
The sub-processors we may use

This page provides an overview of the sub-processors we may use, along with their purpose, certifications and location.

Updated over 4 months ago

Sub-processor

Description

Google Cloud
Address 1: Neue Mainzer Str. 32-36 Frankfurt, Germany
Address 2: Claude Debussylaan 34 1082 MD, Amsterdam, Netherlands

Link to website.

Purpose: Google Cloud is where the Zoios application runs its database instances and where files are stored.

Certification: They are SOC2 and ISO certified.

Flow: Files are both processed and stored.

Location: Our infrastructure runs in Europe, in the Frankfurt and Amsterdam zones.

Encryption: All communication is encrypted (data encrypted in transit). Data is encrypted at rest as per Google Cloud procedures.

Access: Internally, only developers have direct database access, and mostly for development environments. Access to our production instances is highly restricted. Only the tech team has access to this platform, and access is granted on a need-to-have basis.

Vercel
Address: Eschborner Landstraße 100, 60489 Frankfurt am Main, Germany.

Link to website.

Purpose: This is where Zoios runs its application code.

Certification: They are SOC2 and ISO certified.

Flow: No data is stored or retained here; data is only processed. All the instances are shut down whenever traffic ceases.

Location: The Zoios infrastructure runs in Europe, in the Frankfurt and Amsterdam zones. Vercel runs its infrastructure on AWS, which is SOC2 and ISO certified.

Encryption: All communication is encrypted (data encrypted in transit).

Access: Only the Zoios tech team has access to this platform.

Typeform
Address: Barcelona, Carrer de Bac de Roda, 163, Spain

Link to website.

Purpose: We use Typeform for managing our surveys.

Certification: Typeform is ISO27001 and ISO27701 as well as HIPAA type 1 and SOC-2 type II compliant.

Flow: We have a setup where no personally identifiable information is shared with Typeform; they only store the survey answers, which are anonymous.

Location: Barcelona, Carrer de Bac de Roda, 163, Spain

Encryption: All communication is encrypted (data encrypted in transit).

Access: Only the Zoios tech team has access to this platform.

Peaberry software
Address: New York, 244 5th Ave #2238, United States.

Link to website.

Purpose: This is the service we use to deliver all of our emails and SMS, which includes the emails we send as part of our surveys.

Certification: CIO is SOC-2 compliant and HIPAA compliant. The reports are available to customers. CIO is also covered under “EU-U.S. Data Privacy Framework”.

Flow: In Customer.io (“CIO”) we store basic user information such as email, company name and, when the user opts for SMS, phone number.

Location: All our data is stored and processed in their EU Data Center.

Encryption: All communication with Customer.io is encrypted in transit. The data is also encrypted at rest on Customer.io servers.
CIO uses 128-bit SSL encryption for all authenticated sessions. This means that data sent to the CIO API as well as data retrieved through the CIO management interface is protected.

Access: We enforce 2FA for all of our accounts and CIO requires it for all customers that are not using SSO.

GitHub
Address: 88 Colin P Kelly Jr Street San Francisco, CA 94107 United States

Link to website.

Purpose: GitHub is our code version control software of choice.

Certification: Covered under “EU-U.S. Data Privacy Framework”, SOC-1 and SOC-2 compliant.

Flow: No personal data is stored or processed here.

Location: 88 Colin P Kelly Jr Street San Francisco, CA 94107 United States

Encryption: All communication is encrypted (data encrypted in transit). Data is always encrypted at rest.

Access: The Zoios platform code is private and only the developers and founders have direct access to it. Furthermore, we require 2FA for all users in our organization using GitHub.

Controls: Our development process relies on a few heuristics to boost security and code quality. Namely:
i) It is not possible to push code to production without a pull request
ii) All pull requests need to be reviewed before merging into production
iii) All changes are tracked with a Linear ticket, and the related pull request is linked in the ticket to provide traceability.

Linear
Company address: 440 N Barranca Ave #4242 Covina, CA 91723, United States


Link to website.
Link to security docs.

Purpose: Linear is our change management system of choice. Here we track all of our changes, projects and roadmaps. All changes to the platform start with a Linear issue describing the change and linking it to the GitHub pull request that executed the change. That allows us to trace back any change that has happened.

Certification: Linear is SOC-2 certified.

Flow: No personal data (i.e. PI) is stored in Linear.

Encryption: Data is always encrypted at rest and in transit.

Access: Only the Zoios tech team has access to this platform. 2FA and SSO are enforced for all employees with access to the platform.

Sentry
Company address: 45 Fremont Street, 8th Floor, San Francisco, CA 94105.

Link to website.
Link to security info.

Purpose: We use Sentry for tracking errors and exceptions.

Certification: Covered under “EU-U.S. Data Privacy Framework”.

Flow: No PI data is retained here after use.

Location: 45 Fremont Street, 8th Floor, San Francisco, CA 94105.

Encryption: Data with Sentry is encrypted at rest and in transit. The communication is encrypted (data encrypted in transit).

Access: Access to Sentry is restricted to developers: currently only 2 individuals. 2FA and SSO are enforced for all employees with access to the platform.

Kombo
Kottbusser Damm 25-26
10967 Berlin
Germany

Link to website.
Link to security docs.

Purpose: We use Kombo for user provisioning from other platforms such as active directories, HRIS or ATS platforms.

Certification: Kombo is ISO-27001 and SOC-2 certified.

Flow: PI data is stored in Kombo whenever a company integrates an HRIS system directly with Zoios. The data is retained only while it is in active use. If the integration is ended, the data is removed immediately from Kombo.

Location: Lohmühlenstr. 65/66, 12435 Berlin, Germany.

Encryption: Data with Kombo is encrypted at rest and in transit. The communication is encrypted (data encrypted in transit).

Access: Access to Kombo is restricted to developers with direct responsibilities in the integration: currently only one individual. 2FA and SSO are enforced for all employees with access to the platform.

OpenAI, L.L.C.
Company Address: 3180 18th Street, San Francisco, CA 94110

Link to website.
Link to security docs.

Purpose: We use OpenAI to run analyses on the engagement data. Note that no PII data is shared with OpenAI.

Certification: OpenAI is SOC-2 and SOC-3 certified amongst a range of other data and security certificates.

Flow: No PII data is shared with OpenAI.

Location: 3180 18th Street, San Francisco, CA 94110

Encryption: Data is always encrypted at rest and in transit.

Access: Access to OpenAI is restricted to developers with direct responsibilities in the integration: currently only one individual. 2FA and SSO are enforced for all employees with access to the platform.
