Voyado Engage

Third Country Transfers and List of Sub-processors

We use sub-processors to deliver our Product “Voyado Engage”. The use of sub-processors may entail transfers of personal data. Please see below a description of the relevant transfers and what legislation might apply.

Please subscribe here if you want to receive notifications whenever we update our legal documents.

Applicable sub-processors

Voyado uses the sub-processors listed below for the provision of Voyado Engage. For some of Voyado Engage’s Component(s) and Third Party Services, additional sub-processors may apply. If so, these will be listed in the table “Components and Third-Party Services” below.

Third country transfers

Voyado’s main processing of personal data takes place within the EU. However, for some sub-processors, processing of personal data outside of the EU/EEA may occur. Please see information on applicable transfer and transfer tools below.

EU/UK/Swiss transfer to the US

For transfers to the US, Voyado’s sub-processors for Voyado Engage relies on either the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), see information below, or the Standard Contractual Clauses, (the “SCC”). The EU-U.S. DPF shall be used as a first resort. Please see information in the table below for what applies for each sub-processor.

The EU-U.S. DPF, the UK Extension to the EU-U.S. Data Privacy Framework (UK Extension to the EU-U.S. DPF), and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) were respectively developed in furtherance of transatlantic commerce by the U.S. Department of Commerce and the European Commission, the UK Government, and the Swiss Federal Administration to provide U.S. organizations with reliable mechanisms for personal data transfers to the United States from the European Union / European Economic Area, the United Kingdom (and Gibraltar), and Switzerland while ensuring data protection that is consistent with EU, UK, and Swiss law.

The effective date of the EU-U.S. DPF Principles, including the Supplemental Principles and Annex I of the Principles is July 10, 2023, which is the date of entry into force of the European Commission’s adequacy decision for the EU-U.S. DPF. The adequacy decision enables the transfer of EU personal data to participating organizations consistent with EU law.

List of sub-processors 

The sub-processors below apply for all customers using Voyado Engage, regardless of which Component(s) you use.

Sub-processor and use Data Center location Transfer tool Possible third country data flow  Sub-processors and links
Microsoft AB

Hosting of customer data 

Ireland EU-U.S. DPF No direct data flow. Data centers are located within the EU but Microsoft Corporation (parent company) is located within the US.

Data may be transferred to the UK when using services powered by Azure Open AI.

 Sub-processors: Service Trust Portal (microsoft.com)

Technical and organisational secuirty measures: DPIA Azure for the GDPR – Microsoft GDPR | Microsoft Learn

Link Mobility AB

Inbound and outbound SMS delivery

Ireland/Germany/France/Netherlands (Service is hosted in Microsoft and AWS) EU-U.S. DPF (Microsoft and AWS) No direct data flow. Data centers are located within the EU but Microsoft Corporation and AWS Inc (parent companies) are located within the US. Sub-processors: LINK Mobility Legal

Technical and organizational security measures:  LINK Mobility Privacy

Sinch Sweden AB

Outgoing SMS

EU (Service is hosted in Microsoft and AWS) EU-U.S. DPF (Microsoft and AWS) No direct data flow. Data centers are located within the EU, but Microsoft Corporation and AWS Inc (parent companies) are located within the US. Sub-processors: Data Protection | Sub-Processors | Sinch | Enriching Engagement

Technical and organizational security measures:  Data Protection Agreement | Sinch | Enriching Engagement

Confluent Inc.

Data storage and processing platform

EU (Service is operated in Microsoft Azure) EU-U.S. DPF (Microsoft) No direct data flow. Data centers are located within the EU but Microsoft Corporation (parent company) is located within the US. Sub-processors: Confluent Cloud Subprocessors

Technical and organizational security measures: Confluent Cloud: Data Processing Addendum for Customers

Twilio Inc. (SendGrid)

E-mail message delivery service

US EU-U.S. DPF The US Sub-processors: Twilio Sub-Processors | Twilio Please note that only sub-processors for the service “SendGrid” applies.

Technical and organizational security measures:  data-protection-addendum (twilio.com)

Solarwinds Inc.(Loggly)

Log management and analytics service provider

US The SCCs The US Sub-processors: SubProcessorITOMSaaS09292021.pdf (solarwinds.com) Please note that only sub-processors for the service “Loggly” applies.

Technical and organizational security measures:  SolarWinds – Security Information

Zendesk

Customer support services

EU EU-U.S. DPF No direct data flow Sub-processors: Sub-processor Policy – Zendesk help

Technical and organisational: How We Protect Your Service Data (Enterprise Services) – Zendesk help

New Relic

Service monitoring, alerts and incident response

The US and EU EU-U.S. DPF The US Sub-processors: Not available online, please contact AM for more information.

Technical and organizational security measures:

  • Data minimization and data retention rules(15 days)
Atlassian

(Jira, OpsGenie)

Internal incident response and mitigation

The US EU-U.S. DPF The US Sub-processors: List of Data Subprocessors | Atlassian

Technical and organizational security measures:

  • Data minimization and data retention rules (6 months)
Additional Components and Third-party Services

The sub-processors below apply only if you use the applicable Component and/or Third-Party Service. Please check your Agreement or contact your AM to confirm which Component(s)/Third-party Services that applies for you.

Component/functionality  Sub-processor(s)  Data Center Location  Transfer tool  Possible third country data flow  Sub-processors and Links 
Webhooks Svix

 

USA and Ireland The SCCs for Svix, EU-U.S. DPF (AWS) The US AWS, Auth0 Inc. Google LLC, Slack Technologies Inc, Github Inc. Svix

Technical and organisational security measures: Not available online, please contact your AM for more information.

Data Enrichment, monitoring, search (onboarding) Dun & Bradstreet The SCCs The US Sub-processors:

DPA.pdf (dnb.co.uk)

Technical and organizational security measures:

DPA.pdf (dnb.co.uk)

Shopify integration Eastside Co,

AWS Europe / Amazon Web Services EMEA SARL, Laravel FORGE / Laravel LLC / Svix Inc

Eastside (UK), AWS (Ireland), Forge (International)

Svix (North Europe)

The SCCs and EU-U.S. DPF (AWS) The US AWS sub-processors: Amazon Web Services (AWS) Sub-processors

AWS technical and organizational security measures: Cloud Security – Amazon Web Services (AWS)

Onsite Messaging Public Cloud Group AB The EU N/A No direct data flow. Sub-processor only processes data within Voyado’s environments (AWS). Miracle Mill EOOD (Bulgaria)

 

Onsite Messaging AWS The EU EU-U.S. DPF No direct data flow. Data centers are located within the EU but AWS (parent company) is located within the US. AWS sub-processors: Amazon Web Services (AWS) Sub-processors

AWS technical and organizational security measures: Cloud Security – Amazon Web Services (AWS)

Onsite Messaging MongoDB The EU EU-U.S. DPF No direct data flow. Data centers are located within the EU but MongoDB (parent company) is located within the US. MongoDB sub-processors: MongoDB Subprocessors

MongoDB technical and organizational security measures: Technical and Organizational Security Measures

 

 

Version 2.3.1 October 2024.
This document may be subject to updates from time to time. 

Receive updates on sub-processor information

If you want to receive updates when we make changes or updates regarding our sub-processors you need to subscribe using the link below.