New:System Graph 2.0Learn more

Legal

Subprocessors

Third-party service providers that process data on behalf of Zof AI.

Last updated: December 2024

Subprocessor Updates

We provide 30 days advance notice before engaging new subprocessors. Enterprise customers can subscribe to notifications and exercise objection rights as specified in our DPA.

Current Subprocessors

The following third parties may process personal data on our behalf to help deliver our services:

Amazon Web Services (AWS)

United States

SOC 2ISO 27001HIPAAPCI DSS
Purpose:

Cloud infrastructure and hosting

Data Processed:

All customer data for service delivery

Google Cloud Platform

United States / EU

SOC 2ISO 27001HIPAA
Purpose:

Cloud infrastructure (select regions)

Data Processed:

Customer data for EU data residency

Stripe

United States

SOC 2PCI DSS Level 1
Purpose:

Payment processing

Data Processed:

Billing information, payment methods

Snowflake

United States

SOC 2ISO 27001HIPAA
Purpose:

Data warehousing and analytics

Data Processed:

Aggregated usage analytics

Datadog

United States

SOC 2ISO 27001
Purpose:

Infrastructure monitoring

Data Processed:

System logs, performance metrics

PagerDuty

United States

SOC 2ISO 27001
Purpose:

Incident management

Data Processed:

Alert metadata

Intercom

United States

SOC 2
Purpose:

Customer support and messaging

Data Processed:

User contact information, support tickets

Segment

United States

SOC 2ISO 27001
Purpose:

Customer data platform

Data Processed:

Product usage analytics

SendGrid (Twilio)

United States

SOC 2ISO 27001
Purpose:

Email delivery

Data Processed:

Email addresses, notification content

Cloudflare

United States / Global

SOC 2ISO 27001PCI DSS
Purpose:

CDN, DDoS protection, DNS

Data Processed:

Traffic metadata, IP addresses

Auth0 (Okta)

United States

SOC 2ISO 27001HIPAA
Purpose:

Identity and authentication

Data Processed:

User credentials, authentication data

GitHub

United States

SOC 2
Purpose:

Source code integration

Data Processed:

Repository metadata (optional)

Data Transfer Mechanisms

For international data transfers, we rely on the following legal mechanisms:

  • Standard Contractual Clauses (SCCs): EU-approved data transfer clauses
  • EU-US Data Privacy Framework: For certified US companies
  • Binding Corporate Rules: Where applicable

Subprocessor Due Diligence

Before engaging any subprocessor, we conduct thorough security and privacy assessments:

  • Security certification verification (SOC 2, ISO 27001, etc.)
  • Data processing agreement review and execution
  • Privacy impact assessment where applicable
  • Regular ongoing monitoring and annual reviews

Notification Process

We notify customers of subprocessor changes through the following process:

  1. 1Update published to this page
  2. 2Email notification to subscribed customers
  3. 330-day notice period before new subprocessor engagement
  4. 4Objection handling process (Enterprise DPA customers)

Subscribe to Updates

To receive notifications about subprocessor changes, email privacy@zof.ai with subject "Subscribe to Subprocessor Updates" and include your organization name.

Questions

For questions about our subprocessors or data processing practices, contact our Data Protection Team at dpo@zof.ai.

Related Documents

Data Processing Addendum

DPA for GDPR compliance

Privacy Policy

How we handle data

Security

Our security practices