ZenGRC Subprocessors
Last Updated: August 1, 2023
To support the delivery of our Services, ZenGRC, Inc. (“ZenGRC”) (or one of its Affiliates listed below) uses services providers (each, a “Subprocessor”) that may store or process Customer Data which may contain personal data.
ZenGRC requires its subprocessors to satisfy equivalent obligations as those required from ZenGRC (as a Data Processor) as outlined in ZenGRC’s Data Processing Agreement (DPA), including but not limited to the requirements to:
- process personal data following data controller’s (i.e., Customer’s) documented instructions (as communicated in writing to the relevant subprocessor by ZenGRC);
- in connection with the subprocessing activities, use only personnel who are reliable and subject to a contractually binding obligation to observe data privacy and security, to the extent applicable, under applicable data protection laws;
- promptly inform ZenGRC about any security breach; and
- cooperate with ZenGRC to address requests from data controllers, data subjects, or data protection authorities, as applicable.
The following table describes the legal entities acting as a subprocessor for ZenGRC, the service that subprocessor relates to, the function that subprocessor performs on behalf of ZenGRC, the categories of personal data processed by that subprocessor on behalf of ZenGRC, the location of the processing, the adequacy mechanism utilized between that subprocessor and ZenGRC, and a link to the public DPA that subprocessor offers.
Third Party Risk Management is conducted annually on all subprocessors.
| Name | Service | Service Provided by Subprocessor | Category of PII Processed | Location of Processing | Adequacy Safeguards | Public DPA Link |
|---|---|---|---|---|---|---|
| Auth0 | ZenGRC Pro | Identity Authentication Provider | Contact information; technical identifiers | United States | Standard Contractual Clauses | Auth0 DPA (Public) |
| AWS | ZenGRC Pro ZenGRC | Cloud Service Provider | Contact information; technical identifiers | United States | Standard Contractual Clauses | AWS DPA (Public) |
| Census | ZenGRC Pro ZenGRC | Data Warehouse synchronization | Contact information; technical identifiers | United States | Standard Contractual Clauses | Census DPA (Public) |
| Datadog | ZenGRC Pro ZenGRC | Infrastructure and cloud application monitoring | Contact information; technical identifiers | United States | Standard Contractual Clauses | Datadog DPA (Public) |
| Elastic | ZenGRC Pro ZenGRC | Data alerting and reporting platform | Technical identifiers | United States | Standard Contractual Clauses | Elastic DPA (Public) |
| Fivetran | ZenGRC Pro | Data Warehouse transportation | Contact Information; technical identifiers | United States | Standard Contractual Clauses | Fivetran DPA (Public) |
| Gong.io | ZenGRC Pro ZenGRC | Business Intelligence | Contact Information; screen and voice recordings | United States | Standard Contractual Clauses | Gong.io DPA (Public) |
| Google Workspace | ZenGRC Pro ZenGRC | Business Productivity | Contact Information; technical identifiers | United States | Standard Contractual Clauses | Google Workspace DPA (Public) |
| Insided B.V. | ZenGRC Pro ZenGRC | Community infrastructure platform | Contact information; technical identifiers | United States | Standard Contractual Clauses | Insided B.V. DPA (Public) |
| Lightbeam.ai | ZenGRC Pro ZenGRC | Security and compliance automation | Contact information; technical identifiers; other personal information submitted by the user | United States | Standard Contractual Clauses | Not publicly available; email privacy@zengrc.com for inquiries regarding Lightbeam’s DPA. |
| Marketo | ZenGRC Pro ZenGRC | E-mail automation | Contact information | United States | Standard Contractual Clauses | Marketo DPA (Public) |
| Merge API, Inc. | ZenGRC Pro | API Integrations | Contact information; technical identifiers | United States | Standard Contractual Clauses | Merge API DPA (Public) |
| Momentive, Inc. (GetFeedback) | ZenGRC | Surveys | Contact information | United States | Standard Contractual Clauses | Momentive, Inc. DPA (Public) |
| Pendo.io | ZenGRC Pro | Platform usage analytics, communication | Contact information; technical identifiers | United States | Standard Contractual Clauses | Pendo.io DPA (Public) |
| Salesforce.com, Inc. | ZenGRC Pro ZenGRC | Customer relations management and customer service | Contact information; technical identifiers | United States | Standard Contractual Clauses | Salesforce.com, Inc. DPA (Public) |
| Segment.io, Inc. | ZenGRC Pro ZenGRC | Customer Data infrastructure platform | Contact information; technical identifiers | United States | Standard Contractual Clauses | Segment.io, Inc. DPA (Public) |
| Sisense, Inc. | ZenGRC Pro ZenGRC | Business Intelligence | Contact information; technical identifiers | United States | Standard Contractual Clauses | Sisense, Inc. DPA (Public) |
| Skilljar | ZenGRC Pro ZenGRC | Product Training | Contact information; technical identifiers | United States | Standard Contractual Clauses | Skilljar DPA (Public) |
| Slack Technologies | ZenGRC Pro ZenGRC Corporate | Collaboration and communications | Contact information; technical identifiers | United States | Standard Contractual Clauses | Slack Technologies DPA (Public) |
| Splunk | ZenGRC Pro | Data alerting and reporting platform | Contact information; technical identifiers | United States | Standard Contractual Clauses | Splunk DPA (Public) |
| Twillio | ZenGRC Pro ZenGRC | Customer communication facilitation | Contact information; technical identifiers | United States | Standard Contractual Clauses | Sendgrid DPA (Public) |