Document Summary

Data Subprocessors

Download PDF
Our approach to security and privacyOur approach to security and privacy
Back to Trust Center

Last updated: 10 April 2024

What is a sub-processor?

‘Customer data’ is personal data processed by Secure Code Warrior (acting as a processor) on behalf of the customer (acting as a controller) to provide our products and/or services.

A ‘sub-processor’ is a third-party (such as a contractor, service provider or vendor) further engaged by Secure Code Warrior to help us process customer data for the same purpose. We engage different types of sub-processors to perform various functions as explained in the table below.

Where we act as an independent controller

Where Secure Code Warrior acts as an independent controller, we process personal data on our own behalf and for our own business purposes (‘SCW data’) in compliance with applicable data protection law.  For example, when we process user personal data in connection with feedback or feature requests, or when a user consents to our use of analytics cookies. 

Third-parties engaged to process SCW data are not sub-processors, but we follow the same review process outlined below before engaging these service providers.

For more information about our data and privacy protective practices, please refer to our privacy policy.

Our vendor review process

Due diligence

We undertake to use a commercially reasonable selection process to evaluate the security, privacy and confidentiality practices of proposed sub-processors before they process customer data.

Contractual safeguards

We require sub-processors to satisfy obligations equivalent to those contained in our own customer agreements, including provisions to:

  • Process customer data in accordance with documented instructions
  • Provide regular security and data protection training to personnel who have access to customer data
  • Implement and maintain appropriate technical and organisational measures 
  • Provide evidence of compliance with its security and data protection obligations (either in the form of annual certification or audits)
  • Promptly inform us of any actual or potential security incidents and/or personal data breaches
  • Cooperate with us in order to deal with requests from customers, data subjects or data protection authorities

International data transfers

Third-countries with an adequate level of data protection

We may freely transfer personal data to sub-processors and third-countries recognised under applicable data protection law as providing an adequate level of data protection (including U.S. Data Privacy Framework (DPF) registered participants).

Restricted transfers

Where information is transferred to a sub-processor or third country not recognised as providing an adequate or equivalent level of data protection (‘restricted transfer’), we ensure adequate transfer mechanisms and appropriate safeguards are in place to protect personal data (such as standard contractual clauses and ISO aligned technical and organisational measures).

Looking for more information about international transfers?

Please refer to our dedicated webpage regarding international transfers of personal data

Customer notification

We will update this page whenever we engage new sub-processors. Where we have an obligation to inform customers of updates to our sub-processor list in writing, we will also email our regular business contact and, where reasonable, the customer’s publicly disclosed privacy contact. 

Unless otherwise agreed, the customer may object to the appointment of a new sub-processor within thirty (30) days of the update by emailing, along with the legitimate reason(s) for the objection.

Customer sub-processors

Sub-processor and hosting location Purpose Processing locations Customer data processed Privacy policy and contact details
Secure Code Warrior group entities
(See Appendix A of our privacy policy).
• Australia
• United Kingdom
• United States
Product support, maintenance and delivery See our privacy policy for more information about our processing activities.
Amazon Web Services (AWS) • EU/EEA
• United States
Cloud storage host for our website, platform and infrastructure, and email notification service provider Personal data collected by AWS
Email address
Name (first and last)
Device information (browser type, device identifier and IP address)
Location information (country/region and IP geo-location)

Amazon Web Services, Inc.
Attn: AWS Legal410 Terry Avenue North
WA 98109-5210, USA

Amazon Web Services EMEA SARL
38 Avenue John F. Kennedy L-1855Luxembourg
Datadog • United States
Application log management, monitoring and alerting Email address
User ID
Device information (browser type, device identifier and IP address)
Location information (country/region and IP geo-location)

Datadog, Inc.
620 8th Avenue
Floor 45
New York
NY 10018, USA
EverAfter • EU/EEA
• Israel
• United States
Customer onboarding and ongoing success Email address
Name (first and last)
Device information (browser type, device identifier and IP address)

EverAfter AI Ltd.
Yigal Alon 82
Tel Aviv
Israel 6789124
MongoDB, Inc. • EU/EEA
• United States
Cloud database storage and management Email address
User ID
Device information (browser type, device identifier and IP address)
Location information (country/region and IP geo-location)

Attn: Legal Department
MongoDB, Inc.
1633 Broadway
38th Floor
New York

NY 10019, USA
Salesforce • Australia
• United Kingdom
• United States
Customer platform usage Insights, metrics and visualisations Email address
Name (first and last)
Professional information (employer, team name, role, job title)
Assessment information (challenge stats/results)

415 Mission Street, 3rd Floor
San Francisco, CA 94105, USA
Usersnap • EU/EEA
Customer bug reports Email address
Device information (browser type, device identifier and IP address)

Energiestrasse 1
A-4020 Linz
Zendesk • United States
Customer support Email address
Name (first and last)
Device information (browser type, device identifier and IP address)

Attn: Privacy Team
989 Market Street
San Francisco, CA 94103, USA

Looking for something else?

Our approach to security and privacy

Visit our Trust Center to learn more about the security and privacy practices that safeguard our information assets, and those of our customers, against misuse, abuse or compromise.

Trust Center