Data Processing Agreement
Annex 2 – Subprocessors
The Processor shall use the following sub-Processors in the course of processing data for the Controller:
Primary sub-Processors used for providing our services:
Google Cloud Services: Google LLC, 1600 Amphitheatre Pkwy, Mountain View, California 94043; Purpose: Infrastructure and platform services, Computing capacity, Storage space and database services, Telecommunication services (email), Security services, Technical maintenance services; Data processing contract/ Data processing and security terms (Customers): https://cloud.google.com/terms/data-processing-terms;
US data transfer assessment: Risks arising from US security regulations: Foreign Intelligence Surveillance Act (FISA), Section 702: Under Section 702 of FISA, the United States government may compel "electronic communications service providers" to disclose information about non-US citizens located outside the United States in order to obtain information for foreign intelligence services. EO 12333 and Presidential Policy Directive 28 ("PPD-28"): Under EO 12333, U.S. intelligence agencies (such as the U.S. National Security Agency) may conduct surveillance outside the United States. Specifically, U.S. intelligence agencies are authorised to collect foreign "signals intelligence" information, i.e. information obtained from communications and other data transmitted or accessible by radio, wire and other electromagnetic means; level of risk to data subjects: Collection of behavioural data (sub-page views, app views, interaction with website/app features) within the website and interest in the content. Processsing-related content is already originating from or published on the US networks (e.g. Facebook). No information is typically processed where there is a suspicion that knowledge of US security authorities poses particular risks to users;
Contractual measures: EU Model Contract Clauses : https://cloud.google.com/terms/data-processing-terms in conjunction with https://cloud.google.com/terms/eu-model-contract-clause;
Technical Safeguards: Safeguards for international data transfers with Google Cloud https://services.google.com/fh/files/misc/safeguards_for_international_data_transfers_with_google_cloud.pdf apply: Encryption in transit/at rest/ in use; Strengthened customer controls, cryptographic key management, Cloud External Key Manager, access control, state of the art security 10/ Organisational safeguards: Transparency, regulatory requests for data; Adoption of standards and best practices; Data residency & physical storage of data, Location-based access.
The following services are primarily for the Processor to carry out the contractual relationship with the Controller. In this case, the Processor processes the personal data as a data controller (e.g. contact information of the Controllers' employees or content of the communications with them). On the other hand, these services are only exceptionally used in the context of the commissioned processing carried out for the Controller (which primarily concerns the data of the social media users/end customers). These are, for example, cases where a service transaction is discussed via email or chat and contains information about the users involved. Nevertheless, the Processor also applies the same requirements to the lawfulness and security of their use to these services as to primary services.