Accept Mission sub-processors

Accept Mission uses certain sub-processors to assist in providing Accept Mission’s services. A sub-processor is a third-party data processor engaged by Accept Mission who agrees to receive personal data from Accept Mission intended for processing activities to be carried out (i) on behalf of Accept Mission Customers; (ii) in accordance with Customer instructions as communicated by Accept Mission; and (iii) in accordance with the terms of a written contract between Accept Mission and the sub-processor.

Accept Mission imposes data protection terms on each sub-processor regarding their security controls and applicable laws for the protection of personal data. Further information relating to sub-processor security measures can be found via the external links below.

Where the engagement of a sub-processor requires the cross-border transfer of personal data, Accept Mission has performed Transfer Impact Assessments for such data transfer.

Accept Mission maintains an up-to-date list of the names and locations of all sub-processors below.

Duration of processing: For each sub-processor below, processing of personal data will be for the duration that the Customer uses and continues to use Accept Mission and for the retention periods set out in the Customer’s agreement with Accept Mission.

Data Processing Agreements

We have in place written Data Processing Agreements (“DPA”) with all of our sub-processors. The DPA is a contract between a data controller and a data processor, and covers the items required under Art. 28 of the GDPR. This includes the roles and responsibilities of the parties when personal data is processed.

According to the General Data Protection Regulation (GDPR), contractual clauses ensuring appropriate data protection safeguards can be used as a ground for data transfers from the EU to third countries. This includes model contract clauses – so-called standard contractual clauses (“SCC”) – that have been “pre-approved” by the European Commission. All of our sub-processors outside the EU have SCC in place.

Third-Party Sub-processors

Accept Mission works with other third parties to provide specific functions or features within the Service. These providers will have access to relevant personal information (in both an identifiable and anonymous manner) in order to provide their relevant functions. The use of information is limited to those specific purposes.

Relevant for End-users

The following sub-processors are used to provide the Accept Mission Service and are part of the chain of processing of sensitive, personal and other data of end-users.

Microsoft Azure

Function: Server infrastructure

Personal data: End-user IP, End-user URL, End-user Referrer, End-user Browser, End-user Device, End-user Events, End-user Settings

Sensitive data: Customer Content

Other Data: Customer Subdomain, Customer Company Email, Customer Name, Customer Email, Customer Settings, Events

Vendor measures: Secure Infrastructure, Encryption at Rest, Encryption in Transit, Compliance and Certifications, Privacy

Certifications: List of all certifications

Additional measures: Accept Mission exclusively hosts its Service on Azure Cloud Infrastructure. By default, all our servers are hosted in West Europe, where data is encrypted at rest. Backups are also performed on Azure Cloud Infrastructure West EU.

Retention: Accept Mission does not automatically expire data on Accept Mission servers. The Customer has the option to delete Content and End-users individually and in bulk, as well as to delete all data on their Workspace (per GDPR compliance).

Entity: Microsoft

Data location: West EU

Legal basis: DPA (SCC)

SendGrid

Function: Email Infrastructure. Application emails are sent via SendGrid.

Personal data: End-user Email Addresses, End-user Names

Sensitive data: None

Other Data: Email Content

Vendor measures: Security Measures, GDPR

Certifications: SOC2 Type II

Additional measures: Accept Mission enforces full TLS 1.1 end-to-end encryption in transit for all emails.

Retention: SendGrid email providers retain email message activity (such as opens and clicks) for up to 90 days. Aggregated sending stats and suppression lists (bounces, unsubscribes) and spam reports are stored indefinitely.

Entity: Twilio Inc.

Data location: United States

Legal basis: DPA (SCC)

Sentry

Function: Real time error tracking, monitoring and logging for service improvement.

Personal data: End-user IP addresses

Sensitive data: None

Other Data: Browser Information, Device Information, URL

Vendor measures: PII Scrubbing, Security Measures

Certifications: SOC2 Type II, HIPAA

Additional measures: Data in Sentry is fully encrypted and scrubbed for personal data.

Retention: Sentry error tracking retains activity logs (such as errors and requests) for up to 90 days. Aggregated performance stats (errors, load times) are stored indefinitely.

Entity: Sentry Inc.

Data location: United States

Legal basis: DPA (SCC)

Google Analytics

Function: Anonymous visitor analytics for product improvement.

Sensitive data: None

Personal data: None

Other Data: Customer Subdomain, Customer Company Name, Browser Information, Device Information, Anonymized IP, Events, URL, Referrer

Vendor measures: Secure Infrastructure, Encryption at Rest, Encryption in Transit, Compliance and Certifications, Privacy

Certifications: ISO27001/17/18, SOC1/2/3, PCI DSS, HIPAA

Additional measures: While event, device and behavioral information is sent to Google Analytics, this data is not personally identifiable. IP addresses are anonymized by removing the last digits. Google data sharing is disabled and the Controller-Controller Data Protection terms are not applicable; Google does not use the data in other products or for building user profiles. For detailed information on how Accept Mission uses analytics data see the ToS or Privacy Policy.

Retention: Data from inactive contacts is deleted after 14 months.

Entity: Google Inc.

Data location: United States

Legal basis: DPA (SCC)

Relevant for Customers

The following sub-processors are only used in connection with data related directly to the Customer that signed up for an Accept Mission Workspace and not with end-users invited to the platform.

HubSpot

Function: CRM

Sensitive data: Names, Email Addresses

Personal data: Names, Email Addresses, Phone numbers, Job title

Other Data: Customer Company Name, Customer Subdomain, Customer Subscription

Vendor measures: Security

Certifications: SOC 2, SOC 3, ISO 127001

Retention: Accept Mission keeps records of CRM for up to 10 years for compliance reasons; this does not include personal data.

Entity: Hubspot Inc.

Data location: United States

Legal basis: DPA (SCC)

Stripe

Function: Payment and credit card processing

Sensitive data: Customer Credit Card Details

Personal data: Customer Contact Email, Customer Contact Name, Customer Contact IP, Customer Address

Other Data: Customer Company Name, Customer Subdomain, Customer Subscription

Vendor measures: Security Hub

Certifications: PCI Service Provider Level 1, PCI DSS

Additional measures: Accept Mission uses Stripe for services related to payment processing for our subscription and billing. The use of information is limited to that specific purpose. Stripe is PCI compliant and Accept Mission does not handle or store credit card information.

Retention: Accept Mission keeps records of billing data for up to 10 years for compliance reasons; this does not include personal data. Credit card data can be deleted by the Customer in the Accept Mission interface.

Entity: Stripe Inc.

Data location: United States

Legal basis: DPA (SCC)

Intercom

Function: User onboarding and support

Sensitive data: None

Personal data: Username, Email

Other Data: Customer Subdomain, Customer Company Name, Browser Information, Events

Vendor measures: Security

Certifications: SOC2 Type II, ISO 127001, CSA

Additional measures: Intercom is only loaded for the Workspace Owner and no personal data is sent to Intercom.

Retention: Data from inactive contacts is deleted after 6 months.

Entity: Intercom

Data location: United States

Legal basis: DPA (SCC)

Changes in Sub-processors

Our business needs may change from time to time. For example, we may deprecate a sub-processor to consolidate and minimize our use of sub-processors. Similarly, we may add a sub-processor if we believe that doing so will enhance our ability to deliver our Services. Before engaging a sub-processor, we perform due diligence, including a security and legal analysis. We do not engage a sub-processor unless our quality and security standards and the standard of the GDPR are met.

Changes in sub-processors are regulated by the DPA we have in place with you.