List of pre-approved sub-Processors
in SuperOffice CRM Online
This list is valid from October 17, 2024.
You can see the previous version here.
According to clause 3.7 in the Data Processing Agreement between Customer (Controller) and SuperOffice (Processor), SuperOffice shall maintain a list of pre-approved sub-processors (Sub-Contractors).
Content:
A. SuperOffice AS is the provider of SuperOffice CRM Online cloud service
B. Pre-approved Sub-processors
C. SuperOffice App Store Partners – Third Party Services
D. Integration to Identity Providers
A. SuperOffice AS is the provider of the CRM Online cloud service
| Company name | SuperOffice AS, Wergelandsveien 27, 0167 Oslo, Norway |
| SuperOffice Affiliates | Norway, Sweden, Denmark, The Netherlands, Germany, United Kingdom, Switzerland and Lithuania. Entities details are listed in the “CRM Online Terms of Service” available in SuperOffice Trust Center. |
| Description of Service |
SuperOffice CRM Online offers a broad set of CRM (Customer Relationship Management) functionality. The functionality includes a customer database as well as functions for i.e. marketing, sales and service processes. SuperOffice CRM Online is available as a cloud service hosted by SuperOffice AS |
| The Personal Data to be Processed concerns the following categories of Data Subjects (Persons): | As a Processor SuperOffice stores the complete CRM Online Database for the Controller. Data Subjects and categories of Personal Data registered in the Database is defined by the Controller. |
| Processing of data | Data entered by the Controller into the CRM Online service are processed by sub-processors listed in this document. |
| Sensitive personal Data (if relevant) | SuperOffice is not aware or notified if the Controller enters sensitive data into the CRM Online Database. Categories of Personal Data that requires special protection, must be protected by configurations and settings in the CRM Online Application by the Controller. |
| Additional information regarding Privacy and Security Governance | Penetration Test Reports (Pentest) is available on request to privacy@superoffice.com |
B. Pre-approved Sub-processors
The following sub-processors are pre-approved by SuperOffice AS (these are listed below):
- Visma IT & Communications AS
- Mailgun Technologies Inc.
- InfoBridge B.V.
- Microsoft Corporation
- Userflow Inc.
In addition, the use of Third Party Services (Applications) must be observed.
1. Visma IT & Communications AS
| Entity Company Name | Visma IT & Communications AS, Karenslyst Allé 56, 0277 Oslo, Norway |
| Company website | www.visma.com |
| Entity Country | Norway |
| Processing Country | Norway |
| Entity Type and description of Service | Hosting Provider. Hosting and operations of all servers, and infrastructure for SuperOffice CRM Online. Visma also stores the complete CRM database for the Controller. |
| The Personal Data to be Processed concerns the following categories of Data Subjects (Persons): | Personal Data entered into Controllers CRM Database. |
| Categories of Personal Data | Personal Data entered into Controllers CRM Database. |
| Sensitive personal Data (if relevant) | Personal Data entered into Controllers CRM Database |
| The Personal Data will be subject to the following Processing activities. | Storage of data in the CRM Database. Back up and restoring of data when requested. Monitoring and incident-related activities. Access control and logging. |
| Additional information regarding Privacy and Security Governance. | ISO Certificates for ISO9001 and ISO27001. Security audit Report ISAE3402 is available on request. |
2. Mailgun Technologies Inc.
| Entity Company Name | Mailgun Technologies Inc. 535 Mission St. San Francisco, CA94105, US |
| Company website | www.mailgun.com |
| Entity Country | US |
| Processing Country | Frankfurt, Germany in EU |
| Entity Type and description of Service | Email service provider. Mailgun is 1) sending mass emails generated from SuperOffice CRM and 2) receiving and sending replies related to service-tickets in SuperOffice Service. Emails are stored by Mailgun for max. 72 hours for resending purposes. Individual emails sent from the customer’s own email service (i.e. exchange, gmail) is not sent to Mailgun. |
| The Personal Data to be Processed concerns the following categories of Data Subjects (Persons): | Email recipients in e-marketing campaigns and customer service tickets. Senders and recipients of email messages. |
| Categories of Personal Data | The personal data processed includes name, email, IP address and personal data included in message content |
| Sensitive personal Data (if relevant) | None. |
| The Personal Data will be subject to the following Processing activities. |
Receipt of email addresses from SuperOffice Mailservice. Sending email messages to the selected emailadresses. Receiving and sending replies related to service-tickets in SuperOffice Service. |
| Additional information regarding Privacy and Security Governance. | Sub-processor agreement in place requiring adequate privacy and information security measures |
| Sinch (Mailgun) Trust Center | Access Security policies, certificates and audit reports. https://trust.sinch.com/ |
3. InfoBridge B.V.
| Entity Company Name |
InfoBridge B.V., Europalaan 24F, 5232 BC ‘s-Hertogenbosch, Netherlands InfoBridge B.V. is a 100% owned subsidiary of SuperOffice AS. |
| Company website | www.infobridge.com |
| Entity Country | The Netherlands |
| Processing Country | The Nederlands |
| Entity Type and description of Service | Calendar synchronization Service between SuperOffice CRM and various Calendaring Systems (Microsoft 365 and Google G-Suite). No personal data is stored in the InfoBridge Service itself, only in SuperOffice CRM Online and Microsoft 365 / Google G-Suite. |
| The Personal Data to be Processed concerns the following categories of Data Subjects (Persons): | Users of SuperOffice CRM Online. |
| Categories of Personal Data | Usernames, Calendar item data incl. basic company and person data fields. Unstructured text entered into the calendar item. |
| Sensitive personal Data (if relevant) | None. |
| The Personal Data will be subject to the following Processing activities. |
Calendar entries in the SuperOffice Calendar will be synchronized (inserted/updated/deleted) in the Microsoft 365/Google calendar. Calendar entries in the Microsoft 365/Google calendar will be synchronized (inserted/updated/deleted) in the SuperOffice Calendar. Invitations coming via email in MS365/Google will be inserted into the SuperOffice Calendar if accepted. |
| Additional information regarding Privacy and Security Governance. | Sub-processor agreement in place requiring adequate privacy and security measures |
4. Microsoft Corporation
| Entity Company Name | Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, US |
| Company website | www.microsoft.com |
| Entity Country | US |
| Processing Country | The Netherlands and Ireland |
| Entity Type and description of Service | Document Storage Provider. All documents stored in SuperOffice CRM Online is stored in a Microsoft Azure service. Documents are stored as separate files. No Personal Data (or any other metadata) is stored in connection with the document. The document itself may contain unstructured personal data. |
| The Personal Data to be Processed concerns the following categories of Data Subjects (Persons): | Potentially Personal Data contained in a document stored by the Controller. |
| Categories of Personal Data | Potentially Personal Data contained in documents. |
| Sensitive personal Data (if relevant) | Potentially Personal Data contained in documents. |
| The Personal Data will be subject to the following Processing activities. | Structured personal data is not stored in Azure, only the document itself. Documents may be containing unstructured personal data. Documents are stored, backed-up and restored when requested. |
| Additional information regarding Privacy and Security Governance. | https://www.microsoft.com/en-us/trustcenter/cloudservices/azure |
| Entity Type and description of Service | SuperOffice AI Services – 3 language analytics services:
1. Ticket categorization The services are licenced as separate addon services. |
| The Personal Data to be Processed concerns the following categories of Data Subjects (Persons): | Potentially Personal Data contained in service requests (tickets) and submitted to SuperOffice CRM Online. |
| Categories of Personal Data | Potentially Personal Data contained in service tickets. |
| Sensitive personal Data (if relevant) | Potentially Personal Data contained in service tickets. |
| The Personal Data will be subject to the following Processing activities. | The content of the service tickets will be sent to a set of Azure Sservices and processed to provide AI – based language services. |
| Additional information regarding Privacy and Security Governance. | Data Residency in Azure | Microsoft Azure https://azure.microsoft.com/en-us/global-infrastructure/data-residency/#overview |
5. Userflow Inc.
| Entity Company Name | Userflow Inc., 548 Market St. PMB 69598, San Fransisco, CA94194-5401, US |
| Company website | www.userflow.com |
| Entity Country | US |
| Processing Country | US |
| Entity Type and description of Service | User onboarding and activation software that works with SuperOffice CRM delivering in-product communication. Including tooltips, onboarding tours, resource centers with contextual help, and customer surveys. |
| The Personal Data to be Processed concerns the following categories of Data Subjects (Persons): | Licensed users of SuperOffice CRM Cloud. |
| Categories of Personal Data | The personal data processed includes: - User ID - Customer ID - Role and department - Page views and clicks in SuperOffice and Userflow (usage). Does not include any data-input. |
| Sensitive personal Data (if relevant) | None |
| The Personal Data will be subject to the following Processing activities. | Based on usage data and preferences, the user gets targeted and personalized communication. |
| Additional information regarding Privacy and Security Governance. | Sub-processor DPA in place requiring adequate privacy and information security measures. SOC 2 Type II certification. |
C. SuperOffice App Store Partners (Third Party Services)
The table below is a general description of Software Partners in the SuperOffice App Store. SuperOffice AS has signed sub-processor DPA’s with all Software Partners. In addition to this, a specific DPA has to be signed between Customer (Controller) and Software Partner (Processor).
| Entity Company Name | SuperOffice App Store partners |
| Company website | App Store partner website |
| Entity Country | App Store partner location |
| Processing Country | App Store partner processing localtion |
| Entity Type and description of Service | SuperOffice offers 3rd parties to integrate other solutions with the CRM Online service. Partners are using APIs available in the CRM Online Platform to build integrated standard Apps as well as customized solutions. These APIs provide access to customer data. SuperOffice certifies each individual App regarding security, privacy and proper technical and operational use of our API’s. Each partner sign a sub-processor Data Processing Agreement with SuperOffice. The integration is not activated until a formal Data Processing Agreement is signed between the Partner and the Customer and presented to SuperOffice. It is the Customer’s responsibility to sign a DPA directly with the Partner. |
| The Personal Data to be Processed concerns the following categories of Data Subjects (Persons): | Must be described in the DPA between Customer and Partner. |
| Categories of Personal Data | Must be described in the DPA between Customer and Partner. |
| Sensitive personal Data (if relevant) | Must be described in the DPA between Customer and Partner. |
| The Personal Data will be subject to the following Processing activities. | Must be described in the DPA between Customer and Partner. |
| Additional information regarding Privacy and Security Governance. | Must be described in the DPA between Customer and Partner. |
D. Integration to Identify Providers
SuperOffice offers technology that enables integration between SuperOffice and industry standard Identity providers like Google Identity and Microsoft Azure AD based on OpenID Connect. However it is the sole responsibility of the Customer to sign DPA’s and other relevant agreements with the providers of the Identity Provider.
| Company Names of Identity Providers | Microsoft Corporation Inc. and Google LLC |
| Entity Type and description of Service |
SuperOffice offers standard integration to Identity Services provided by the companies listed above. Additional standard integrations might be launched in the future. The Identity Providers handles following data:
|
| The Personal Data to be Processed concerns the following categories of Data Subjects (Persons): | Must be described in the DPA between Customer and Partner. |
| Categories of Personal Data | Must be described in the DPA between Customer and Partner. |
| Sensitive personal Data (if relevant) | Must be described in the DPA between Customer and Partner. |
| The Personal Data will be subject to the following Processing activities. | Must be described in the DPA between Customer and Partner. |
| Additional information regarding Privacy and Security Governance. | Must be described in the DPA between Customer and Partner. |