Appfarm Policies
Appfarm Policies
  • Appfarm Policies
  • Service & Usage
    • Acceptable Use Policy
    • Backup Policy
    • ESIN Policy
    • Notice and Takedown Policy
  • Privacy
    • Data Processors
    • Privacy Policy
  • Security
    • Responsible Disclosure Policy
    • Platform Security & Compliance
    • Trust Center
  • Glossary
    • Product Glossary
  • Ethics
    • Code of Conduct
Powered by GitBook
  1. Privacy

Data Processors

Last updated 5 months ago

To support the delivery of our services, Appfarm AS may engage and use data processors with access to certain customer data (each, a "data processor"). This page provides vital information about each processor's identity, location, and role. Terms used on this page but not defined have the meaning outlined in the Software Service Agreement or superseding written agreements between the Customer and Appfarm.

Third-party data processors for the Appfarm Platform (the "Service") processing customer personal data

Appfarm and its affiliates engage the following third-party entities to assist in connection with the Service as specified below:

Entity Name
Service location
Registered address
Country of registration
Service
Task performed
GDPR compliance
Participant in Data Privacy Framework
Schrems II
Link to DPA
Type of data stored
Storage period

Report-URI Ltd.

Norway***

22 Shireburn Avenue

Clitheroe, Lancashire

United Kingdom, BB7 2PN

England and Wales

Report URI

Automated Content Security Policy anomaly reporting for platform users (Platform Security)

Not relevant (processing within EU/EEA)

IP address, URL of Appfarm solution, Browser information (User Agent string)

Deleted after 30 days

Functional Software, Inc.

USA

132 Hawthorne Street

San Francisco, CA 94107

USA

Sentry

Automated error reporting for platform users

YES

IP address, browser information (User Agent string), internal Appfarm identifier and crash logs. End-users

Deleted after 90 days

Mailgun Technologies, Inc.

EU/EAA

548 Market Street, Suite 43099

San Francisco, CA 94101

USA

Email

Email services

Not relevant (processing within EU/EEA)

Email address and other data used in email body

Deleted after 30 days

OnlineCity ApS

EU/EEA

Buchwaldsgade 50,

5000 Odense C

Denmark

Gateway API

SMS Services

Not relevant (processing within EU/EEA)

Phone number, internal Appfarm identifier

​Deleted after 30 days

MongoDB Limited

Belgium

3 Shelbourne Building, 3rd floor

Crampton Avenue

Ballsbridge

Dublin 4

Ireland

MongoDB Cloud

Database services

Not relevant (processing within EU/EEA)

Given name, surname, email address, company name, all data stored through Appfarm Create and the applications created on the platform

*

Amazon Web Services EMEA SARL

Sweden

38 avenue John F. Kennedy

L-1855 Luxembourg, R.C.S. Luxemburg: B186284

Luxembourg

Amazon Web Services

Cloud infrastructure for servers and databases. Email.

Not relevant (processing within EU/EEA)

IP-address and email address

*

Google Cloud EMEA Limited

Belgium

Gordon House

Barrow Street

Dublin 4

Ireland

Google Cloud Platform

Cloud infrastructure for servers and databases

Not relevant (processing within EU/EEA)

IP-address and email address

*

Twilio Ireland Limited

USA

3 Dublin Landings

North Wall Quay

Dublin 1

Ireland

Twilio Sendgrid

Email handling and email address validation

YES

Email address and other data used in email body

​****

Heap, Inc.

USA

225 Bush St. 2nd floor

San Francisco, CA 94104

USA

Heap

Product usage analytics

YES

Pageviews, user interactions, timing, IP address, browser details

**

* Customer data is continuously stored (and backed up) as long as the customer has an active Appfarm subscription. Customer data is stored up to 1 year after a subscription is canceled (if not otherwise instructed by the customer) to facilitate the customer's data transfer procedures.

** Data is stored in accordance with Appfarm’s privacy policy at .

*** Data is sent to the closest Cloudflare edge node to the user. For users in Norway, this is Oslo; in other countries, it is most likely the country of origin.

**** Most data is deleted automatically according to Twilio's within a maximum of 37 days. Twilio does retain some email event data in pseudonymized form (not including the message body content) for up to a year for security, fraud detection, anti-abuse, and network protection purposes.

Third-party data processors not connected to the Service

Company
Service location
Registered address
Country of registration
Service
Task performed
GDPR compliance
Participant in Data Privacy Framework
Schrems II
Link to DPA
Type of data stored
Storage period

Teamtailor AB

EU/EAA

Östgötagatan 16

116 21 Stockholm

Sweden

Teamtailor

Applicant tracking software (ATS)

Not relevant (processing within EU/EEA)

Name, phone number, CV, grades, references, messages, emails, reason for application response, interview notes

Up to 30 days

Docspring, Inc.

EU/EEA

2035 Sunset Lake Road, Suite B-2

Newark, Delaware 19702

USA

Docspring

PDF-generator API service

Not relevant (processing within EU/EEA)

Appfarm client specific PDF-data

Up to 7 days

Civilized Discourse Construction Kit, Inc.

EU/EEA

8 The Green Suite #8383, Dover, DE, 19901

USA

Discourse

Discussion forum platform

Not relevant (processing within EU/EEA)

Name, email address.

**

Notion Labs, Inc.

USA

548 Market St #74567

San Francisco

USA

Notion

Internal workspace and project management application

YES

Customer name, partner name, email address, given name, surname and phone number

**

Contractbook ApS

EU/EEA

Masnedøgade 22, st

2100 Copenhagen

Denmark

Contractbook

Contract management platform

Not relevant (processing within EU/EEA)

Given name, surname, company name, address, email address, location

**

EdInvent, Inc.

USA

800 West El Camino Real, Suite 180, Mountain View, CA 94040

USA

Accredible

Digital badge, certificate, and credential platform

NO

Name, email address.

As long as the certification remains valid, plus 1 year for renewal or verification purposes.

Induslynk Training Services Private Ltd.

India

8th Floor, Good Earth Business Bay Sector 58, Gurgaon 122098

India

Mercer Mettl

Online examination and proctoring platform

NO

Name, email address, date of birth, phone number, country of login, face image, image of valid ID, test results, webcam and screen recording during certification exams.

Up to 90 days

Google Cloud EMEA Limited

EU/EEA

Gordon House, Barrow Street, Dublin 4

Ireland

Google Workspace

Cloud computing, productivity and collaboration tools

Not relevant (processing within EU/EEA)

Given name and surname, company name, email address, phone number

**

HubSpot, Inc.

EU/EEA

25 First Street, 2nd Floor, Cambridge, MA 02141

USA

Hubspot

Sales, marketing, and customer relationship management activities

Not relevant (processing within EU/EEA)

Company name, given name, surname, email address, phone number, emails

**

Slack Technologies, Inc.

USA

500 Howard Street, San Francisco, California 94105

USA

Slack

Instant messaging services

YES

Given name and surname, company name, email address, phone number

Up to 90 days

Hotjar, Ltd.

EU/EEA

Dragonara Business Centre

5th Floor, Dragonara Road,

Paceville St Julian's STJ 3141

Malta

Hotjar

Website analytics

Not relevant (processing within EU/EEA)

IP address

Up to 1 year

Intercom R&D Unlimited Company

EU/EEA

Stephens Court, 18-21 Saint Stephen's Green, Dublin 2

Ireland

Intercom

Customer support management system

Not relevant (processing within EU/EEA)

Name and contact information, as well as any data or information provided by the customer during the management of a customer support incident

**

* Customer data is continuously stored (and backed up) as long as the customer has an active Appfarm subscription. Customer data is stored up to 1 year after a subscription is canceled (if not otherwise instructed by the Customer) to facilitate the Customer's data transfer procedures.


Updates

As our business grows and evolves, the data processors we engage may also change. We will endeavor to provide the owner of the Customer's account with notice of any new data processors to the extent required under the Agreement, along with posting such updates here. Please check back frequently for updates.

2023-11-13: Additional data processors

Appfarm has, as of today, added new data processors to the list. The new processors are:

  • Twilio, Inc.: an email handling and email address validation system, connected to the Service. Twilio is a participant in the Data Privacy Framework (DPF),

  • Zendesk, Inc.: a customer support system,

  • Hotjar Ltd.: an analytics tool used on Appfarm's website.

The following companies listed as data processors have, since the last update, become participants of the DPF:

  • Notion Labs, Inc.

2023-09-07: Update on the Data Privacy Framework

The following companies listed as data processors in a third country currently not listed in the Data Privacy Framework are:

  • Mailgun Technologies, Inc.

  • Notion Labs, Inc.

  • Docspring, Inc.

  • Civilized Discourse Construction Kit, Inc.

  • EdInvent, Inc.

Appfarm has engaged in dialog with the companies in question regarding their timeline to get registered on the list of the Data Privacy Framework.

2023-01-02: Removal of Atlassian, Inc. as data processors

‍Appfarm has discontinued use of Atlassian Inc. and their service Trello.

2022-12-13: Addition of new data processors

Appfarm has added new data processors in order to provide our existing and prospective customers, users, and partners with an improved and more comprehensive product offering:

  • Notion Labs, Inc. (with its service Notion): Internal communication tool, process management, and project management system.

  • Contractbook ApS (with its service Contractbook): Contract management platform

  • Webflow, Inc. (with its service Webflow): Website services

  • Civilized Discourse Construction Kit, Inc. (with its service Discourse): Community and forum platform used to organize engagement and processes

  • Docspring, Inc. (with its service Docspring): PDF template management and API service

  • Teamtailor AB (with its service Teamtailor): Applicant tracking system

None of these new data processors are directly connected to the Service but offer services Appfarm uses for auxiliary business activities, of which some customer data may be processed.

2022-11-29: Freshworks, Inc. has been removed as a data processor

Appfarm has, as of today, discontinued Freshworks, Inc. and its service Freshworks as a data processor.

2022-04-25: Added EdInvent, Inc. and Mettl Technologies, Inc. as new processors

Appfarm has, as of today, added EdInvent, Inc. and Mettl Technologies, Inc. as new data processors. Both vendors are used in relation to our certification program and are not connected to the Service.

2022-04-20: Added Hubspot as a data processor

2021-08-17: Added AWS as a data processor

Appfarm has, as of today, added Amazon Web Services (AWS) as a new data processor for the Service processing Customer personal data. The current use of AWS in the Service will be restricted to the use of the Amazon Simple Email Service (SES). Other AWS services may be used at a later time.

The reason for the change is that several Appfarm customers have, at times, experienced poor delivery times with the internal Appfarm email service, which, among others, is used for the delivery of PIN codes for user authentication purposes. The Appfarm engineering team has concluded that the current vendor and data processor (Mailgun Technologies) should be replaced with a more reliable service to secure the highest service quality of the Service.

All Appfarm customers have been notified of the change. In line with the Appfarm Data Processing Agreement (section 7.2), the new data processor will not take effect and become active in use in the Service until 30 days (September 17th, 2021) if not otherwise instructed by Appfarm customers.

2021-01-29: International Data Transfers

Although, in the light of European Court of Justice decision C-311/18 (Schrems-II), in which Privacy Shield as grounds for data transfers to third countries was invalidated, Appfarm is still ensuring that its third-party data processors are compliant with the GDPR framework, either by implementing Standard Contractual Clauses ensuring the same level of protection for its users or similar grounds accepted by the EDPB. This includes but is not limited to, already existing service providers and service providers in the future.

​​

​​

​​

​​

​​

​​

​​

​​

​​

​​

​​

​​

​​

​​

​​

​​

​​

​​

​​

​​

​​

Appfarm and its affiliates engage the following third-party entities to assist in delivering services to Appfarm customers but not connected to the Service. Hence, these third-party data processors do not process or store personal data related to Appfarm Customers’ use of the Service and the Service. These third-party data processors are used for auxiliary business activities such as customer relationship management, communication, project management, and other purposes where Appfarm has a legitimate interest to operate. For further information, please see .

​​

​​

​​

​​

​​

​​

​​

​​

​​

​​

​​

​​

​​

​​

​

​​

​​

​​

​​

​​

​​

​​

** Data is stored in accordance with .

Appfarm may also use other third-party service providers to process personal data from individuals, interacting with Appfarm outside the use of the Service if it is necessary to provide you with a contractual service (GDPR art. 6.1 b), if we are required by law, court orders or legal processes to disclose your personal data (GDPR art. 6.1 c), or it can be justified based on our legitimate interest in doing so (GDPR art. 6.1 f). Examples of this would be cloud-based email, accounting, and CRM systems. Please see for more information.

The EU–US Data Privacy Framework is a transatlantic data transfer framework between the United States and the European Union. The European Commission adopted its for the framework on July 10, 2023. The adequacy decision concludes that the United States ensures an adequate level of protection for personal data transferred from the EU to companies participating in the EU-U.S. Data Privacy Framework. With the adoption of the adequacy decision, European entities are able to transfer personal data to participating companies in the United States without having to put in place additional data protection safeguards. Although Appfarm has put in place necessary safeguards (e.g., standard contractual clauses) with all US-based data processors outlined above, this decision will apply to all US-based data processors participating in the framework as the US is now considered a under GDPR.

Appfarm has, as of today, added HubSpot, Inc. as a new data processor. Hubspot is used as a customer relationship management (CRM) system and is not connected to the Service. HubSpot offers , and all data is located in HubSpot’s product infrastructure hosted on Amazon Web Services (AWS) in Germany.

https://www.appfarm.io/privacy
retention schedule
Appfarm’s Privacy Policy
Appfarm’s Privacy Policy
Appfarm’s Privacy Policy
adequacy decision
secure third country
regional data hosting
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
​View​
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View
View