Sub-processors of customer data

Last updated: 10 April 2024

What is a sub-processor?

‘Customer data’ is personal data processed by Secure Code Warrior (acting as a processor) on behalf of the customer (acting as a controller) to provide our products and/or services.

A ‘sub-processor’ is a third-party (such as a contractor, service provider or vendor) further engaged by Secure Code Warrior to help us process customer data for the same purpose. We engage different types of sub-processors to perform various functions as explained in the table below.

Where we act as an independent controller

Where Secure Code Warrior acts as an independent controller, we process personal data on our own behalf and for our own business purposes (‘SCW data’) in compliance with applicable data protection law. For example, when we process user personal data in connection with feedback or feature requests, or when a user consents to our use of analytics cookies.

Third-parties engaged to process SCW data are not sub-processors, but we follow the same review process outlined below before engaging these service providers.

For more information about our data and privacy protective practices, please refer to our privacy policy.

Our vendor review process

Due diligence

We undertake to use a commercially reasonable selection process to evaluate the security, privacy and confidentiality practices of proposed sub-processors before they process customer data.

Contractual safeguards

We require sub-processors to satisfy obligations equivalent to those contained in our own customer agreements, including provisions to:

Process customer data in accordance with documented instructions
Provide regular security and data protection training to personnel who have access to customer data
Implement and maintain appropriate technical and organisational measures
Provide evidence of compliance with its security and data protection obligations (either in the form of annual certification or audits)
Promptly inform us of any actual or potential security incidents and/or personal data breaches
Cooperate with us in order to deal with requests from customers, data subjects or data protection authorities

International data transfers

Third-countries with an adequate level of data protection

We may freely transfer personal data to sub-processors and third-countries recognised under applicable data protection law as providing an adequate level of data protection (including U.S. Data Privacy Framework (DPF) registered participants).

Restricted transfers

Where information is transferred to a sub-processor or third country not recognised as providing an adequate or equivalent level of data protection (‘restricted transfer’), we ensure adequate transfer mechanisms and appropriate safeguards are in place to protect personal data (such as standard contractual clauses and ISO aligned technical and organisational measures).

Looking for more information about international transfers?

Please refer to our dedicated webpage regarding international transfers of personal data

Customer notification

We will update this page whenever we engage new sub-processors. Where we have an obligation to inform customers of updates to our sub-processor list in writing, we will also email our regular business contact and, where reasonable, the customer’s publicly disclosed privacy contact.

Unless otherwise agreed, the customer may object to the appointment of a new sub-processor within thirty (30) days of the update by emailing privacy@securecodearrior.com, along with the legitimate reason(s) for the objection.

Customer sub-processors

Sub-processor and hosting location	Purpose	Processing locations	Customer data processed	Privacy policy and contact details
Secure Code Warrior group entities (See Appendix A of our privacy policy).	• Australia • EU/EEA • United Kingdom • United States	Product support, maintenance and delivery	See our privacy policy for more information about our processing activities.	https://www.securecodewarrior.com/trust/privacy-policy privacy@securecodewarrior.com
Amazon Web Services (AWS)	• EU/EEA • United States	Cloud storage host for our website, platform and infrastructure, and email notification service provider	• Personal data collected by AWS • Email address • Name (first and last) • Device information (browser type, device identifier and IP address) • Location information (country/region and IP geo-location)	https://aws.amazon.com/privacy/ Amazon Web Services, Inc. Attn: AWS Legal410 Terry Avenue North Seattle WA 98109-5210, USA Amazon Web Services EMEA SARL 38 Avenue John F. Kennedy L-1855Luxembourg aws-EU-privacy@amazon.com
Datadog	• United States	Application log management, monitoring and alerting	• Email address • User ID • Device information (browser type, device identifier and IP address) • Location information (country/region and IP geo-location)	https://www.datadoghq.com/legal/privacy/ Datadog, Inc. 620 8th Avenue Floor 45 New York NY 10018, USA privacy@datadoghq.com
EverAfter	• EU/EEA • Israel • United States	Customer onboarding and ongoing success	• Email address • Name (first and last) • Device information (browser type, device identifier and IP address) •	https://www.everafter.ai/legal/privacy EverAfter AI Ltd. Yigal Alon 82 Tel Aviv Israel 6789124
MongoDB, Inc.	• EU/EEA • United States	Cloud database storage and management	• Email address • User ID • Device information (browser type, device identifier and IP address) • Location information (country/region and IP geo-location)	https://www.datadoghq.com/legal/privacy/ Attn: Legal Department MongoDB, Inc. 1633 Broadway 38th Floor New York NY 10019, USA privacy@mongodb.com
Salesforce	• Australia • EU/EEA • United Kingdom • United States	Customer platform usage Insights, metrics and visualisations	• Email address • Name (first and last) • Professional information (employer, team name, role, job title) • Assessment information (challenge stats/results)	https://www.salesforce.com/privacy/overview/ 415 Mission Street, 3rd Floor San Francisco, CA 94105, USA privacy@salesforce.com
Usersnap	• EU/EEA	Customer bug reports	• Email address • Device information (browser type, device identifier and IP address)	https://usersnap.com/privacy-policy Energiestrasse 1 A-4020 Linz Austria contact@usersnap.com
Zendesk	• United States	Customer support	• Email address • Name (first and last) • Device information (browser type, device identifier and IP address)	https://www.zendesk.co.uk/company/agreements-and-terms/privacy-notice Attn: Privacy Team 989 Market Street San Francisco, CA 94103, USA privacy@zendesk.com

‍

Appendix A - Secure Code Warrior Legal Entities

a. ENGLAND AND WALES
Secure Code Warrior Limited
Company Number 08559432
Ironstone House
4 Ironstone Way
Brixworth, Northampton. NNG 9UD
United Kingdom

b. NEW SOUTH WALES
Secure Code Warrior Pty Limited
ABN 97 608 498 639
c/o Vital Addition
5, 120 Sussex Street
Sydney. NSW 2000
Australia

c. BELGIUM
Secure Code Warrior BVBA
Baron Ruzettelaan 5
bus 3 8310 Brugge
Belgium

d. DELAWARE
Security Code Warrior Inc
265 Franklin Street, Suite 1702
Boston MA 02110
USA

e. ICELAND
Motherji ehf
Borgatun 24, 105,
Reykjavik,
Iceland

Appendix B - Collection of Personal Information

a. PLATFORM USER

User email address (username)
First Name, Last Name
Employer/Company Name/ Team name
Test results /Metrics information/Assessment data
IP Address (Anonymised)
Machine ID (Anonymised)
Geo-location (derived from IP)
Password
Roles/Job Title
Inviter details (email address of inviter/First Name/Last Name)
Country/Region
Browser Type
Phone Number*

* Only required for Trial Users

Whilst you have access to our platform, and thereafter for a period of 12 months, unless otherwise agreed.

CUSTOMERS

Name
Business Email Address
Phone Number
Employer/Company Name
Job Title
Billing address
Company/Tax Registration Number

We will retain this information in accordance with applicable laws and our privacy policy for a period of 7 years from the date of our last contact with you unless, where you are entitled, request that we delete this information.

‍
PRospects / leads

Name
Business Email Address
Phone Number
Employer/Company Name
Job Title
Physical Location

We will retain this information for a period of 24 months from the date of our last contact with you unless, where you are entitled, request that we delete this information.

PARTICIPANTS IN TOURNAMENTS AND / OR COMPETITIONS: Registrant / participant

Name
Email address
Physical address in circumstances where there may be a physical prize to be delivered
Country/Region

We will retain this information for the duration of the Competition, and for a period of 12 months from the date of our last contact with you unless, where you are entitled, request that we delete this information

SUPPLIER

Name
Business/Company Name
Email Address
Phone Number
Bank Details
Billing address
Company/Tax Registration Number

We will retain this data for up to 7 years from our last contact with you, unless you request that we delete the data beforehand.

recruitment candidates

CV/ Resume
Phone Number
Date of Birth
Qualifications
Email address
Physical address (if provided)

For unsuccessful we will retain this data for a period of twelve (12) months so that we may contact you regarding any future opportunities, unless you request that we delete the data beforehand.

Website visitor

Name³
Contact information³ (company, role/title, business email address and phone number)
IP Address¹
Cookie Data¹ ²

¹ When you communicate with us through our websites:
We use Drift as one of our chatbots to allow customers to interact with us through our websites. Drift will only use the IP address for data enrichment, i.e. to determine if it is associated with a business to provide Secure Code Warrior with information such the industry and # of employees of the business.

Drift will only use cookies to track the activities of site visitors within Secure Code Warrior’s sites, e.g. whether they visited a particular product page or the pricing page before engaging with the messaging widget. Drift will NOT track users across domains or build profiles.

² Cookiebot

We use Cookiebot to manage all cookies across our websites. Cookiebot allows Secure Code Warrior to:

Enable prior consent.
Provide clear and specific information about data types and purpose of the cookies.
Fully document all given consents.
Allow our visitors to reject superfluous cookies and still use our websites.
Allow our visitors to withdraw their consent whenever they want.

³ Information is collected after consent is given

Refer to our cookie policy

We will retain this data for a period of 12 months from the date of our last contact with you unless, where you are entitled, request that we delete this information.

Appendix C - Purposes for which we process your personal information, and the lawful basis on which we carry out such processing

1. PLATFORM USER

1.Necessary to enable us to perform our contract with you:

to set up, administer and manage a user’s account, verify a user’s identity, provider users with our platform and services, and to receive and respond to a user’s communications and requests.
to notify our users of updates to our platform and services necessary for the performance of the contract we have with you.
to support any other purpose necessary for performance of our contractual obligations or specifically stated at the time at which you provided your personal information.

2. Necessary for the performance of our contract with you where such communication relates specifically to our services, and legitimate interest to be able to handle such queries:

to receive and respond to a user’s communications and requests.

3. For legitimate interest to enable Secure Code Warrior to:

carry out market research campaigns so that we can better understand the functionality of our platform and how we can improve our platform and our services.
prepare statistics relating to the use of our platform and services by our users so that we can understand the use of, and improve our platform and services.

4. For legitimate interests to allow Secure Code Warrior to improve customer services offering:

to record and review customer service communications for training and performance improvements to enable us to improve customer services.
To enable Secure Code Warrior to comply with legal obligations.

5. With consent:

to send users marketing materials where marketing materials have been specifically requested.

2. Customers

1. Necessary for the performance of a contract

conducting business and make our services available to customers,

2. For legitimate interests to enable Secure Code Warrior to conduct business

to send and receive business communications
to administer our relationship with customers, prospective customers and business contacts

3. For legitimate interests to contact those who may benefit from our services

informing prospective customers and business contacts about our services.

4. With consent

to send out marketing materials where these have been specifically requested.

3. email contact / prospective customer

1.For legitimate interests to enable Secure Code Warrior to conduct business

to send and receive business communications
to administer our relationship with customers, prospective customers and business contacts

2. For legitimate interests to contact those who may benefit from our services

informing prospective customers and business contacts about our services.

3. With consent

to send out marketing materials where these have been specifically requested.

‍
4. participants in tournaments and / or competitions: registrant / participant

1. Necessary for the performance of our contract with you, namely for the running of the competition and/ or tournament

2. With consent: to send out marketing materials

‍

5. SUPPLIER

1. For legitimate interests to enable Secure Code Warrior for the performance of a contract where the supplier is an individual

to assess and appoint suppliers
Legitimate interests to conduct business

2. To send and receive business communications.

3. To administer our relationship with our suppliers.

6. recruitment candidates

To enable Secure Code Warrior to recruit employees and assess potential candidates, that is to:

consider applications for roles for which you may have applied, directly or via a recruitment, and the negotiation of employment opportunities,
consider applicants for other roles within Secure Code Warrior for which they may be suited,
obtain references from former employers.

7. website visitor

For legitimate interest to enable Secure Code Warrior to,

provide, operate, maintain, improve, and promote our Websites and Services;
enable you to access and use our Websites and Services;
send promotional communications, such as providing you with information about products and services, features, surveys, newsletters, offers, promotions, contests, and events; and provide other news or information about us and our partners (you can opt-out of receiving marketing communications from us by unsubscribing from any communication we send you);
monitor and analyze trends, usage, and activities in connection with our Websites and Services and for marketing or advertising purposes;
investigate and prevent fraudulent transactions, unauthorized access to our Websites and Services, and other illegal activities;
personalize our Websites and Services, including by providing features or advertisements that match your interests and preferences; and for other purposes for which we obtain your consent.

Appendix D - Secure Code Warrior Related Websites

securecodewarrior.com
help.securecodewarrior.com
discover.securecodewarrior.com
leadersinappsec.com
leadersindevsec.com
softwaresecuritygurus.com
scw.io
learn.securecodewarrior.com

Document Summary