News: SuperOffice integrates marketing automation to CRM. Read more

List of pre-approved sub-Processors

in SuperOffice CRM Online

This list is valid from April 1, 2022.

You can see the previous version here.

According to clause 3.7 in the Data Processing Agreement between Customer (Controller) and SuperOffice (Processor), SuperOffice shall maintain a list of pre-approved sub-processors (Sub-Contractors).

Content: 

A. SuperOffice AS is the provider of SuperOffice CRM Online cloud service 
B. Pre-approved Sub-processors 
C. SuperOffice App Store Partners – Third Party Services
D. Integration to Identity Providers 

A. SuperOffice AS is the provider of the CRM Online cloud service

 Company name SuperOffice AS, Wergelandsveien 27, 0167 Oslo, Norway
 SuperOffice Affiliates Norway, Sweden, Denmark, The Netherlands, Germany, United Kingdom, Switzerland and Lithuania. Entities details are listed in the “CRM Online Terms of Service” available in SuperOffice Trust Center.
 Description of Service

SuperOffice CRM Online offers a broad set of CRM (Customer Relationship Management) functionalityThe functionality includes a customer database as well as functions for i.e. marketing, sales and service processes. 

SuperOffice CRM Online is available as a cloud service hosted by SuperOffice AS 

 The Personal Data to be Processed concerns the following categories of Data Subjects (Persons): As a Processor SuperOffice stores the complete CRM Online Database for the Controller. Data Subjects and categories of Personal Data registered in the Database is defined by the Controller.
 Processing of data Data entered by the Controller into the CRM Online service are processed by sub-processors listed in this document.
 Sensitive personal Data (if relevant) SuperOffice is not aware or notified if the Controller enters sensitive data into the CRM Online Database. Categories of Personal Data that requires special protection, must be protected by configurations and settings in the CRM Online Application by the Controller.
Additional information regarding Privacy and Security Governanc Security audit Report ISAE3000 is available on request. 

 

B. Pre-approved Sub-processors

The following sub-processors are pre-approved by SuperOffice AS (these are listed below):

  1. Visma IT & Communications AS
  2. Mailgun Technologies Inc.
  3. InfoBridge B.V.
  4. Microsoft Corporation

In addition, the use of Third Party Services (Applications) must be observed.

 

1. Visma IT & Communications AS

 Entity Company Name Visma IT & Communications AS, Karenslyst Allé 56, 0277 Oslo, Norway
Company website www.visma.com
Entity Country Norway
Processing Country Norway
Entity Type and description of Service Hosting Provider. Hosting and operations of all servers, and infrastructure for SuperOffice CRM Online. Visma also stores the complete CRM database for the Controller.
The Personal Data to be Processed concerns the following categories of Data Subjects (Persons): Personal Data entered into Controllers CRM Database.
Categories of Personal Data Personal Data entered into Controllers CRM Database.
Sensitive personal Data (if relevant) Personal Data entered into Controllers CRM Database
The Personal Data will be subject to the following Processing activities. Storage of data in the CRM Database. 
Back up and restoring of data when requested. 
Monitoring and incident-related activities. 
Access control and logging. 
Additional information regarding Privacy and Security Governance.  

ISO Certificates for ISO9001 and ISO27001 and ISO27018.

Security audit Report ISAE3402 is available on request.

 

2. Mailgun Technologies Inc.

 Entity Company Name Mailgun Technologies Inc. 535 Mission St. San Francisco, CA94105, US
Company website www.mailgun.com
Entity Country US
Processing Country Frankfurt, Germany in E 
Entity Type and description of Service Email service provider. Mailgun is 1) sending mass emails generated from SuperOffice CRM and 2) receiving and sending replies related to service-tickets in SuperOffice Service. Emails are stored by Mailgun for max. 72 hours for resending purposes.

Individual emails sent from the customer’s own email service (i.e. exchange, gmail) is not sent to Mailgun.
The Personal Data to be Processed concerns the following categories of Data Subjects (Persons): Email recipients in e-marketing campaigns and customer service tickets. Senders and recipients of email messages.
Categories of Personal Data The personal data processed includes name, email, IP address and personal data included in message content
Sensitive personal Data (if relevant) None.
The Personal Data will be subject to the following Processing activities.

Receipt of email addresses from SuperOffice Mailservice. Sending email messages to the selected emailadresses. Receiving and sending replies related to service-tickets in SuperOffice Service.
Storage in max 72 hours for the purpose of resending mails in fault situations. 

Additional information regarding Privacy and Security Governance. Sub-processor agreement in place requiring adequate privacy and information security measures 

 

3. InfoBridge  B.V.

 Entity Company Name

InfoBridge B.V., Europalaan 24F, 5232 BC ‘s-Hertogenbosch, Netherlands

InfoBridge B.V. is a 100% owned subsidiary of SuperOffice AS.

Company website www.infobridge.com
Entity Country The Netherlands
Processing Country The Nederlands
Entity Type and description of Service Calendar synchronization Service between SuperOffice CRM and various Calendaring Systems (Microsoft 365 and Google G-Suite). No personal data is stored in the InfoBridge Service itself, only in SuperOffice CRM Online and Microsoft  365 / Google G-Suite. 
The Personal Data to be Processed concerns the following categories of Data Subjects (Persons): Users of SuperOffice CRM Online.
Categories of Personal Data Usernames, Calendar item data incl. basic company and person data fields. Unstructured text entered into the calendar item.
Sensitive personal Data (if relevant) None.
The Personal Data will be subject to the following Processing activities.

Calendar entries in the SuperOffice Calendar will be synchronized (inserted/updated/deleted) in the Microsoft 365/Google calendar. 

Calendar entries in the Microsoft 365/Google calendar will be synchronized (inserted/updated/deleted) in the SuperOffice Calendar. 

Invitations coming via email in MS365/Google will be inserted into the SuperOffice Calendar if accepted. 

Additional information regarding Privacy and Security Governance. Sub-processor agreement in place requiring adequate privacy and security measures 

 

4. Microsoft Corporation

 Entity Company Name Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, US
Company website www.microsoft.com
Entity Country US
Processing Country The Netherlands and Ireland

 

Entity Type and description of Service Document Storage Provider. All documents stored in SuperOffice CRM Online is stored in a Microsoft Azure service.
Documents are stored as separate files. No Personal Data (or any other metadata) is stored in connection with the document. The document itself may contain unstructured personal data.
The Personal Data to be Processed concerns the following categories of Data Subjects (Persons): Potentially Personal Data contained in a document stored by the Controller.
Categories of Personal Data Potentially Personal Data contained in documents.
Sensitive personal Data (if relevant) Potentially Personal Data contained in documents.
The Personal Data will be subject to the following Processing activities. Structured personal data is not stored in Azure, only the document itself. Documents may be containing unstructured personal data. Documents are stored, backed-up and restored when requested.
Additional information regarding Privacy and Security Governance. https://www.microsoft.com/en-us/trustcenter/cloudservices/azure

 

Entity Type and description of Service SuperOffice AI Services – 3 language analytics services: 

1. Ticket categorization 
2. Language detection and translation 
3. Sentiment detection 

The services are licenced as separate addon services. 

The Personal Data to be Processed concerns the following categories of Data Subjects (Persons): Potentially Personal Data contained in service requests (tickets) and submitted to SuperOffice CRM Online.  
Categories of Personal Data Potentially Personal Data contained in service tickets.
Sensitive personal Data (if relevant) Potentially Personal Data contained in service tickets.
The Personal Data will be subject to the following Processing activities. The content of the service tickets will be sent to a set of Azure Sservices and processed to provide AI – based language services. 
Additional information regarding Privacy and Security Governance. Data Residency in Azure | Microsoft Azure https://azure.microsoft.com/en-us/global-infrastructure/data-residency/#overview 

 

C. SuperOffice App Store Partners (Third Party Services)

The table below is a general description of Software Partners in the SuperOffice App Store. SuperOffice AS has signed sub-processor DPA’s with all Software Partners. In addition to this, a specific DPA has to be signed between Customer (Controller) and Software Partner (Processor).

 Entity Company Name SuperOffice App Store partners
Company website App Store partner website
Entity Country App Store partner location
Processing Country App Store partner processing localtion
Entity Type and description of Service SuperOffice offers 3rd parties to integrate other solutions with the CRM Online service. Partners are using APIs available in the CRM Online Platform to build integrated standard Apps as well as customized solutions. These APIs provide access to customer data. SuperOffice certifies each individual App regarding security, privacy and proper technical and operational use of our API’s. Each partner sign a sub-processor Data Processing Agreement with SuperOffice. The integration is not activated until a formal Data Processing Agreement is signed between the Partner and the Customer and presented to SuperOffice. It is the Customer’s responsibility to sign a DPA directly with the Partner.
The Personal Data to be Processed concerns the following categories of Data Subjects (Persons): Must be described in the DPA between Customer and Partner.
Categories of Personal Data Must be described in the DPA between Customer and Partner.
Sensitive personal Data (if relevant) Must be described in the DPA between Customer and Partner.
The Personal Data will be subject to the following Processing activities. Must be described in the DPA between Customer and Partner.
Additional information regarding Privacy and Security Governance.  Must be described in the DPA between Customer and Partner.

 

D. Integration to Identify Providers

SuperOffice offers technology that enables integration between SuperOffice and industry standard Identity providers like Google Identity and Microsoft Azure AD based on OpenID Connect. However it is the sole responsibility of the Customer to sign DPA’s and other relevant agreements with the providers of the Identity Provider.

 Company Names of Identity Providers Microsoft Corporation Inc. and Google LLC 
Entity Type and description of Service 

SuperOffice offers standard integration to Identity Services provided by the companies listed above. Additional standard integrations might be launched in the future. 

The Identity Providers handles following data:  

  • Username and password (hash)
  • In addition, User Management will require additional organizational information related to Persons. It is the SCIM standard that enables this feature. SuperOffice supports the industry standard SCIM protocol.  
The Personal Data to be Processed concerns the following categories of Data Subjects (Persons):  Must be described in the DPA between Customer and Partner. 
Categories of Personal Data  Must be described in the DPA between Customer and Partner. 
Sensitive personal Data (if relevant)  Must be described in the DPA between Customer and Partner. 
The Personal Data will be subject to the following Processing activities.  Must be described in the DPA between Customer and Partner.
Additional information regarding Privacy and Security Governance.  Must be described in the DPA between Customer and Partner.