Staffbase Sub-Processors

21 November 2022

To support the delivery of the Staffbase Services, Staffbase uses Sub-Processors that may store and process personal data of Staffbase’s Customers. Prior to engaging a Sub-Processor, Staffbase carefully evaluates the privacy and data protection, security, and confidentiality practices of that Sub-Processor. Staffbase also enters into a data processing agreement and, if relevant, standard contractual clauses with Sub-Processors. This page provides important information about the identity, location, and role of our Sub-Processors. Terms used on this page but not defined have the same meanings as in our Terms of Service or, if applicable, in the signed Master Subscription Agreement between the parties (in either case, the “Governing Agreement”).

We wish to highlight that: (i) the Sub-Processors used in relation to the Staffbase Services, depends on what product(s) Customer has ordered; and (ii) Staffbase is a global company and our Staffbase Affiliates may process personal data in order to provide the Staffbase Services, including (technical) customer support.

Product Specific Sub-Processors

Employee App & Front Door Intranet
Employee Email
Communications Control

Employee App & Front Door Intranet

Service Provider	Processing Activities	Country and Address	Storage Location	Transfer Mechanism
Required Infrastructure and other Services
SysEleven GmbH	We are planning to fully deprecate the SysEleven services by the end of 2022. ISO 27001 certified data hosting.	Boxhagener Straße 80, 10245 Berlin, Germany	Germany	n/a
Microsoft Ireland Operations Ltd. (Azure)	Microsoft offers ISO 27001 certified data hosting and, if applicable, Microsoft Translator services. Availability of Microsoft Translator depends on the applicable product plan ordered by Customer.	South County Business Park, One Microsoft Court, Carmanhall and Leopardstown, Dublin, D18 DH6K, Ireland	EU Hosting
			Germany	n/a
			US Hosting
			USA (Virginia)	Model Clauses
Zendesk, Inc.	Zendesk provides a platform to manage customer support requests. In general, only Admin Users or other Authorized Users authorized by customer to access the Staffbase Studio may request support from Staffbase via the Zendesk platform. The personal data that may be processed by Zendesk in this regard are: name, email address, (company) phone number, content, and metadata of the support ticket and any other communication shared with Staffbase via the Zendesk support widget.	989 Market Street, San Francisco, CA 94103, USA	EU	Model Clauses
Google LLC (Firebase Cloud Messaging)	We use Google Firebase Cloud Messaging to send push notifications to the mobile application used by Authorized Users. Google Firebase only processes random Instance IDs to determine which devices to deliver the notification to. Each Instance ID is unique to a particular app and device and is required for sending the push notification. Google Firebase cannot link this Instance ID to Authorized Users. Authorized Users can control push notifications through the app settings.	1600 Amphitheatre Parkway, Mountain View, California 94043, USA	Global	Model Clauses
Email Services – DE Hosting
Mailjet SAS	ISO 27001 certified email service provider used to deliver emails to Authorized Users. Mailjet has access to the email addresses of Authorized Users and the content of the email itself.	13-13 bis, rue de l’Aubrac – 75012 Paris, France	EU	n/a
Email Services – US Hosting
Mailgun Technologies Inc.	ISO 27001 certified email service provider used to deliver emails to Authorized Users. Mailgun has access to the email addresses of Authorized Users and the content of the email itself.	San Antonio HQ. 112 E Pecan St. #1135. San Antonio, TX 78205.	USA	Model Clauses
Optional Services – the following services are optional or they are only offered to Customer as part of a specific product plan.
Amazon Web Services EMEA SARL (CloudFront)* * Used for Content Delivery Network (Media CDN)	The CloudFront services are being deprecated. The CloudFront CDN will be replaced by Cloudflare’s CDN. Amazon provides a Content Delivery Network (CDN) for international distribution of any media asset (pictures, video, files) selected for use with the Staffbase Service. Customer’s use of the CDN results in faster delivery of media files. Media files uploaded by Customer can contain personal data, such as names or images. * If the CDN service is turned off, Amazon Web Services EMEA SARL is not a Sub-Processor.	38 Avenue John F. Kennedy, L-1855, Luxembourg	Cloudfront caches media files globally depending on the location where the content is consumed by an end user.	Model Clauses
Cloudflare, Inc.	Cloudflare provides a Content Delivery Network (CDN) for international distribution of any media asset (pictures, video, files) selected for use with the Staffbase Service. Customer’s use of the CDN results in faster delivery of media files. Media files uploaded by Customer can contain personal data, such as names or images. * If the CDN service is turned off, Cloudflare is not a Sub-Processor.	101 Townsend St, San Francisco, USA	EU Hosting
			EU	Model Clauses
			US Hosting
			USA	Model Clauses

Employee Email

Service Provider	Processing Activities	Country and Address	Storage Location	Transfer Mechanism
Required Infrastructure and other Services
Amazon Web Services (EMEA SARL)	ISO 27001 certified data hosting. We use AWS for hosting services and to send: (i) email notifications to Employee Email Users; and (ii) employee emails to Email Recipients via Amazon Simple Email Service.	EU Hosting
		Amazon Web Services EMEA SARL 38 Avenue John F. Kennedy, L-1855, Luxembourg	Germany	n/a
		US Hosting
		Amazon Web Services, Inc. 410 Terry Avenue North, Seattle, WA 98109-5210, USA	USA	Model Clauses
Zendesk, Inc.	Zendesk provides a platform to manage customer support requests. In general, only Admin Users request support from Staffbase via the Zendesk platform. The personal data that may be processed by Zendesk in this regard is the Admin User’s name, email address, (company) phone number, content, and metadata of the support ticket.	989 Market Street, San Francisco, CA 94103, USA	EU	Model Clauses

Communications Control

Service Provider	Processing Activities	Country and Address	Storage Location	Transfer Mechanism
Microsoft Ireland Operations Ltd. (Azure)	Microsoft offers ISO 27001 certified data hosting and, when applicable, Microsoft Translator services.	South County Business Park, One Microsoft Court, Carmanhall and Leopardstown, Dublin, D18 DH6K, Ireland	EU (Netherlands & Ireland)	n/a
Intercom R&D Unlimited Company	Intercom provides a support platform to manage customer support requests and provide support guidance. Intercom will process contact details of the user requesting support, including full name and email address, content of support requests, and application telemetry data.	2nd Floor Stephen Court, 18-21 St. Stephen’s Green, Dublin, 2 Ireland	EU (Ireland)	n/a
The Rocket Science Group, LLC (Mailchimp)	ISO 27001 certified email service provider used to deliver emails to Authorized Users. Mailchimp has access to the first name, last name, and email addresses of Authorized Users and the content of the email itself.	675 Ponce de Leon Ave NE Suite, 5000 Atlanta, GA 30308 USA	USA (QTS & Sabey colocation data centers)	Model Clauses
Zendesk, Inc.	Staffbase will start using the Zendesk support platform related to Communications Control in the near future. Zendesk provides a platform to manage customer support requests. The personal data that may be processed by Zendesk in this regard is the requestor’s name, email address, (company) phone number, content, and metadata of the support ticket.	989 Market Street, San Francisco, CA 94103, USA	EU	Model Clauses

Staffbase Group

Depending on the geographic location of a Customer or their Admin Users, and the type of Staffbase Services provided, Staffbase may also engage one or more of the following Staffbase Affiliates as Sub-Processors when accessing Customer Data.

These Staffbase Affiliates are required to deliver (technical) support and similar services to a Customer. For example, our customer support team of Staffbase Inc. may need to provide support to a Customer that has entered into the Governing Agreement with Staffbase GmbH. Staffbase has an intragroup data processing agreement, including Model Clauses, to facilitate these transfers.

Staffbase Affiliate	Affiliate details	Transfer Mechanism
Staffbase GmbH	Germany – Registered in Germany with Company number HRB 29196	Intragroup DPA with Model Clauses
Staffbase B.V.	Netherlands – Registered in the Netherlands with Company number 75849895	Intragroup DPA with Model Clauses
Staffbase UK Ltd.	UK – Registered in England with Company number 11666265 UK’s adequacy status ensures that personal data can be transferred by Staffbase from the EU to the UK without requiring additional data protection safeguards.	Intragroup DPA with Model Clauses Adequacy Decision of 28 June 2021
Staffbase Inc.	USA – Incorporated in Delaware, US, with file number 6032180, with headquarters in New York, New York	Intragroup DPA with Model Clauses
Staffbase Canada Systems Inc. (formerly Bananatag Systems Inc.)	Canada – Incorporated in British Columbia, Canada, under incorporation number BC1303003 Canada’s adequacy status ensures that personal data can be transferred by Staffbase from the EU to Canada without requiring additional data protection safeguards.	Intragroup DPA with Model Clauses Adequacy Decision 2002/2/EC
247GRAD Labs GmbH (Dirico)	Germany – Registered in Germany with Company number HRB 23676	Intragroup DPA with Model Clauses
Dirico Software S.R.L.	Romania – Registered in Romania with Registry number J5/1829/2020	Intragroup DPA with Model Clauses
Valo Solutions Ltd	Finland – Registered in Finland under Business Identity Code 1732654-1	Intragroup DPA with Model Clauses
Valo Solutions Inc.	Canada – Registered in Canada under Company number: 1173209215 Canada’s adequacy status ensures that personal data can be transferred by Staffbase from the EU to Canada without requiring additional data protection safeguards.	Intragroup DPA with Model Clauses
Valo Solutions Pty Ltd	Australia – Registered in Australia under Company number ABN 19 633 416 190	Intragroup DPA with Model Clauses

Updates

The Sub-Processors we engage may change as our business continues to grow and evolve. We will endeavour to keep this page up to date. We will update our Customers of any new Sub-Processors in accordance with our Data Processing Agreement.

Update date	Description of changes
01 October 2020	We’ve added a new column specifying the legal mechanism for international data transfers and we have updated the storage location for the Microsoft Translator services.
18 May 2021	The updates reflect: a change in address of Zendesk Inc.; the current contracting entity of Amazon Web Services and Microsoft; our upcoming roll out of movingimage EVP GmbH; our recent merger with Bananatag Systems Inc.; our upcoming use of Mailgun as our email provider in relation to US Hosting.
17 August 2021	The updates reflect: the launch of our latest product Employee Email; and UK’s adequacy decision as legitimate transfer mechanism.
11 February 2022	The updates reflect: the deprecation of 1&1 IONOS; the upcoming deprecation of SysEleven GmbH; and the upcoming roll out of Microsoft Ireland Operations Ltd. as hosting provider for customers with DE Hosting.
15 July 2022	The updates reflect: the deprecation of Cloudfront as of 15 September 2022; the roll-out of Cloudflare as of 15 September 2022; changes the way we sell our various products. This new version shows the relevant Sub-Processors per Staffbase product; and the offering of Microsoft Translator services as part of a specific product package. Instead of offering Microsoft Translator as an optional service for all customers, it will only be part of a specific product plan; the recent addition of Dirico and Valo companies to the Staffbase Group.
21 November 2022	The updates reflect: the addition of Sub-Processors used in relation to the new Staffbase Service called ‘Communications Control’; and the deprecation of the video services provided by movingimage EVP GmbH. As a result we have removed this movingimage EVP GmbH from the Sub-Processor Page.