Effective: August 11, 2020

AppZen, Inc. (“AppZen”) uses certain Subprocessors (including AppZen affiliates and third parties, as listed below) when providing its cloud service under the AppZen Master Services Agreement made available at https://www.appzen.com/services-agreement/ (“MSA”). Defined terms used herein shall have the same meaning as defined in the MSA.

What is a Subprocessor?
A Subprocessor is a third party engaged by AppZen that has access to or processes Customer Data (which may contain Personal Data).
AppZen engages different Subprocessors to perform the various functions as explained below.

Due Diligence
AppZen performs a due diligence review on the data privacy and security posture of potential Subprocessors prior to engagement. Our activities are designed to ensure that processing of Customer Data is only performed by entities with sufficient ability to meet data protection obligations.

Contractual Safeguards
AppZen requires its Subprocessors to satisfy obligations equivalent to those required from AppZen (as a Data Processor) as set forth in AppZen’s Data Processing Agreement (“DPA”), including but not limited to the requirements to:
  • process Personal Data in accordance with data controller’s (i.e. Customer’s) documented instructions (as communicated in writing to the relevant Subprocessor by AppZen);
  • in connection with their subprocessing activities, use only personnel who are reliable and subject to a contractually binding obligation to observe data privacy and security measures, to the extent applicable, pursuant to applicable data protection laws;
  • provide regular training in security and data protection to personnel who have been granted access to Personal Data;
  • implement and maintain appropriate technical and organizational measures (including measures consistent with those to which AppZen is contractually committed to adhere insofar as they are equally relevant to the Subprocessor’s processing of Personal Data on AppZen’s behalf) and provide an annual certification that evidences compliance with this obligation. In the absence of such certification AppZen reserves the right to audit the Subprocessor;
  • promptly inform AppZen about any actual or potential security breach; and
  • cooperate with AppZen to deal with requests from data controllers, data subjects or data protection authorities, as applicable.

Infrastructure Subprocessor(s)
Customer Data is stored in either the US or Europe unless Customer and AppZen agree to move the location where Customer Data is stored. Processing may take place in different data centers within a region to ensure performance and availability of the cloud service, and outside the region for support purposes.
The following table describes the countries and legal entities engaged in the hosting of the cloud service and Customer Data.
Applicable services | Entity name | Entity country(ies) | Purpose
AppZen cloud service | Amazon Web Services, Inc. | United States or Europe | Host the cloud service and Customer Data

Subcontractors
The following is a list of the names and locations of material third-party subcontractors. These Subcontractors provide a component of the cloud service that is not developed by AppZen. In general they will not have access to Customer Data, but Customer Data flows through their systems.

Applicable services | Entity name | Entity country(ies) | Purpose
AppZen cloud service | Okta | US | Single sign on
AppZen Middleware | Jitterbit | US | Customized Integrations for On-premise or integration with Workday, Ariba, SAP B1, SAP ECC, Oracle Fusion. This subprocessor is not used with Concur / ChromeRiver / Oracle iExpense integrations.

AppZen Affiliates
AppZen may engage its affiliate(s) listed below as a Subprocessor as necessary to perform its obligations under the MSA.
Applicable services | Entity name | Entity country(ies) | Purpose
AppZen cloud service | AppZen Labs India Private Limited | India | Data research, engineering, support and data labeling