Subprocessor Agreement
Ethnio, Inc. (“Ethnio”) uses certain subprocessors, subcontractors, and content delivery networks to assist it in providing the Ethnio Services (“Services”) as described in the Ethnio Terms & Conditions. Defined terms used herein shall have the same meaning as defined in the Terms & Conditions.
What is a Subprocessor?
A subprocessor is a third party data processor engaged by Ethnio who has or potentially will have access to or process Service Data (which may contain Personal Data). Ethnio engages different types of subprocessors to perform various functions as explained below. Ethnio refers to third parties that do not have access to or process Service Data but who are otherwise used to provide the Services as “subcontractors” and not subprocessors.
Due Diligence:
Ethnio undertakes to use a commercially reasonable selection process by which it evaluates the security, privacy and confidentiality practices of proposed subprocessors that will or may have access to or process Service Data.
Contractual Safeguards:
Ethnio requires its subprocessors to satisfy equivalent obligations as those required from Ethnio (as a Data Processor) as set forth in Ethnio’s Data Processing Agreement (“DPA”), including but not limited to the requirements to:
- Provide regular training in security and data protection to personnel to whom they grant access to Personal Data;
- In connection with their subprocessing activities, use only personnel who are reliable and subject to a contractually binding obligation to observe data privacy and security, to the extent applicable, pursuant to applicable data protection laws;
- Implement and maintain appropriate technical and organizational measures (including measures consistent with those to which Ethnio is contractually committed to adhere insofar as they are equally relevant to the subprocessor’s processing of Personal Data on Ethnio’s behalf) and provide an annual certification that evidences compliance with this obligation. In the absence of such certification Ethnio reserves the right to audit the subprocessor;
- Promptly inform Ethnio about any actual or potential security breach;
- Process Personal Data in accordance with data controller’s (i.e. Subscriber’s) documented instructions (as communicated in writing to the relevant subprocessor by Ethnio);
- Cooperate with Ethnio in order to deal with requests from data controllers, data subjects or data protection authorities, as applicable.
This policy does not give Subscribers any additional rights or remedies and should not be construed as a binding agreement. The information herein is only provided to illustrate Ethnio’s engagement process for subprocessors as well as to provide the actual list of third party subprocessors, subcontractors and content delivery networks used by Ethnio as of the date of this policy (which Ethnio may use in the delivery and support of its Services).
Process to Engage New Subprocessors:
For all Subscribers who have executed Ethnio’s standard DPA, Ethnio will provide notice via this policy of updates to the list of subprocessors that are utilized or which Ethnio proposes to utilize to deliver its Services. Ethnio undertakes to keep this list updated regularly to enable its Subscribers to stay informed of the scope of subprocessing associated with the Ethnio Services.
Pursuant to the DPA, a Subscriber can object in writing to the processing of its Personal Data by a new subprocessor within thirty (30) days after updating of this policy and shall describe its legitimate reasons to object. If Subscriber does not object during such time period the new subprocessor(s) shall be deemed accepted.
If a Subscriber objects to the use of a subprocessor pursuant to the process provided under the DPA, Ethnio shall have the right to cure the objection through one of the following options (to be selected at Ethnio’s sole discretion):
(a) Ethnio will cease to use the subprocessor with regard to Personal Data;
(b) Ethnio will take the corrective steps requested by Subscriber in its objection (which remove Subscriber’s objection) and proceed to use the subprocessor to process Personal Data; or
(c) Ethnio may cease to provide or Subscriber may agree not to use (temporarily or permanently) the particular aspect of a Ethnio Service that would involve use of the subprocessor to process Personal Data.
Termination rights, as applicable and agreed, are set forth exclusively in the DPA. The following is an up-to-date list (as of the date of this policy) of the names and locations of Ethnio subprocessors, subcontractors and content delivery networks (including members of the Ethnio Group and third parties):
Infrastructure Subprocessors – Service Data Storage
Ethnio owns or controls access to the infrastructure that Ethnio uses to host Service Data submitted to the Services, other than as set forth below. Currently, the Ethnio production systems for the Services are located in co-location facilities in the United States and Europe. Subscriber accounts are established in one of these regions based on where the Subscriber is located; the Subscriber’s Service Data subsequently remains in that region unless agreed between Subscriber and Ethnio, but may be shifted among data centers within a region to ensure performance and availability of the Services. The following table describes the countries and legal entities engaged in the storage of Service Data by Ethnio.
| Entity Name | Entity Type | Applicable Services | Entity Country |
|---|---|---|---|
| Amazon Web Services, Inc. | Cloud Service Provider | Data center, SES | United States |
| MailGun, Inc. | Email Provider | Email Distributions | United States |
| Maxio | Subscription Billing SaaS | Credit Card Processing | United States |
Service Specific Subprocessors
Ethnio works with certain third parties to provide specific functionality within the Services. These providers are the Subprocessors set forth below. In order to provide the relevant functionality these Subprocessors access Service Data. Their use is limited to the indicated Services.
| Entity Name | Purpose | Applicable Services | Entity Country |
|---|---|---|---|
| Twilio, Inc. | Scheduling text reminders & calls | Scheduling & Responses | United States |
| FullContact, Inc. | Social data on responses | Responses | United States |
| Tremendous, Inc. | Pay Respondents | Incentives | United States |
| MaxMind, Inc. | GeoIP | Location Detection | United States |
| Google LLC | Calendar | Scheduling | United States |
| Microsoft Corporation | Outlook | Scheduling | United States |
| Zoom Video Communications, Inc | Meetings and webinars | Scheduling | United States |
Subcontractors
As explained above, Ethnio also uses certain “subcontractors” to assist in the operations necessary to provide the Ethnio Services as described in the Terms & Conditions. The following is a list (as of the date of this policy) of the names and locations of material third-party subcontractors. Subcontractors do not have access to Service Data.
| Entity Name | Purpose | Applicable Services | Entity Country |
|---|---|---|---|
| Zendesk, Inc. | Help tickets | Emailing Customers | United States |
| Intercom, Inc. | Chat & Help tickets | Notifications & emails | United States |
| Typography, Inc. | Fonts | Fonts | United States |