Legal

Subprocessors

Third-party service providers that process data on behalf of Zof AI.

Last updated: December 2024

Subprocessor Updates

Zof AI will provide at least 30 days advance notice before engaging a new sub-processor, allowing customers time to review and raise objections if necessary.

Current Sub-Processors

The following sub-processors are currently engaged to help deliver Zof AI services.

Amazon Web Services (AWS)

United States

SOC 2ISO 27001HIPAAPCI DSS
Purpose:

Cloud infrastructure and hosting

Data Processed:

All customer data for service delivery

Google Cloud Platform

United States / EU

SOC 2ISO 27001HIPAA
Purpose:

Cloud infrastructure (select regions)

Data Processed:

Customer data for EU data residency

Stripe

United States

SOC 2PCI DSS Level 1
Purpose:

Payment processing

Data Processed:

Billing information, payment methods

Snowflake

United States

SOC 2ISO 27001HIPAA
Purpose:

Data warehousing and analytics

Data Processed:

Aggregated usage analytics

Datadog

United States

SOC 2ISO 27001
Purpose:

Infrastructure monitoring

Data Processed:

System logs, performance metrics

PagerDuty

United States

SOC 2ISO 27001
Purpose:

Incident management

Data Processed:

Alert metadata

Intercom

United States

SOC 2
Purpose:

Customer support and messaging

Data Processed:

User contact information, support tickets

Segment

United States

SOC 2ISO 27001
Purpose:

Customer data platform

Data Processed:

Product usage analytics

SendGrid (Twilio)

United States

SOC 2ISO 27001
Purpose:

Email delivery

Data Processed:

Email addresses, notification content

Cloudflare

United States / Global

SOC 2ISO 27001PCI DSS
Purpose:

CDN, DDoS protection, DNS

Data Processed:

Traffic metadata, IP addresses

Auth0 (Okta)

United States

SOC 2ISO 27001HIPAA
Purpose:

Identity and authentication

Data Processed:

User credentials, authentication data

GitHub

United States

SOC 2
Purpose:

Source code integration

Data Processed:

Repository metadata (optional)

Data Transfer Mechanisms

Data transfers to sub-processors outside the EEA are governed by the following mechanisms.

  • Standard Contractual Clauses (SCCs) EU-approved data transfer clauses
  • Data Privacy Framework (DPF) For certified US companies
  • Binding Corporate Rules (BCRs) Where applicable

Subprocessor Due Diligence

Before engaging any sub-processor, Zof AI conducts thorough due diligence.

  • Security certification verification (SOC 2, ISO 27001, etc.)
  • Data processing agreement review and execution
  • Privacy impact assessment where applicable
  • Ongoing monitoring of sub-processor security practices and compliance status.

Notification Process

We notify customers of changes to our sub-processor list through the following process.

  1. 1Updated sub-processor list published on this page.
  2. 2Email notification sent to subscribed contacts.
  3. 330-day notice period before the new sub-processor begins processing data.
  4. 4Objection mechanism available during the notice period.

Subscribe to Updates

Enter your email address to receive notifications when our sub-processor list is updated. privacy@zof.ai

Questions

For questions about our subprocessors or data processing practices, contact our Data Protection Team at dpo@zof.ai.

Related Documents

Data Processing Agreement

DPA for GDPR compliance

Privacy Policy

How we handle data

Security

Our security practices

Subprocessors | Zof AI