11 February 2022
To support the delivery of the Staffbase Services, Staffbase uses Sub-Processors that may store and process personal data of Staffbase’s Customers. Prior to engaging a Sub-Processor, Staffbase carefully evaluates the privacy and data protection, security, and confidentiality practices of that Sub-Processor. Staffbase also enters into a data processing agreement and, if relevant, standard contractual clauses with Sub-Processors. This page provides important information about the identity, location, and role of our Sub-Processors. Terms used on this page but not defined have the same meanings as in our Terms of Service or, if applicable, in the signed Master Subscription Agreement between the parties (in either case, the “Governing Agreement”).
List of Sub-Processors
Staffbase currently uses the following Sub-Processors to provide required infrastructure services and to perform other – required or optional – service functions related to the Staffbase Service, as clarified below.
Required Infrastructure services
Service Provider | Country and Address | Processing Activities | Storage Location | Transfer Mechanism |
DE Hosting | ||||
SysEleven GmbH | Boxhagener Straße 80, 10245 Berlin, Germany | We will migrate away from SysEleven, starting 15 April 2022. Until SysEleven is fully deprecated, Personal Data may be hosted by both SysEleven and Microsoft Ireland Operations Ltd. SysEleven: ISO 27001 certified data hosting. | Germany | n/a |
Microsoft Ireland Operations Ltd. (Azure) | South County Business Park, One Microsoft Court, Carmanhall and Leopardstown, Dublin, D18 DH6K, Ireland | As of 15 April 2022, we will roll-out the hosting services of Microsoft Azure (EU). Microsoft Ireland Operations Ltd.: ISO 27001 certified data hosting. | Germany | n/a |
US Hosting – except for a limited set of plugins that are still hosted by SysEleven GmbH (see above), for Customers with US Hosting we use the hosting services of: | ||||
Microsoft Ireland Operations Ltd. (Azure) | South County Business Park, One Microsoft Court, Carmanhall and Leopardstown, Dublin, D18 DH6K, Ireland | ISO 27001 certified data hosting. | USA (Virginia) | Model Clauses |
Required Staffbase Services
Service Provider | Country and Address | Processing Activities | Storage Location | Transfer Mechanism |
Zendesk, Inc. | 989 Market Street, San Francisco, CA 94103, USA | Zendesk provides a platform to manage customer support requests. In general, only Admin Users request support from Staffbase via the Zendesk platform. The personal data that may be processed by Zendesk in this regard is the Admin User’s name, email address, (company) phone number and content of the support ticket. | EU | Model Clauses |
Google LLC (Firebase Cloud Messaging) | 1600 Amphitheatre Parkway, Mountain View, California 94043, USA | We use Google Firebase Cloud Messaging to send push notifications to the mobile application used by Authorized Users. Google Firebase only processes random Instance IDs to determine which devices to deliver the notification to. Each Instance ID is unique to a particular app and device and is required for sending the push notification. Google Firebase cannot link this Instance ID to Authorized Users. Authorized Users can control push notifications through the app settings. | Global | Model Clauses |
DE Hosting – in addition to the above, for Customers with DE Hosting we use the services of: | ||||
Mailjet SAS | 13-13 bis, rue de l’Aubrac – 75012 Paris, France | ISO 27001 certified email service provider used to deliver emails to Authorized Users. Mailjet has access to the email addresses of Authorized Users and the content of the email itself. | EU | n/a |
US Hosting – in addition to the above, for Customers with US Hosting we use the services of: | ||||
Mailgun Technologies Inc. | 112 E Pecan St. #1135 San Antonio, TX 78205, USA | ISO 27001 certified email service provider used to deliver emails to Authorized Users. Mailgun has access to the email addresses of Authorized Users and the content of the email itself. | USA | Model Clauses |
Optional services
The following services are optional or they are only offered to Customer as part of a specific product package. The following service providers will only process Personal Data when their services are activated for or ordered by Customer.
Service Provider | Country and Address | Processing Activities | Storage Location | Transfer Mechanism |
movingimage EVP GmbH | Tempelhofer Ufer 1, 10961 Berlin, Germany | The services of movingimage are only provided when separately agreed between Customer and Staffbase. We use movingimage for storing and managing video files that are uploaded by the Customer. By using movingimage’s services Staffbase is able to support more video formats and increase the quality of videos and the video uploading process. Movingimage may process personal data contained in videos, including titles and metadata. | EU | n/a |
Amazon Web Services EMEA SARL (CloudFront)* Used for Content Delivery Network (Media CDN) | 38 Avenue John F. Kennedy, L-1855, Luxembourg | Amazon provides a Content Delivery Network (CDN) for international distribution of any media asset (pictures, video, files) selected for use with the Staffbase Service. Customer’s use of the CDN results in faster delivery of media files. Media files uploaded by Customer can contain personal data, such as names or images. * If the CDN service is turned off, Amazon Web Services EMEA SARL is not a Sub-Processor. | Cloudfront caches media files globally depending on the location where the content is consumed by an end user. | Model Clauses |
Microsoft Ireland Operations Ltd.* Used for on-demand Machine Translation services (Microsoft Translator) | South County Business Park, One Microsoft Court, Carmanhall and Leopardstown, Dublin, D18 DH6K, Ireland | ISO 27001 certified translation service. We use Microsoft Translator to provide on-demand translations. Microsoft may process personal data stored in the content of what is sent for translation. Microsoft immediately deletes this information and so no translations are written to permanent storage. There will be no record of the submitted content, or portion thereof, in any Microsoft data center. * If the translation service is turned off, Microsoft Ireland Operations Ltd. is not a Sub-Processor. | EU for our Customers with DE Hosting USA for our Customers with US Hosting | For Customers with US Hosting: Model Clauses |
Staffbase Group
Depending on the geographic location of a Customer or their Admin Users, and the type of Staffbase Services provided, Staffbase may also engage one or more of the following Staffbase Affiliates as Sub-Processors when accessing Customer Data.
Staffbase Affiliate | Affiliate details | Transfer Mechanism |
Staffbase GmbH | Germany – Registered in Germany with Company number HRB 29196 | Intragroup DPA with Model Clauses |
Staffbase B.V. | Netherlands – Registered in the Netherlands with Company number 75849895 | Intragroup DPA with Model Clauses |
Staffbase UK Ltd. | UK – Registered in England with Company number 11666265 UK’s adequacy status ensures that personal data can be transferred by Staffbase from the EU to the UK without requiring additional data protection safeguards. | Intragroup DPA with Model Clauses Adequacy Decision of 28 June 2021 |
Staffbase Inc. | USA – Incorporated in Delaware, US, with file number 6032180, with headquarters in New York, New York | Intragroup DPA with Model Clauses |
Staffbase Canada Systems Inc. (formerly Bananatag Systems Inc.) | Canada – Incorporated in British Columbia, Canada, under incorporation number BC1303003 Canada’s adequacy status ensures that personal data can be transferred by Staffbase from the EU to Canada without requiring additional data protection safeguards. | Intragroup DPA with Model Clauses Adequacy Decision 2002/2/EC |
These Staffbase Affiliates are required to deliver (technical) support and similar services to a Customer. For example, our customer support team of Staffbase Inc. may need to provide support to a Customer that has entered into the Governing Agreement with Staffbase GmbH. Staffbase has an intragroup data processing agreement, including Model Clauses, to facilitate these transfers.
Product-Specific Sub-Processors
If Customer has purchased the Staffbase Service listed below, then the relevant Sub-Processors are used in relation to that specific Staffbase Service.
If Customer has only purchased the Staffbase Service listed below, then Staffbase only uses the relevant Sub-Processors listed below in addition to the Staffbase Affiliates listed above.
Service Provider | Country and Address | Processing Activities | Storage Location | Transfer Mechanism |
Staffbase Service: Employee Email | ||||
Amazon Web Services (EMEA SARL*) * For Customers with DE Hosting, we use the services of AWS EMEA SARL | 38 Avenue John F. Kennedy, L-1855, Luxembourg 410 Terry Avenue North, Seattle, WA 98109-5210, USA | ISO 27001 certified data hosting. We use AWS for hosting services and to send: (i) email notifications to Employee Email Users; and (ii) employee emails to Email Recipients via Amazon Simple Email Service. | Germany for our Customers with DE Hosting USA for Customers with US Hosting | For Customers with US Hosting: Model Clauses |
Zendesk, Inc. | 989 Market Street, San Francisco, CA 94103, USA | Zendesk provides a platform to manage customer support requests. Zendesk may process the name, email address, phone number of Admin Users only and the content of the support ticket. | EU | Model Clauses |
Updates
The Sub-Processors we engage may change as our business continues to grow and evolve. We will endeavour to keep this page up to date. We will update our Customers of any new Sub-Processors in accordance with our Data Processing Agreement.
Update date | Description of changes |
01 October 2020 | We’ve added a new column specifying the legal mechanism for international data transfers and we have updated the storage location for the Microsoft Translator services. |
18 May 2021 | The updates reflect:
|
17 August 2021 | The updates reflect:
|
11 February 2022 | The updates reflect:
|