01 October 2020
To support the delivery of the Staffbase Services, Staffbase (Staffbase GmbH, Staffbase Inc. or one of its other Affiliates listed below) uses Sub-Processors that may store and process personal data of Staffbase’s Customers. Prior to engaging a Sub-Processor, Staffbase carefully evaluates the privacy and data protection, security, and confidentiality practices of that Sub-Processor. Staffbase also enters into a data processing agreement and, if relevant, standard contractual clauses with Sub-Processors. This page provides important information about the identity, location, and role of our Sub-Processors. Terms used on this page but not defined have the meaning set forth in our Terms of Service or, if applicable, in the signed Master Service Agreement between the parties (in either case, the"Governing Agreement").
List of Sub-Processors
Staffbase currently uses the following Sub-Processors to provide infrastructure services and to perform other service functions related to the Staffbase Service.
Service Provider | Country and Address | Processing Activities | Storage Location | Transfer Mechanism |
Infrastructure – DE Hosting | ||||
1&1 IONOS SE | Elgendorfer Str. 57, 56410 Montabaur, Germany | ISO 27001 certified data hosting. | Germany | |
SysEleven GmbH | Boxhagener Straße 80,10245, Germany | ISO 27001 certified data hosting. | Germany | |
Infrastructure – US Hosting | ||||
In addition to the above, we use the following Sub-Processor for Customers with US hosting | ||||
Microsoft Corporation (Azure) | One Microsoft WayRedmond, Washington 98052, USA | ISO 27001 certified data hosting. | USA | DPA with Model Clauses |
Other Staffbase Service functions | ||||
Mailjet SAS | 13-13 bis, rue de l’Aubrac – 75012 Paris, France | ISO 27001 certified email service provider used to deliver emails to Authorized Users. Mailjet has access to the email addresses of Authorized Users and the content of the email itself. | EU | |
Google Firebase Cloud Messaging | 1600 Amphitheatre Parkway, Mountain View, California 94043, USA | We use Google Firebase Cloud Messaging to send push notifications to the mobile application used by Authorized Users. Google Firebase only processes random Instance IDs to determine which devices to deliver the notification to. Each Instance ID is unique to a particular app and device and is required for sending the push notification. Google Firebase cannot link this Instance ID to Authorized Users. Authorized Users can control push notification through the app settings. | Global | DPA with Model Clauses |
Sub-Processors that only process personal data of Admin Users | ||||
Zendesk, Inc. | 1019 Market Street, San Francisco, CA 94103, USA | Zendesk provides a platform to manage customer support requests. In general, only Admin Users request support from Staffbase via the Zendesk platform. The personal data that may be processed by Zendesk in this regard is the Admin User’s name, email address and content of the support ticket. | EU | DPA with Model Clauses |
Optional Sub-Processors | ||||
Amazon CloudFront (AWS)* Used for Content Delivery Network (Media CDN) | 410 Terry Avenue North, Seattle, Washington 98109-5210, USA | Amazon provides a Content Delivery Network (CDN) for international distribution of any media asset (pictures, video, files) selected for use with the Staffbase Service. Customer’s use of the CDN results in faster delivery of media files. Media files uploaded by Customer can contain personal data, such as names or images. * If the CDN service is turned off for the end user, Amazon Web Services Inc. is not a Sub-Processor. | Global | DPA with Model Clauses |
Microsoft Corporation* Used for on-demand Machine Translation services (Microsoft Translator) | One Microsoft Way Redmond, Washington 98052, USA | ISO 27001 certified translation service. We use Microsoft Translator to provide on-demand translations. Microsoft may process personal data stored in the content of what is sent for translation. Microsoft immediately deletes this information and so no translations are written to permanent storage. There will be no record of the submitted content, or portion thereof, in any Microsoft data center. * If the translation service is turned off or not available for the end user, Microsoft Corporation is not a Sub-Processor. | EU for our Customers hosted in Germany USA for our Customers hosted in the USA | DPA with Model Clauses |
Staffbase Group
Depending on the geographic location of a Customer or their Admin Users, and the type of Staffbase Services provided, Staffbase may also engage one or more of the following Staffbase Affiliates as Sub-Processors when accessing Customer Data:
Staffbase Affiliate | Affiliate details | Transfer Mechanism |
Staffbase GmbH | Germany – registered in Germany with Company number HRB 29196 | |
Staffbase UK Ltd | UK – Registered in England with Company number 11666265 | DPA with Model Clauses |
Staffbase B.V. | Netherlands – Registered in the Netherlands with Company number 75849895 | |
Staffbase Inc. | USA – Incorporated in Delaware, US, with file number 6032180, with headquarters in New York, New York. | DPA with Model Clauses |
These Staffbase Affiliates are required to deliver (technical) support and similar services to a Customer. For example, our customer support team of Staffbase Inc. may need to provide support to a Customer that has entered into the Governing Agreement with Staffbase GmbH. Staffbase has an intragroup data processing agreement, including Model Clauses, to facilitate these transfers.
Updates
The Sub-Processors we engage may change as our business continues to grow and evolve. We will endeavour to keep this page up to date. We will update our Customers of any new Sub-Processors in accordance with our Data Processing Agreement.
Update date | Description of changes |
01 October 2020 | We’ve added a new column specifying the legal mechanism for international data transfers and we have updated the storage location for the Microsoft Translator services. |