1. Ownership and Control of Your Service Data
To properly provide the services offered by SMARTFENSE, the only viable operational model is for SMARTFENSE to act as a data processor (under your instructions) when processing your information. For this reason, it is necessary that you or your organization entrust SMARTFENSE with the information you control, so that you can effectively use our services or request technical assistance for our products.
This includes information about your clients and your workforce (if you are a data controller) or data that you hold and use on behalf of another party for a specific purpose, such as a client to whom you provide services (if you are a data processor). Data may be stored on our servers when you use our services. All information entrusted to SMARTFENSE is collectively referred to as “Service Data.”
We acknowledge that you are the owner of your Service Data: we provide you full control over your Service Data by giving you the ability to (i) access your Service Data, (ii) share your Service Data through compatible third-party integrations, and (iii) request the export or deletion of your Service Data.
2. What is a Sub-processor?
A sub-processor is a sub-data processor (as defined under the GDPR) contracted by SMARTFENSE—including SMARTFENSE group entities—that has or may have access to, or process, Service Data (which may include Personal Data).
SMARTFENSE uses different types of sub-processors to perform various functions, as described in this policy.
3. Due Diligence
SMARTFENSE is committed to using a commercially reasonable selection process to evaluate the security, privacy, and confidentiality practices of proposed sub-processors that will or may have access to Service Data.
SMARTFENSE contractually requires its sub-processors to accept obligations equivalent to those required of SMARTFENSE (as Data Processor), as established in SMARTFENSE’s Data Processing Agreement (“DPA”). These obligations must include at minimum:
- Processing Personal Data only in accordance with the documented instructions of the Data Controller (the Subscriber), as communicated in writing to the sub-processor by SMARTFENSE;
- Using only reliable personnel, contractually bound to confidentiality and data security obligations, in accordance with applicable data protection laws;
- Providing periodic security and data protection training to personnel with access to Personal Data;
- Implementing and maintaining appropriate technical and organizational measures (including those to which SMARTFENSE is contractually committed, when relevant to the sub-processor’s processing activities), and providing annual certification demonstrating compliance. In the absence of such certification, SMARTFENSE reserves the right to audit the sub-processor;
- Immediately notifying SMARTFENSE of any actual or potential security breach;
- Cooperating with SMARTFENSE in responding to requests from data controllers, data subjects, or data protection authorities, as applicable.
This policy does not grant Subscribers any additional rights or remedies and should not be interpreted as a binding agreement. The information provided here is solely intended to describe SMARTFENSE’s sub-processor engagement process and to provide the current list of third-party sub-processors and content delivery networks used by SMARTFENSE (which SMARTFENSE may employ in delivering and supporting its Services).
If you are a SMARTFENSE Subscriber and wish to enter into our DPA, please contact us at privacy@smartfense.com.
4. Information Security Measures
Our sub-processors, when processing Service Data on behalf of the Subscriber in relation to Enterprise Services, will implement and maintain the following technical and organizational security measures:
- Physical Access Controls: reasonable measures, such as security personnel and protected facilities, to prevent unauthorized physical access to Service Data.
- System Access Controls: reasonable measures to prevent unauthorized use of Service Data, including password authentication, two-factor authentication, documented authorization procedures, documented change management processes, and multi-level access logging.
- Data Access Controls: measures ensuring Service Data is accessible only by authorized personnel, restricting direct database access, enforcing application-level access rights, and preventing unauthorized reading, copying, modification, or deletion during processing.
- Transmission Controls: measures ensuring that authorized recipients of transmitted Service Data are verifiable, and that Service Data cannot be read, copied, modified, or deleted without authorization during electronic transmission or transport.
- Input Controls: measures ensuring the ability to verify whether Service Data has been entered, modified, or deleted, and by whom; and that any transfer to external service providers occurs securely.
- Data Protection: measures ensuring Service Data is protected against accidental destruction or loss, including encrypted and secure backups; implementation of managed security programs designed to identify risks and mitigate common cyberattacks.
- Logical Separation: measures ensuring Service Data is logically separated from other parties’ data, enabling isolated processing.
5. Process for Engaging New Sub-processors
For all Subscribers who have executed SMARTFENSE’s standard DPA, SMARTFENSE will notify updates to the sub-processor list through this policy. SMARTFENSE is committed to maintaining this list regularly updated so that Subscribers remain informed of the scope of sub-processing associated with SMARTFENSE Services.
Under the DPA, a Subscriber may object in writing to the processing of its Personal Data by a new sub-processor within thirty (30) days after this policy is updated. The objection must include the Subscriber’s legitimate grounds. If no objection is received within this period, the new sub-processor is considered accepted.
If a Subscriber objects to a new sub-processor according to the process set out in the DPA, SMARTFENSE may resolve the objection through one of the following (at SMARTFENSE’s sole discretion):
- SMARTFENSE will cease using the new sub-processor with respect to Personal Data;
- SMARTFENSE will take corrective actions requested by the Subscriber (if these resolve the objection) and continue using the sub-processor;
- SMARTFENSE may cease providing—or the Subscriber may accept temporarily or permanently not to use—the specific Service feature requiring that sub-processor.
Termination rights, where applicable, are defined exclusively in the DPA.
6. Infrastructure Sub-processors: Storage and Processing of Service Data
SMARTFENSE’s production systems used to host Service Data are currently located in facilities in Europe and within the infrastructure sub-processors listed below. SMARTFENSE also uses additional services provided by these sub-processors to process Service Data as needed to deliver the Services.
Below is the updated list (as of this policy’s date) of SMARTFENSE sub-processors (including SMARTFENSE group members and third parties):
Sub-processor |
General Description |
Country |
Data Processed |
Purpose |
|---|---|---|---|---|
| Amazon, Inc. | Infrastructure service provider | EU (Ireland) eu-west-1 |
Customer-provided data: First Name, Last Name, Email, Employee ID, UPN, Language, Groups, Functional Areas, Hierarchical Levels, Phone, Profile Photo, Status, Role. Platform-generated data: |
Provide the infrastructure on which the platform runs. |
| Heroku | Platform-as-a-Service provider | EU (Ireland) eu-west-1 |
Customer-provided data: First Name, Last Name, Email, Employee ID, UPN, Language, Groups, Functional Areas, Hierarchical Levels, Phone, Profile Photo, Status, Role. Platform-generated data: |
Provide the software environment on which the platform operates. |
| Papertrail | Log management service | EU (Ireland) eu-west-1 | First Name, Last Name, Email, IP Address, Browser Information, Logging Data. | Provide tools to manage system logs. |
7. Service-specific Sub-processors
SMARTFENSE works with certain third parties to provide specific features within the Services. These providers are the sub-processors listed below. To provide the relevant functionality, they access Service Data. Their use is limited to the described Services.
For example, if a Subscriber purchases SMARTFENSE with the WhatsApp Support module, consent will be required to authorize sub-processors associated with Facebook Inc. (owner of WhatsApp).
Sub-processor |
General Description |
Country |
Data Processed |
Purpose |
|---|---|---|---|---|
| Email Server | Server used to send emails to users. |
Primary: https://www.hostgator.com (USA) Secondary: https://www.iplan.com.ar (Argentina) |
Send phishing and ransomware simulation emails, as well as other notifications if a custom mail server is not configured. | |
| Google corporate services | United States |
First Name Last Name Language Status |
Import and authenticate users. | |
| Microsoft Azure AD | Microsoft cloud active directory service | United States |
First Name Last Name Employee ID UPN Language Groups Status |
Import and authenticate users. |
| Auth0 | Identity management provider | AWS EU Region (Frankfurt primary, Dublin failover) |
First Name Last Name Status |
User authentication. |
| Keycloak | Open-source identity and access solution with SSO, federation, and MFA | United States |
Username Full Name First Name Last Name |
User authentication. |
| Okta | Cloud IAM provider offering SSO, MFA, and user management | United States |
Username Full Name First Name Last Name |
User authentication. |
| Slack | Unified communication tool (chat, calls, video meetings, collaboration) | United States | Send notifications to end users. | |
| Microsoft Teams | Identity management / communication platform | United States | Send notifications to end users. | |
| Vanta | Compliance and security automation platform (SOC 2, ISO 27001) | United States | Send campaign audit logs from SMARTFENSE to Vanta. | |
| SAP SuccessFactors | Cloud talent management suite (HR, development, compensation, analytics) | United States | Send campaign audit logs from SMARTFENSE to SAP SuccessFactors. |