strengthened customer controls, cryptographic key management, Cloud External Key Manager, access control, state of the art security 10/ Organisational safeguards: Transparency, regulatory requests for data; Adoption of standards and best practices; Data residency & physical storage of data, Location-based access.
• OpenAI: Interface access (so-called "API") to AI-based services designed to understand and generate natural language and related input and data, analyse information and make predictions; The use of OpenAI features is optional for the Controller and is only carried out with their explicit confirmation; Service provider: OpenAI OpCo, LLC, 3180 18th St., San Francisco, CA 94110 USA; Website: https://openai.com/product; Privacy policy: https://openai.com/policies/privacy-policy; Data Processing Agreement: https://openai.com/policies/data-processing-addendum; Standard Contractual Clauses (ensuring level of data protection for processing in third countries): https://openai.com/policies/data-processing-addendum; Opt-out: https://docs.google.com/forms/d/e/1FAIpQLSevgtKyiSWIOj6CV6XWBHl1daPZSOcIWzcUYUXQ1xttjBgDpA/viewform.

Supporting services:

The following services are primarily for the Processor to carry out the contractual relationship with the Controller. In this case, the Processor processes the personal data as a data controller (e.g. contact information of the Controllers' employees or content of the communications with them). On the other hand, these services are only exceptionally used in the context of the commissioned processing carried out for the Controller (which primarily concerns the data of the social media users/end customers). These are, for example, cases where a service transaction is discussed via email or chat and contains information about the users involved. Nevertheless, the Processor also applies the same requirements to the lawfulness and security of their use to these services as to primary services.

• Google Workspace: cloud-based application software (e.g. text and spreadsheet editing, appointment and contact management), cloud storage and cloud infrastructure services; service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; website: https://cloud.google.com/; privacy policy: https://cloud.google.com/terms/cloud-privacy-notice, security notices: https://cloud.google.com/security/privacy; order processing agreement: https://cloud.google.com/terms/data-processing-addendum; standard contractual clauses (guaranteeing level of data protection for processing in third countries): https://cloud.google.com/terms/eu-model-contract-clause. US data transfers, see above “Google Cloud”.
• Slack: instant messaging service; service provider:Slack Technologies, Inc., 500 Howard Street, San Francisco, CA 94105, USA; website: https://slack.com/; privacy policy: https://slack.com/legal; order processing contract: https://slack.com/terms-of-service/data-processing; US data transfers: standard contractual clauses (ensuring level of data protection for processing in third countries): https://slack.com/terms-of-service/data-processing; security measures: https://slack.com/security-practices.
• SendGrid: We use SendGrid to send all e-mails to customers (invoices, reports, newsletters, other transactional mails); Service provider: Twilio Irland Limited, 25 – 28 North Wall Quay, North Wall, Dublin 1, D01 H104, Ireland; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://sendgrid.com; Privacy Policy: https://www.twilio.com/legal/privacy; Data Processing Agreement: https://www.twilio.com/legal/data-protection-addendum; Standard Contractual Clauses (Safeguarding the level of data protection when processing data in third countries): https://www.twilio.com/legal/data-protection-addendum.
• Zoom: video conferencing, web conferencing and webinars; service provider: Zoom Video Communications, Inc, 55 Almaden Blvd, Suite 600, San Jose, CA 95113, USA; Website: https://zoom.us; Privacy Policy: https://zoom.us/en/trust/privacy; Order Processing Agreement: https://zoom.us/en/trust/ (referred to as Global DPA); Standard Contractual Clauses (ensuring level of data protection for processing in third countries): https://zoom.us/en/trust/ (referred to as Global DPA); Technical Security Measures: "FAQs: International Data Transfers" https://zoom.us/docs/doc/EEA_Transfer_of_Data.pdf.