SoSafe – List of Sub-Processors
Effective April 17, 2025
SoSafe engages the following third-party entities (referred to as “sub-processors”) to process personal data on behalf of its customers. These sub-processors operate under contractual agreements with SoSafe, ensuring adherence to the commitments outlined in the SoSafe Data Processing Agreement.
To maintain compliance, SoSafe conducts annual reviews of its sub-processors and requires them to implement appropriate technical and organizational measures. These measures are designed to safeguard the processing of personal data in accordance with applicable data protection laws.
The list below details the sub-processors supporting SoSafe’s Awareness Building Services.
Sub-processor | Optional / Non-optional | Address | Purpose of Processing | Data Storage Location |
Amazon Web Services EMEA SARL (Amazon Web Services, Inc. as the contractual party of the EU standard contractual clauses) | Non-optional | 38 Avenue John F. Kennedy L-1855, Luxemburg Luxemburg | Hosting of all current and future components essential for the operational functionality of the SoSafe Platform, including API interfaces, data storage systems, analytical tools, hosting of (optional) AI chatbots and tooling, and communication capabilities. The following measures have been taken to protect the data: – Storage of and, to the extent made available by AWS to its customers for the respective service, processing of all Controller data in certified data centres in the EU. – Encryption of all Controller data using a master key generated by Processor, so that neither AWS nor any other third party can access customer data, either inside or outside the EU / EEA. – Conclusion of a data processing agreement as well as the conclusion of the EU standard contractual clauses ((EU) 2021/914, 4.6.2021, module 2 and 3), incl. numerous obligations of AWS on handling and transparency in case of potential authority requests. – Amazon Web Services, Inc., is an active participant in the EU-US Data Privacy Framework. – Data protection expert opinion on Processor’s use of AWS, which can be provided upon request. | EU |
Atlassian Pty Ltd. | Non-optional | Level 6, 341 George Street, Sydney, NSW 2000 Australia | Provision of support software (Customer Support Cloud Solution) for customer service (support form or email to support@sosafe.de). This provider is only relevant for the Controller if the Controller uses Processor’s customer support or interacts with Processor for other operational purposes related to his contracted Awareness Building Services. – ISO27001 certificate can be accessed here: https://www.atlassian.com/trust/compliance/resources/iso27001. – SOC 2 Type II certificate can be accessed here: https://www.atlassian.com/trust/compliance/resources/soc2. – More information: https://www.atlassian.com/trust and dataprotection@atlassian.com. The following measures have been taken to protect the data: – Storage and processing of all Controller data in data centers in EU (Ireland, Frankfurt) and, to the extent an EU-only solution is not available by Atlassian (according to Atlassian Statement), in Australia. – Encryption of all data with industry-standard encryption products during transfers as well as at rest. – Conclusion of a data processing agreement, as well as the conclusion of the EU standard contractual clauses ((EU) 2021/914, 4.6.2021, Modules 2 and 3). – Transfer Impact Assessment (TIA) conducted by Processor’s external Data Protection Officer. | EU and, to the extent an EU-only solution is not available by Atlassian, Australia. |
Planhat AB | Non-optional | Malmskillnadsgatan 13, 111 57 Stockholm Sweden | Provision of customer success management and account management services. This provider is only relevant for the Controller if the Controller uses Processor’s customer support or interacts with Processor for other operational purposes related to his contracted Awareness Building Services. – SOC 2 certificate can be requested here: compliance@planhat.com. – More information: https://www.planhat.com/security-statement/ The following measures have been taken to protect the data: – All data are processed and stored exclusively within the European Union (Ireland). Server hosting provider: Google Cloud EMEA Limited, ISO 27001 certified. – Encryption: — All data in transit is encrypted using Transport Layer Security (TLS / HTTPS). — Data at rest, provided by Planhat’s customers within the Planhat application is stored using industry-standard AES-256. – Conclusion of a data processing agreement. | EU |
Datadog Inc. | Non-optional | 620 8th Ave., 45th Fl., New York, NY 10018 USA | Provision of technical monitoring service for hybrid cloud applications provided on a SaaS-based data analytics platform. – ISO/IEC 27017:2015 can be downloaded from here: https://trust.datadoghq.com/?itemUid=1fed9faa-4a87-427c-9a95-96b4d6bf66b7&source=documents_card – SOC 2 Type I and II certificates can be requested here: security@datadoghq.com. – More information: https://trust.datadoghq.com/ . The following measures have been taken: – All data are processed and stored within the European Union. – Encryption: — Data at rest is encrypted with AES 256. — All data transmitted between Datadog and Datadog users is protected using Transport Layer Security (TLS) and HTTP Strict Transport Security (HSTS). If encrypted communication is interrupted, the Datadog application is inaccessible. – Conclusion of a data processing agreement as well as conclusion of the EU standard contractual clauses ((EU) 2021/914). – Datadog, Inc. is an active participant in the EU-US Data Privacy Framework. | EU |
(Optional) Kombo Technologies GmbH | Optional | Lohmühlenstraße 65, 12435 Berlin Germany | Integration of Controller Active Directory. This provider is only required to the extent the Controller requests Active Directory integration for automated uploading and regular updating of end-user data on the Processor platform. The following measures have been taken to protect the data: – All data are processed and stored exclusively within the European Union. Server hosting provider: Google Cloud EMEA Limited. – Kombo Technologies GmbH is ISO27001 certified. Access can be requested here: https://security.kombo.dev/?itemUid=1fed9faa-4a87-427c-9a95-96b4d6bf66b7&source=click/. More information about Technical and Organizational Security Measures of Kombo Technologies GmbH can be found at security.kombo.dev. – Encryption — All customer data is encrypted using symmetric AES-256 encryption at rest, including backup copies. — Data in transit: All outgoing traffic (to integration APIs) uses the highest TLS version available by the respective integration’s API (e.g., Google Workspace). All incoming traffic via the Kombo API is enforced to use TLS 1.3. Connections from Kombo’s application workloads to Kombo’s database also use TLS 1.3 with an AES-256 cipher. – Conclusion of a data processing agreement. | EU |
(Optional) OpenAI Ireland Ltd. (OpenAI OpCo, LLC as the contractual party of the DPA) | Optional | 1st Floor, The Liffey Trust Centre 117-126 Sheriff Street Upper Dublin 1, D01 YC43 Ireland | Providing interactive awareness and support and other AI-powered tooling, when selected by the Controller. – SOC 2 and SOC 3 certificates are available upon request: https://trust.openai.com/; – More information about OpenAI’s technical and organizational security measures is available at https://trust.openai.com/ (the “Trust Portal”). The following measures have been taken to protect the data: – Encryption: — OpenAI maintains industry best practices for encryption which in particular include: — Encryption of data at rest in production datastores using strong encryption algorithms; — Encryption of data in transit; — Full-disk encryption required on all corporate workstations. – Conclusion of a data processing agreement as well as conclusion of the EU standard contractual clauses. | EU, and, to the extent an EU-only solution is not available, the US. |
If you are contracting with an entity other than SoSafe SE, SoSafe SE will be a sub-processor as well.
Further details regarding privacy and security are available on the SoSafe Trust Center.