Third Party Security Policy

To deliver our services, Mo partners with and shares data with several other parties. We share as little data as possible, on an as-needed basis; in some cases this includes personal data. When transferring data, we use suppliers whose Data Processing Agreements include the European Commission's Standard Contractual Clauses.

This document describes who we share data with, how much data we share with them and why we do so. It also answers some questions about security practices at the third parties that process personal data.

Third parties that have access to Customer Personal Data

These technical partners are used to process the data of our customers and sales opportunities for us.

AWS

Data subject type: Application users only
Type of data: Personal data (Customer)
Critical Service: Yes
Address: Amazon Web Services, Inc., 410 Terry Ave North, Seattle, WA 98109-5210, USA
Description: Amazon runs the data centre that our application servers and database operate in. In addition to this, they also operate the data centres for Heroku, Atlas, Intercom, Mandrill and Cloudinary.
Data access and usage: AWS will not access or use Customer Data, except as necessary to provide the Service Offerings initiated by Customer.
Standard Contractual Clauses: Yes, UK Addendum
Security Certification: SOC 2, ISO27001

Atlas

Data subject type: Application users only
Type of data: Personal data (Several types of customer data)
Critical Service: Yes
Address: MongoDB Inc. 3rd Floor, 16 Hatfields, London SE1 8DJ, UK
Description: Atlas is the managed MongoDB service run by MongoDB Inc. Our instance runs on top of AWS infrastructure. Atlas takes care of security patching, provisioning, scaling and other technical tasks on our database servers, allowing us to focus on application development. Our database is located in the AWS EU-1 data centre in Ireland; the physical address of this data centre is not publicly available.
Data access and usage: Atlas routinely collects and analyses metadata regarding user files and usage data, excluding any personal data but including header information, checksum quantities, file size, file type and archival dates. They use this information to gauge service levels and application performance, for their own marketing purposes and, in some instances, for data recovery purposes.
Standard Contractual Clauses: Yes, UK Addendum
Security Certification: ISO27001

WeGift

Data subject type: Application users only
Type of data: Personal data (related IDs)
Critical Service: Yes
Address: The Voucher Market Ltd t/a WeGift, 1st Floor, Buckhurst house, 42-44 Buckhurst Avenue, Sevenoaks, Kent, TN13 1LZ
Description: WeGift offers various gift vouchers from retailers available for real-time purchase via API.
Data access and usage: WeGift stores Mo's ID of a redemption instance, which allows Mo to correlate orders in our system with orders in the WeGift system. Using other data in Mo's systems this ID can be correlated back to an individual, so in the context of GDPR it is classified as personal data. WeGift stores this ID on behalf of Mo and does not use it for any other business purposes.
Standard Contractual Clauses: Yes
Security Certification: ISO27001

Iterable

Data subject type: Application users only
Type of data: Personal data.
Critical Service: Yes
Address: Iterable, Inc. 71 Stevenson St, #300, San Francisco, CA, 94105
Description: Iterable is a platform for programmatic and transactional notifications across multiple channels. Mo uses Iterable to help engage its users and notify them of what is happening on the platform.
Data access and usage: Iterable stores a synchronised subset of user data such as user ID, name and email address. They also store a temporary log of all notifications sent. Iterable uses this data to send smart notifications to end users. Iterable is compliant with the GDPR right to stop processing and right to erasure. Iterable stores this data on behalf of Mo and does not use it for any other business purposes.
Standard Contractual Clauses: Yes, UK Addendum
Security Certification: SOC 2

Amplitude

Data subject type: Application users only
Type of data: Personal data.
Critical Service: Yes
Address: Amplitude Inc. 631 Howard St. Floor 5, San Francisco, CA 94105
Description: Amplitude is a data analytics platform for product metrics. Mo uses Amplitude to gain high level insights into how our product is being used and the levels of user engagement. We use these insights for reporting at team, board and investor level as well as helping design and prioritising product improvements.
Data access and usage: Amplitude stores a synchronised subset of user data such as user ID, name and email address. They also store a history of events and actions taken by users. They do not have access to any user-generated content or messages. Amplitude uses this data to deliver charts and data visualisations. Amplitude is compliant with the GDPR right to stop processing and right to erasure. Amplitude processes this data on behalf of Mo and does not use it for any other business purposes.
Standard Contractual Clauses: Yes, UK Addendum
Security Certification: SOC 2, ISO27001

Intercom

Data subject type: Application users and Marketing site users
Type of data: Personal data (Customer chat support data)
Critical Service: No
Address: Intercom Inc., 55 2nd St, 4th Fl, San Francisco, CA 94105
Description: Intercom stores various items of personal information, including name, email address and usage data, for the purposes of customer support. Intercom stores our data in AWS-managed data centres located in the United States; the physical address of these data centres is not publicly available. Intercom relies on the Standard Contractual Clauses approved by the European Commission.
Data access and usage: Intercom has the right to collect, extract, compile, synthesize and analyze non-personally identifiable data or information resulting from Customer's use or operation of the Services ("Service Data") including, by way of example and without limitation, information relating to volumes, frequencies, recipients, bounce rates, or any other information regarding the communications Customer, its end users or recipients generate and send using the Services. To the extent any Service Data is collected or generated by Intercom, such data will be solely owned by Intercom and may be used by Intercom for any lawful business purpose without a duty of accounting to Customer or its recipients, provided that such data is used only in an aggregated form, without directly identifying any person.
Standard Contractual Clauses: Yes, UK Addendum
Security Certification: SOC 2

The Rocket Science Group (MailChimp / Mandrill)

Data subject type: Marketing site users
Type of data: Personal data: (email, names, employer)
Critical Service: Yes
Address: The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA
Description: We occasionally use Mailchimp to email key contacts at our customers, for example to notify them when we update our data processors. Mandrill is the transactional email arm of Mailchimp; it sends transactional emails on our behalf and keeps a temporary log of the email addresses it has sent to. The Rocket Science Group stores our data in the United States and relies on the Standard Contractual Clauses approved by the European Commission.
Data access and usage: The Rocket Science Group only processes Customer Data for the following purposes: (i) processing to perform the Service in accordance with their Standard Terms of Use; (ii) processing initiated by Mo in its use of the Service; and (iii) processing to comply with any other reasonable instructions provided by Mo (e.g., via email or support tickets) that are consistent with the terms of their Standard Terms of Use. Mo has opted out of Mailchimp's Data Analytics Projects.
Standard Contractual Clauses: Yes, UK Addendum
Security Certification: SOC 2

Cloudinary

Data subject type: Application users only
Type of data: Personal data (Customer images)
Critical Service: Yes
Address: Cloudinary Inc. 111 W Evelyn Ave, Suite 206, Sunnyvale, CA 94086
Description: Cloudinary provides a cloud-based image management service. Images in the Mo application, such as profile pictures, are hosted and manipulated by Cloudinary. Cloudinary stores our images in AWS S3 buckets in the United States.
Data access and usage: Cloudinary will only Process Personal Data on behalf of and in accordance with Mo's instructions. Mo instructs Cloudinary to Process Personal Data for the following purposes: (i) Processing in accordance with Cloudinary's Terms of Use; and (ii) Processing to comply with other reasonable instructions provided by Customer where such instructions are consistent with the terms of Cloudinary's Terms of Use.
Standard Contractual Clauses: Yes, UK Addendum
Security Certification: SOC 2, ISO27001

LaunchDarkly

Data subject type: Application users only
Type of data: Personal data (Several types of customer data)
Critical Service: No
Address: Catamorphic, Co. 350 Frank H. Ogawa Plaza, Suite 100, Oakland, CA 94612
Description: LaunchDarkly is a feature management platform that serves feature flags, helping Mo build better software faster. We send LaunchDarkly PII such as user name, email, ID, role and customer name. LaunchDarkly hosts its data in AWS data centres in the US and relies on the Standard Contractual Clauses approved by the European Commission.
Data access and usage: Pending.
Standard Contractual Clauses: Yes, UK Addendum
Security Certification: SOC 2, ISO27001

Sentry

Data subject type: Application users only
Type of data: Personal data (user ID, employer name, permissions)
Critical Service: No
Address: Functional Software Inc. 132 Hawthorne Street, San Francisco, California 94107
Description: Sentry is an error reporting and telemetry tool used in our frontend web application.
Data access and usage: Mo instructs Sentry to process Data only in accordance with applicable law. Sentry uses the data provided by Mo to deliver the Processor Services and any related technical support. Sentry will not process the Data for any other purpose.
Standard Contractual Clauses: Yes, UK Addendum
Security Certification: SOC 2, ISO27001

1Password

Data subject type: Application users only
Type of data: Personal data (user ID, name, employer name, email)
Critical Service: Yes
Address: AgileBits Inc. Suite 303, 49 Spadina Ave Toronto, Ontario, M5V 2J1, Canada
Description: 1Password is used to generate, store and audit passwords for Mo employees. It also provides secure file sharing, which is used in the event that Mo employees need to share customer data with each other.
Data access and usage: 1Password acquires Service Data about our usage of 1Password, our account, and our payments through operating the services. They retain only enough Service Data to operate and maintain the services. The data is never used for any other purpose.
Standard Contractual Clauses: Yes, UK Addendum
Security Certification: SOC 2

Twilio

Data subject type: Application users only
Type of data: Personal data (phone number, name, employer)
Critical Service: No
Address: Twilio Inc. 375 Beale Street, Suite 300, San Francisco, CA 94105
Description: For certain customers and use cases we use Twilio to send SMS notifications to users; these notifications may contain the recipient's name or the name of their employer.
Data access and usage: Mo instructs Twilio to only use data to deliver services back to Mo and no other purpose.
Standard Contractual Clauses: Yes, UK Addendum
Security Certification: SOC 2, ISO27001

Slack

Data subject type: Application users and Marketing site users
Type of data: Personal data (name, employer name, email, user ID, associated IDs, IP address)
Critical Service: No
Address: Slack Technologies Inc, 500 Howard Street, San Francisco, CA 94105, USA
Description: Slack is an instant messaging app used by Mo employees. We have various services which can post alerts into Slack. This can include monitoring alerts from Rollbar or New Relic or new marketing leads from Hubspot.
Data access and usage: Mo instructs Slack to only use data to deliver services back to Mo and no other purpose.
Standard Contractual Clauses: Yes, UK Addendum
Security Certification: SOC 2, ISO27001

Rollbar

Data subject type: Application users only
Type of data: Personal data (user ID, associated IDs, IP address)
Critical Service: No
Address: Rollbar Inc, 51 Federal Street, Suite 401 San Francisco
Description: Rollbar is an error reporting tool used by our API and other backend services. Error reports may contain IDs of users or metadata that is traceable to a user. Rollbar sends alerts to Slack to help our Engineering Team become immediately aware of issues.
Data access and usage: Mo instructs Rollbar to only use data to deliver services back to Mo and no other purpose.
Standard Contractual Clauses: Yes, UK Addendum
Security Certification: ISO27001

New Relic

Data subject type: Application users only
Type of data: Personal data (user ID, associated IDs, IP address)
Critical Service: Yes
Address: New Relic Inc, 188 Spear St., Suite 1200, San Francisco, CA USA 94105
Description: New Relic is an observability platform that gives us real time metrics and monitoring of how our technology stack is performing. IDs of users or IDs of associated content along with IP addresses may be processed by New Relic. New Relic automatically sends alerts, via email to GSuite and instant message to Slack to help our Engineering Team become immediately aware of issues.
Data access and usage: Mo instructs New Relic to only use data to deliver services back to Mo and no other purpose.
Standard Contractual Clauses: Yes, UK Addendum
Security Certification: SOC 2, ISO27001

Google GSuite

Data subject type: Application users and Marketing site users
Type of data: Personal data (names, email, employer)
Critical Service: Yes
Address: Google LLC, Mountain View, California, United States
Description: GSuite provides email, document and spreadsheet services for Mo. Mo may receive emails from anyone and may send emails to customers, potential customers, suppliers and other people. These emails may contain the name, email address and employer of the senders and recipients. 
Data access and usage: Google will process Personal Data submitted, stored, sent or received by Mo via the Services for the purposes of providing the Services and related technical support to Mo. Google will not process the Personal Data for Advertising purposes.
Standard Contractual Clauses: Yes
Security Certification: ISO27001

Planhat

Data subject type: Customer key contacts
Type of data: Personal data (names, email, employer)
Critical Service: No
Address: Planhat AB, Sveavägen 98, 113 50 Stockholm, Sweden
Description: Planhat is a customer success management tool used by our Customer Success Team. It may contain the personal data of key contacts at our customers such as buyers or IT staff.
Data access and usage: Mo instructs Planhat to use this data to deliver services back to Mo, Planhat may also use service data to help improve their products and services.
Standard Contractual Clauses: Yes, 2021 SCCs
Security Certification: SOC 2

Typeform

Data subject type: Application users and Marketing site users
Type of data: Personal data (names, email, employer)
Critical Service: No
Address: Typeform SL, C/Bac de Roda, 163 (Local), 08018 Barcelona, Spain
Description: Typeform is a survey tool used from time to time to conduct user research and NPS surveys. Mostly this research is anonymous, but occasionally we may ask participants to leave contact details so we can follow up with them regarding their feedback.
Data access and usage: Mo instructs Typeform to use this data to deliver services back to Mo. Typeform may also use usage data to improve their services.
Standard Contractual Clauses: Yes, 2021 SCCs
Security Certification: SOC 2, ISO27001

Huggg Limited

Data subject type: Application Users only
Type of data: Personal data
Critical Service: Yes
Address: Huggg Limited, Runway East, 1 Victoria St, Bristol, United Kingdom, BS1 6AA.
Description: Huggg is a rewards platform that enables users and customers to send gifts to individuals or at scale. Users of the Mo product may opt in to use this feature, and in doing so share PII such as customer name, recipient name, address, email address, employer name and phone number.
Data access and usage: Huggg stores customer and user data, such as name, address and phone number, which is classified as PII in the context of GDPR. Huggg is compliant with all applicable requirements of the GDPR and processes this data on behalf of Mo. Huggg does not use this data for any other business purposes.
Standard Contractual Clauses: Yes, UK Addendum
Security Certification: ISO27001

Third party partners glossary

We keep a comprehensive list and details of all the third-parties and suppliers that we use. Each third-party and supplier is categorised by the data subject type, including Application Users, Marketing Site Users and HR Data. To see this list please email [email protected] with the subject line “Third Party Partners Glossary.”

Third party selection criteria

Mo vets all third parties and suppliers to assess security risks and compliance with our other policies (such as anti-slavery). We only work with industry-leading technical partners for our infrastructure and hosting requirements. The following criteria are assessed before we onboard new third parties, and current third parties are assessed against the same criteria:

Check: We only work with suppliers that support encrypted transport of data.
Data classification: All

Check: We only work with suppliers where a mutual data processing agreement has been signed (for personal data); these must include the new European Commission's Standard Contractual Clauses, the IDTA or the UK Addendum.
Data classification: Confidential: Customer data and HR data

Check: Or their terms of service provide acceptable confidentiality clauses (for non-personal data).
Data classification: Confidential: Internal Use Only or EU (risk can be accepted if the Privacy Policy is acceptable)

Check: At least one industry-recognised and externally verified security certification or assurance (e.g. ISO, SOC).
Data classification: All (but risk can be accepted for a non-personal data service)

Check: Support secure deletion of per-customer data and, where necessary, industry-standard disposal of hardware.
Data classification: All (but risk can be accepted for a non-personal data service)

Check: Provide availability controls and uptime assurances.
Data classification: All (but risk can be accepted on non-critical services)

Assessing third party partners

Mo risk-assesses the impact third parties have on our service and data, in terms of confidentiality, integrity and availability, in line with our risk assessment schedule. All third parties are also subject to an onboarding assessment and scheduled internal audits against the above criteria.

Third party changes checklist

Any changes to third parties should follow these steps.

  • Assessment (for new third parties)
  • Management approval
  • Communicate decision to customer with adequate time for query or objection
  • Update application privacy notice
  • Update marketing site privacy policy
  • Update Data Processing Agreement

Monitoring and review

While the majority of the services Mo relies on do not provide SLA reporting or uptime guarantees, Mo may monitor services using each third party's status page. Any third-party incidents that have a knock-on effect on our ability to deliver services, or on the integrity of our data, are recorded in our incident log.
