1. Ownership and Control of Your Service Data
To enable the provision of services offered by SMARTFENSE, we must act as a data processor (under your instructions) for processing your information. Therefore, you or your organization must trust SMARTFENSE with the information you control to effectively use our services or request technical assistance for our products. This includes information about your customers and employees (if you are a controller) or data that you hold and use on behalf of someone else for a specific purpose, such as a client you provide services to (if you are a processor). Data may be stored on our servers when you use our services. All information entrusted to SMARTFENSE is collectively referred to as “service data.” We acknowledge that you are the owner of your service data and provide you with full control over your service data by enabling you to (i) access your service data, (ii) share your service data through compatible third-party integrations, and (iii) request the export or deletion of your service data.
2. What is a Sub-processor?
A sub-processor is a data sub-processor (according to GDPR classification) hired by SMARTFENSE, including SMARTFENSE entities, that has or might have access to or process service data (which may contain personal data). SMARTFENSE uses different types of sub-processors to perform different functions, as outlined in this policy.
3. Due Diligence
SMARTFENSE is committed to using a commercially reasonable selection process to evaluate the security, privacy, and confidentiality practices of proposed sub-processors that will have or might have access to or process service data. SMARTFENSE contractually requires its sub-processors to accept obligations equivalent to those required of SMARTFENSE (as a data processor) as outlined in the SMARTFENSE Data Processing Agreement (“DPA”). These obligations minimally include:
- Processing personal data according to the documented instructions of the data controller (i.e., the Subscriber) (as communicated in writing to the respective sub-processor by SMARTFENSE);
- Using only reliable personnel subject to a binding contractual obligation to observe data privacy and security, as applicable, according to data protection laws;
- Providing regular security and data protection training to personnel granted access to personal data;
- Implementing and maintaining appropriate technical and organizational measures (including measures consistent with those to which SMARTFENSE is contractually committed, as relevant to the sub-processor’s processing of personal data on behalf of SMARTFENSE) and providing an annual certification demonstrating compliance. In the absence of such certification, SMARTFENSE reserves the right to audit the sub-processor;
- Immediately informing SMARTFENSE of any actual or potential security breaches; and
- Cooperating with SMARTFENSE to address requests from data controllers, data subjects, or data protection authorities, as applicable.
This policy does not grant Subscribers any additional rights or remedies and should not be construed as a binding agreement. The information in this document is provided to illustrate SMARTFENSE’s sub-processor engagement process and to provide the current list of third-party sub-processors and content delivery networks used by SMARTFENSE as of the date of this policy (which SMARTFENSE may use in providing and supporting its Services). If you are a SMARTFENSE Subscriber and wish to enter into our DPA, please email us at privacy@smartfense.com.
4. Information Security Measures
Our sub-processors, when processing service data on behalf of the Subscriber in connection with the business services, will implement and maintain the following technical and organizational security measures for processing such service data:
- Physical Access Controls: Our sub-processors will take reasonable measures, such as security personnel and protected buildings, to prevent unauthorized physical access to service data.
- System Access Controls: Our sub-processors will take reasonable measures to prevent unauthorized use of service data. These controls may vary based on the nature of the processing and can include password authentication and/or two-factor authentication, documented authorization processes, documented change management processes, and/or logging access at multiple levels.
- Data Access Controls: Our sub-processors will take reasonable measures to ensure that service data is accessible and manageable only by authorized personnel, direct database query access is restricted, and application access rights are established and enforced to ensure that individuals with access to service data only have access to the data they are privileged to access and that service data cannot be read, copied, modified, or deleted without authorization during processing. The provider will implement and maintain an access policy under which access to its system environment, data processing systems, and service data is restricted to authorized personnel only.
- Transmission Controls: Our sub-processors will take reasonable measures to ensure that it is possible to verify and establish to which entities service data is transferred via data transmission facilities so that service data cannot be read, copied, modified, or deleted without authorization during electronic transmission or transport.
- Entry Controls: Our sub-processors will take reasonable measures to ensure that it is possible to verify and establish whether service data has been entered into data processing systems, modified, or deleted and by whom; and any transfer of service data to an external service provider is made through a secure transmission.
- Data Protection: Our sub-processors will take reasonable measures to ensure that service data is protected against accidental destruction or loss. Our sub-processors will ensure that, when hosting, backups are completed regularly, securely, and encrypted, to ensure that service data is protected. Our sub-processors will implement and maintain a managed security program to identify risks and implement preventive technology and processes to mitigate common attacks.
- Logical Separation: Our sub-processors will logically separate service data from other parties’ data on their systems to ensure that service data can be processed separately.
5. Process for Engaging New Sub-processors
For all Subscribers who have executed the standard SMARTFENSE DPA, SMARTFENSE will notify updates to the list of sub-processors used or proposed to be used to deliver its Services through this policy. SMARTFENSE is committed to keeping this list updated regularly to enable its Subscribers to stay informed about the scope of sub-processing associated with SMARTFENSE’s Services. Under the DPA, a Subscriber may object in writing to the processing of their personal data by a new sub-processor within thirty (30) days of updating this policy, and such objection must describe the Subscriber’s legitimate grounds for objection. If the Subscriber does not object within this time frame, the new sub-processors will be deemed accepted. If a Subscriber objects to the use of a new sub-processor under the process provided in the DPA, SMARTFENSE has the right to address the objection through one of the following options (at SMARTFENSE’s sole discretion):
- SMARTFENSE will cease using the new sub-processor concerning personal data;
- SMARTFENSE will take the corrective actions requested by the Subscriber in their objection (which actions will be considered to resolve the Subscriber’s objection) and proceed to use the sub-processor to process personal data; or
- SMARTFENSE may cease providing or the Subscriber may agree not to use (temporarily or permanently) the particular aspect of a SMARTFENSE Service that would involve using the sub-processor to process personal data.
Termination rights, as applicable and agreed, are set forth exclusively in the DPA.
6. Infrastructure Sub-processors: Data Storage and Processing
Currently, SMARTFENSE’s production systems used to host service data for the Services are located in facilities in Europe and with the following infrastructure sub-processors. SMARTFENSE also uses additional services provided by these sub-processors to process service data as necessary to provide the Services. The following is an updated list (as of the date of this policy) of the names and locations of SMARTFENSE sub-processors (including SMARTFENSE members and third parties):
| Sub-processor | General Description | Country | Data Processed | Purpose |
|---|---|---|---|---|
| Amazon, inc. | Infrastructure service provider | EU (Ireland) eu-west-1 | Customer-provided data: Name, Last name, Email, Employee ID, UPN, Language, Groups, Functional Areas, Levels of Hierarchy, Phone, Profile Picture, Status, Role. Platform-generated data: Audit logs, metrics, and SMARTFENSE campaign results. | Provide the necessary infrastructure for the platform. |
| Heroku | Platform as a service provider | EU (Ireland) eu-west-1 | Customer-provided data: Name, Last name, Email, Employee ID, UPN, Language, Groups, Functional Areas, Levels of Hierarchy, Phone, Profile Picture, Status, Role. Platform-generated data: Audit logs, metrics, and SMARTFENSE campaign results. | Provide software environment for the platform. |
| Papertrail | Log manager | EU (Ireland) eu-west-1 | Customer-provided data: Name, Last name, Email, IP Address, Browser Information, Logging Information | Provide tools for managing system logs. |
7. Service-specific Sub-processors
SMARTFENSE works with certain third parties to provide specific functionalities within the Services. These providers are the sub-processors listed below. To provide the relevant functionality, these sub-processors access service data. Their use is limited to the indicated Services.
For example, if the Subscriber has acquired SMARTFENSE with the WhatsApp Support module, they must consent to include related companies to Facebook Inc. (owner of WhatsApp) among the authorized sub-processors for the service.
| Sub-processor | General Description | Country | Data Processed | Purpose |
|---|---|---|---|---|
| Email Server | Server used to send emails to users. Primary: https://www.hostgator.com located in the USA. Secondary: https://www.iplan.com.ar located in Argentina. | Send phishing and ransomware simulation emails. Can also send other notifications if no own email server is configured. | ||
| Corporate service from Google | Name, Last name, Email, Language, Status | Importar y autenticar usuarios | ||
| Microsoft Azure AD | Active Directory service in the Microsoft cloud | Name, Last name, Email, Employee ID, UPN, Language, Groups, Status | Importar y autenticar usuarios | |
| Auth0 | Identity manager | The primary location in which Auth0 will conduct its core processing of your customer data is chosen by the customer when they create an Auth0 tenant. For our UK and EU customers, this is almost always the AWS EU region, which is made up of a primary data center in Frankfurt (Germany) with failover to a second data center in Dublin (Republic of Ireland). | Name, Last name, Email, Status | Authenticate users |
If you have any questions or need further assistance, please contact us at privacy@smartfense.com.