-
1.1
Eachthing ApS (“Eachthing”) uses certain subprocessors and content delivery networks to assist it in providing the Eachthing Services as described in the Master Subscription Agreement (“MSA”). Defined terms used herein shall have the same meaning as defined in the MSA.
-
1.2
What is a Subprocessor
A subprocessor is a third party data processor engaged by Eachthing, who has or potentially will have access to or process Service Data (which may contain Personal Data). Eachthing engages different types of subprocessors to perform various functions as explained in the tables below.
Use of Subprocessors Policy
Version: 1.00
Created: Aug 24, 2019, Last revised: Aug 24, 2019
1. Intro
2. Due Diligence
-
2.1
Eachthing undertakes to use a commercially reasonable selection process by which it evaluates the security, privacy and confidentiality practices of proposed subprocessors that will or may have access to or process Service Data.
3. Contractual Safeguards
-
3.1
Eachthing requires its subprocessors to satisfy equivalent obligations as those required from Eachthing (as a Data Processor) as set forth in Eachthing’s Data Processing Agreement (“DPA”), including but not limited to the requirements to:
- Process Personal Data in accordance with data controller’s (i.e. Subscriber’s) documented instructions (as communicated in writing to the relevant subprocessor by Eachthing);
- In connection with their subprocessing activities, use only personnel who are reliable and subject to a contractually binding obligation to observe data privacy and security, to the extent applicable, pursuant to applicable data protection laws;
- Provide regular training in security and data protection to personnel to whom they grant access to Personal Data;
- Implement and maintain appropriate technical and organizational measures (including measures consistent with those to which Eachthing is contractually committed to adhere to insofar as they are equally relevant to the subprocessor’s processing of Personal Data on Eachthing’s behalf) and provide an annual certification that evidences compliance with this obligation. In the absence of such certification Eachthing reserves the right to audit the subprocessor;
- Promptly inform Eachthing about any actual or potential security breach; and
- Cooperate with Eachthing in order to deal with requests from data controllers, data subjects or data protection authorities, as applicable.
This policy does not give Subscribers any additional rights or remedies and should not be construed as a binding agreement. The information herein is only provided to illustrate Eachthing’s engagement process for subprocessors as well as to provide the actual list of third party subprocessors and content delivery networks used by Eachthing as of the date of this policy (which Eachthing may use in the delivery and support of its Services).
If you are a Eachthing Subscriber and wish to enter into our DPA, please email us at privacy@eachthing.com.
4. Process to Engage New Subprocessors
-
4.1
For all Subscribers who have executed Eachthing’s standard DPA, Eachthing will provide notice via this policy of updates to the list of subprocessors that are utilized or which Eachthing proposes to utilize to deliver its Services. Eachthing undertakes to keep this list updated regularly to enable its Subscribers to stay informed of the scope of subprocessing associated with the Eachthing Services. Eachthing Subscribers may subscribe to receive notifications of updates to this policy by clicking “Follow updates” at the top of this policy.
Pursuant to the DPA, a Subscriber may object in writing to the processing of its Personal Data by a new subprocessor within thirty (30) days following the update of this policy and such objection shall describe Subscriber’s legitimate reason(s) for objection. If Subscriber does not object during such time period the new subprocessor(s) shall be deemed accepted.
If a Subscriber objects to the use of a new subprocessor pursuant to the process provided under the DPA, Eachthing shall have the right to cure the objection through one of the following options (to be selected at Eachthing’s sole discretion):
- Eachthing will cease to use the new subprocessor with regard to Personal Data;
- Eachthing will take the corrective steps requested by Subscriber in its objection (which remove Subscriber’s objection) and proceed to use the subprocessor to process Personal Data; or
- Eachthing may cease to provide or Subscriber may agree not to use (temporarily or permanently) the particular aspect of a Eachthing Service that would involve use of the subprocessor to process Personal Data.
Termination rights, as applicable and agreed, are set forth exclusively in the DPA.
The following is an up-to-date list (as of the last revised date in the top of this policy) of the names and locations of Eachthing subprocessors and content delivery networks:
5. Infrastructure Subprocessors – Service Data Storage
-
5.1
Eachthing owns or controls access to the infrastructure that Eachthing uses to host Service Data submitted to the Services, other than as set forth below. Currently, the Eachthing production systems for the Services are primarily located in co-location facilities in the United States and Europe. Subscriber accounts are established in one of these regions based on where the Subscriber is located; the Subscriber’s Service Data subsequently remains in that region unless agreed between Subscriber and Eachthing, but may be shifted among data centers within a region to ensure performance and availability of the Services. The following table describes the countries and legal entities engaged by Eachthing in the storage of Service Data.
Entity Name Entity Type Entity Region Entity Country Google, Inc. Cloud infrastructure (IaaS) Europe Belgium
6. Service Specific Subprocessors
-
6.1
Eachthing works with certain third parties to provide specific functionality within the Services. These providers are the Subprocessors set forth below. In order to provide the relevant functionality these Subprocessors access Service Data. Their use is limited to the indicated Services.
Entity Name Purpose Entity Region Entity Country Twilio, Inc. Eachthing uses Twilio, Inc for two-factor authentication of Users. The only information Twilio, Inc has access to for this purpose is User’s phone number. North America United States Stripe, Inc. Stripe is the Payment provider which is used to execute payments for our Subscripers. The only information Stripe, Inc has access to for this purpose is billing data such as creadit card information and other personal information the user has proviced for the billing purpose. North America United States
7. Content Delivery Networks
-
7.1
As explained above, Eachthing’s Services may use content delivery networks (“CDNs”) to provide the Services, for security purposes, and to optimize content delivery. CDNs do not have access to Service Data but are commonly used systems of distributed services that deliver content based on the geographic location of the individual accessing the content and the origin of the content provider. Website content served to website visitors and domain name information may be stored with a CDN to expedite transmission, and information transmitted across a CDN may be accessed by that CDN to enable its functions. The following describes use of CDNs by Eachthing’s Services.
CDN Provider Description of CDN Services CDN Location Google, Inc. Public website content served to website visitors may be stored with Google, Inc., and transmitted by Google, Inc., to website visitors, to expedite transmission. Global
8. Updating This Policy
-
8.1
This list is subject to change, so please check back frequently for updates. Eachthing Subscribers may subscribe to receive notifications of updates to this policy by clicking “Follow updates” at the top of this policy. Others can be updated by emailing us at support@eachthing.com with a request to subscribe.