Your guide on how to nudge consumers toward more sustainable choices. Get started today! .
Voyado Engage

Transfer impact assessment guidance

We use sub-processors to deliver our service Voyado Engage. Such use may entail the transfer of personal data. This guidance document describes the relevant transfers and what legislation might apply.

Please subscribe here if you want to receive notifications whenever we update our legal documents.

Voyado Engage sub-processor information

Applicable sub-processors

Voyado uses the sub-processors below for Voyado Engage. For some of Engage’s Components and Third Party Services, additional sub-processor may apply, if so, these will be listed in the table “Components and Third-Party Services” below.

Third country data transfer

Voyado’s main processing of personal data takes place within the EU. For some sub-processors processing of personal data outside of the EU/EEA may occur. Please see information on applicable transfer and transfer tools below.

EU/UK/Swiss transfer to the US

For transfer to the US, Voyado’s sub-processors relies on either the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), see information below, or the Standard Contractual Clauses, (the “SCC”). The EU -US DPF shall be used as a first resort. Please see information in the table below for what applies for each sub-processor.

The EU-U.S. DPF, the UK Extension to the EU-U.S. Data Privacy Framework (UK Extension to the EU-U.S. DPF), and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) were respectively developed in furtherance of transatlantic commerce by the U.S. Department of Commerce and the European Commission, the UK Government, and the Swiss Federal Administration to provide U.S. organizations with reliable mechanisms for personal data transfers to the United States from the European Union / European Economic Area, the United Kingdom (and Gibraltar), and Switzerland while ensuring data protection that is consistent with EU, UK, and Swiss law.

The effective date of the EU-U.S. DPF Principles, including the Supplemental Principles and Annex I of the Principles is July 10, 2023, which is the date of entry into force of the European Commission’s adequacy decision for the EU-U.S. DPF. The adequacy decision enables the transfer of EU personal data to participating organizations consistent with EU law.

Transfer Impact Assessment

If you need additional information to perform a data transfer impact assessment, please contact your account manager for such.

Voyado Engage Standard sub-processors 

The sub-processors below apply for all customers using Voyado Engage regardless of which Components you use.

Sub-processor and use Data Center location Transfer tool Possible third country data flow  Sub-processors and links
Microsoft AB

Hosting of customer data 

Ireland EU-U.S. DPF No direct data flow. Data centers are located within the EU but Microsoft Corporation (parent company) is located within the US.

Data may be transferred to the UK when using services powered by Azure Open AI.

 Sub-processors: Service Trust Portal (microsoft.com)

Technical and organisational secuirty measures: DPIA Azure for the GDPR – Microsoft GDPR | Microsoft Learn

Link Mobility AB

Inbound and outbound SMS delivery

Ireland/Germany/France/Netherlands (Service is hosted in Microsoft and AWS) EU-U.S. DPF (Microsoft and AWS) No direct data flow. Data centers are located within the EU but Microsoft Corporation and AWS Inc (parent companies) are located within the US. Sub-processors: LINK Mobility Legal

Technical and organizational security measures:  LINK Mobility Privacy

Sinch Sweden AB

Outgoing SMS

EU (Service is hosted in Microsoft and AWS) EU-U.S. DPF (Microsoft and AWS) No direct data flow. Data centers are located within the EU, but Microsoft Corporation and AWS Inc (parent companies) are located within the US. Sub-processors: Data Protection | Sub-Processors | Sinch | Enriching Engagement

Technical and organizational security measures:  Data Protection Agreement | Sinch | Enriching Engagement

Confluent Inc.

Data storage and processing platform

EU (Service is operated in Microsoft Azure) EU-U.S. DPF (Microsoft) No direct data flow. Data centers are located within the EU but Microsoft Corporation (parent company) is located within the US. Sub-processors: Confluent Cloud Subprocessors

Technical and organizational security measures: Confluent Cloud: Data Processing Addendum for Customers

Twilio Inc. (SendGrid)

E-mail message delivery service

US EU-U.S. DPF The US Sub-processors: Twilio Sub-Processors | Twilio Please note that only sub-processors for the service “SendGrid” applies.

Technical and organizational security measures:  data-protection-addendum (twilio.com)

Solarwinds Inc.(Loggly)

Log management and analytics service provider

US The SCCs The US Sub-processors: SubProcessorITOMSaaS09292021.pdf (solarwinds.com) Please note that only sub-processors for the service “Loggly” applies.

Technical and organizational security measures:  SolarWinds – Security Information

Zendesk

Customer support services

EU EU-U.S. DPF No direct data flow Sub-processors: Sub-processor Policy – Zendesk help

Technical and organisational: How We Protect Your Service Data (Enterprise Services) – Zendesk help

New Relic

Service monitoring, alerts and incident response

The US and EU EU-U.S. DPF The US Sub-processors: Not available online, please contact AM for more information.

Technical and organizational security measures:

  • Data minimization and data retention rules(15 days)
Atlassian

(Jira, OpsGenie)

Internal incident response and mitigation

The US EU-U.S. DPF The US Sub-processors: List of Data Subprocessors | Atlassian

Technical and organizational security measures:

  • Data minimization and data retention rules (6 months)
Additional Components and Third-party suppliers

The sub-processors below apply only if you use the applicable Component and or Third-Party Service. Please check your license agreement or contact your AM to confirm which Components/Third-party Service that applies for you.

Component/functionality  Sub-processor(s)  Data Center Location  Transfer tool  Possible third country data flow  Sub-processors and Links 
Webhooks Svix

 

USA and Ireland The SCCs for Svix, EU-U.S. DPF (AWS) The US Sub-processors: AWS, Auth0 Inc. Google LLC, Slack Technologies Inc, Github Inc. Svix

Technical and organisational security measures: Not available online, please contact your AM for more information.

Data Enrichment, monitoring, search (onboarding) Dun & Bradstreet The SCCs The US Sub-processors:

DPA.pdf (dnb.co.uk)

Technical and organizational security measures:

DPA.pdf (dnb.co.uk)

Shopify integration Eastside Co,

AWS Europe / Amazon Web Services EMEA SARL, Laravel FORGE / Laravel LLC / Svix Inc

Eastside (UK), AWS (Ireland), Forge (International)

Svix (North Europe)

The SCCs and EU-U.S. DPF (AWS) The US AWS sub-processors: Amazon Web Services (AWS) Sub-processors

AWS technical and organizational security measures: Cloud Security – Amazon Web Services (AWS)

 

Version 2.1 September 2023.
This document may be subject to updates from time to time. 

Receive updates on sub-processor information

If you want to receive updates when we make changes or updates regarding our sub-processors you need to subscribe using the link below.