Last Updated: August 1, 2023
To support the delivery of our Services, ZenGRC, Inc. (“ZenGRC”) (or one of its Affiliates listed below) uses services providers (each, a “Subprocessor”) that may store or process Customer Data which may contain personal data.
ZenGRC requires its subprocessors to satisfy equivalent obligations as those required from ZenGRC (as a Data Processor) as outlined in ZenGRC’s Data Processing Agreement (DPA), including but not limited to the requirements to:
- process personal data following data controller’s (i.e., Customer’s) documented instructions (as communicated in writing to the relevant subprocessor by ZenGRC);
- in connection with the subprocessing activities, use only personnel who are reliable and subject to a contractually binding obligation to observe data privacy and security, to the extent applicable, under applicable data protection laws;
- promptly inform ZenGRC about any security breach; and
- cooperate with ZenGRC to address requests from data controllers, data subjects, or data protection authorities, as applicable.
The following table describes the legal entities acting as a subprocessor for ZenGRC, the service that subprocessor relates to, the function that subprocessor performs on behalf of ZenGRC, the categories of personal data processed by that subprocessor on behalf of ZenGRC, the location of the processing, the adequacy mechanism utilized between that subprocessor and ZenGRC, and a link to the public DPA that subprocessor offers.
Third Party Risk Management is conducted annually on all subprocessors.
Name | Service | Service Provided by Subprocessor | Category of PII Processed | Location of Processing | Adequacy Safeguards | Public DPA Link |
---|---|---|---|---|---|---|
Auth0 |
|
Identity Authentication Provider | Contact information; technical identifiers. | United States | Standard Contractual Clauses | Auth0 DPA (Public) |
AWS |
|
Cloud Service Provider | Contact information; technical identifiers. | United States | Standard Contractual Clauses | AWS DPA (Public) |
Census |
|
Data warehouse synchronization | Contact information; technical identifiers. | United States | Standard Contractual Clauses | Census DPA (Public) |
Datadog |
|
Infrastructure and cloud application monitoring | Contact information; technical identifiers. | United States | Standard Contractual Clauses | Datadog DPA (Public) |
Elastic |
|
Data alerting and reporting platform | Technical identifiers | United States | Standard Contractual Clauses | Elastic DPA (Public) |
Fivetran |
|
Data warehouse transportation | Contact information; technical identifiers. | United States | Standard Contractual Clauses | Fivetran DPA (Public) |
Gong.io |
|
Business intelligence | Contact information; screen and voice recordings. | United States | Standard Contractual Clauses | Gong.io DPA (Public) |
Google Workspace |
|
Business Productivity | Contact information; technical identifiers. | United States | Standard Contractual Clauses | Google Workspace DPA (Public) |
Insided B.V. |
|
Community infrastructure platform | Contact information; technical identifiers. | United States | Standard Contractual Clauses | Insided B.V. DPA (Public) |
Lightbeam.ai |
|
Security and compliance automation | Contact information; technical identifiers; other personal information submitted by the user. | United States | Standard Contractual Clauses | Not publically available; e-mail [email protected] for inquiries regarding Lightbeam’s DPA. |
Marketo |
|
E-mail automation | Contact information | United States | Standard Contractual Clauses | Marketo DPA (Public) |
Merge API, Inc. |
|
API Integrations | Contact information, technical identifiers | United States | Standard Contractual Clauses | Merge API DPA (Public) |
Momentive, Inc. (GetFeedback) |
|
Surveys | Contact information | United States | Standard Contractual Clauses | Momentive, Inc. DPA (Public) |
Pendo.io |
|
Platform usage analytics, communication | Contact information; technical identifiers. | United States | Standard Contractual Clauses | Pendo.io DPA (Public) |
Salesforce.com, Inc. |
|
Customer relations management and customer service | Contact information; technical identifiers. | United States | Standard Contractual Clauses | Salesforce.com, Inc. DPA (Public) |
Segment.io, Inc. |
|
Customer data infrastructure platform | Contact information; technical identifiers. | United States | Standard Contractual Clauses | Segment.io, Inc. DPA (Public) |
Sisense, Inc. |
|
Business intelligence | Contact information; technical identifiers. | United States | Standard Contractual Clauses | Sisense, Inc. DPA (Public) |
Skilljar |
|
Product training | Contact information; technical identifiers. | United States | Standard Contractual Clauses | Skilljar DPA (Public) |
Slack Technologies |
|
Collaboration and Communications | Contact information; technical identifiers. | United States | Standard Contractual Clauses | Slack Technologies DPA (Public) |
Splunk |
|
Data alerting and reporting platform | Contact information; technical identifiers. | United States | Standard Contractual Clauses | Splunk DPA (Public) |
Twilio |
|
Customer communication facilitation | Contact information; technical identifiers. | United States | Standard Contractual Clauses | Sendgrid DPA (Public) |
ZenGRC Subsidiaries
Depending on the geographic location of a Customer or their authorized users, and the nature of the Services provided, ZenGRC may also engage our subsidiary to deliver some or all of the Services to a Customer.
Entity Name | Country |
---|---|
Reciprocity, d.o.o. | Slovenia |