Third Party Processors

To deliver our services, Mo partners and shares data with several other parties. We share as little data as possible, on an as-needed basis; in some cases this includes personal data. This document describes who we share data with, how much data we share with them and why we do so. It also answers some questions regarding security practices at the third parties that process personal data.

Third parties that have access to Customer Personal Data

These technical partners process the data of our customers and sales opportunities on our behalf.

1. AWS

Data subject type: Application users only

Type of data: Personal data (Customer)

Critical Service: Yes

Address: AWS (Amazon Web Services, Inc. 410 Terry Ave North, Seattle, WA 98109-5210).

Description: Amazon runs the data centre that our application servers and database operate in. In addition to this, they also operate the data centres for Heroku, Atlas, Intercom, Mandrill and Cloudinary.

Data access and usage: AWS will not access or use Customer Data, except as necessary to provide the Service Offerings initiated by Customer.

Standard Contractual Clauses: Yes (although data is stored in Ireland)

2. Atlas

Data subject type: Application users only

Type of data: Personal data (Several types of customer data)

Critical Service: Yes

Address: MongoDB Inc. 3rd Floor, 16 Hatfields, London SE1 8DJ, UK

Description: Atlas is the managed MongoDB service run by MongoDB Inc. Our instance runs on top of AWS infrastructure. Atlas takes care of security patching, provisioning, scaling and other technical tasks on our database servers, allowing us to focus on application development. Our database is located in the AWS EU-1 Data Center in Ireland; the physical address of this data centre is not publicly available.

Data access and usage: Atlas routinely collects and analyzes metadata regarding user files and usage data, excluding any personal data but including header information, checksum quantities, file size, file type, and archival dates. They use this information to gauge service levels and application performance, for their own marketing purposes, and, in some instances, for data recovery purposes.

Standard Contractual Clauses: Yes (although data is stored in Ireland)


3. WeGift

Data subject type: Application users only

Type of data: Personal data (related IDs)

Critical Service: Yes

Address: The Voucher Market Ltd t/a WeGift, 1st Floor, Buckhurst house, 42-44 Buckhurst Avenue, Sevenoaks, Kent, TN13 1LZ

Description: WeGift offers various gift vouchers from retailers available for real-time purchase via API.

Data access and usage: WeGift stores Mo’s ID of a redemption instance, which allows Mo to correlate orders in our system with orders in the WeGift system. Using other data in Mo’s systems this ID can be correlated back to an individual, so in the context of GDPR it is classified as personal data. WeGift stores this ID on behalf of Mo and does not use it for any other business purposes.

Privacy Shield: No, UK-based company.


4. Iterable

Data subject type: Application users only

Type of data: Personal data.

Critical Service: Yes

Address: Iterable, Inc. 71 Stevenson St, #300, San Francisco, CA, 94105

Description: Iterable is a platform that allows for programmatic and transactional notifications across multiple channels. Mo uses Iterable to help engage its users and notify them of what’s happening on the platform.

Data access and usage: Iterable stores a synchronised subset of user data such as user ID, name and email address. They also store a temporary log of all notifications sent. Iterable uses this data to send smart notifications to end users. Iterable is compliant with the GDPR right to stop processing and right to erasure. Iterable stores this data on behalf of Mo and does not use it for any other business purposes.

Standard Contractual Clauses: Yes


5. Amplitude

Data subject type: Application users only

Type of data: Personal data.

Critical Service: Yes

Address: Amplitude Inc. 631 Howard St. Floor 5, San Francisco, CA 94105

Description: Amplitude is a data analytics platform for product metrics. Mo uses Amplitude to gain high-level insights into how our product is being used and the levels of user engagement. We use these insights for reporting at team, board and investor level, as well as for designing and prioritising product improvements.

Data access and usage: Amplitude stores a synchronised subset of user data such as user ID, name and email address. They also store a history of events and actions taken by users. They do not have access to any user-generated content or messages. Amplitude uses this data to deliver charts and data visualisations. Amplitude is compliant with the GDPR right to stop processing and right to erasure. Amplitude processes this data on behalf of Mo and does not use it for any other business purposes.

Standard Contractual Clauses: Yes


6. Intercom

Data subject type: Application users and Marketing site users

Type of data: Personal data (Customer chat support data)

Critical Service: No

Address: Intercom Inc. 55 2nd St, 4th Fl. San Francisco, CA 94105

Description: Intercom stores various bits of personal information including name, email address and usage data for the purposes of customer support. Intercom stores our data in AWS-managed data centres located in the United States; the physical address of these data centres is not publicly available. Intercom complies with the EU/Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries/Switzerland.

Data access and usage: Intercom has the right to collect, extract, compile, synthesize and analyze non-personally identifiable data or information resulting from Customer's use or operation of the Services (“Service Data”) including, by way of example and without limitation, information relating to volumes, frequencies, recipients, bounce rates, or any other information regarding the communications Customer, its end users or recipients generate and send using the Services. To the extent any Service Data is collected or generated by Intercom, such data will be solely owned by Intercom and may be used by Intercom for any lawful business purpose without a duty of accounting to Customer or its recipients, provided that such data is used only in an aggregated form, without directly identifying any person.

Standard Contractual Clauses: Yes


7. Cloudinary

Data subject type: Application users only

Type of data: Personal data (Customer images)

Critical Service: Yes

Address: Cloudinary Inc. 111 W Evelyn Ave, Suite 206, Sunnyvale, CA 94086

Description: Cloudinary is the market leader in providing a comprehensive cloud-based image management solution. Images in the Mo application, such as profile pictures, are hosted and manipulated by Cloudinary. Cloudinary stores our images in AWS S3 buckets in the United States.

Data access and usage: Cloudinary will only Process Personal Data on behalf of and in accordance with Mo’s instructions. Mo instructs Cloudinary to Process Personal Data for the following purposes: (i) Processing in accordance with Cloudinary’s Terms of Use; and (ii) Processing to comply with other reasonable instructions provided by Customer where such instructions are consistent with the terms of Cloudinary’s Terms of Use.

Standard Contractual Clauses: Yes


8. LaunchDarkly

Data subject type: Application users only

Type of data: Personal data (Several types of customer data)

Critical Service: No

Address: Catamorphic, Co. 350 Frank H. Ogawa Plaza, Suite 100, Oakland, CA 94612

Description: LaunchDarkly is a feature management platform that serves feature flags to help Mo build better software, faster. We send LaunchDarkly PII such as user name, email, ID, role and customer name. LaunchDarkly hosts its data in AWS data centres in the US and is certified under the EU-U.S. and Swiss-U.S. Privacy Shield Framework.

Data access and usage: Pending.

Standard Contractual Clauses: Yes


9. Sentry

Data subject type: Application users only

Type of data: Personal data (user ID, employer name, permissions)

Critical Service: No

Address: Functional Software Inc. 132 Hawthorne Street, San Francisco, California 94107

Description: Sentry is an error reporting and telemetry tool used in our frontend web application.

Data access and usage: Mo instructs Sentry to process Data only in accordance with applicable law. Sentry uses the data provided by Mo to deliver the Processor Services and any related technical support. Sentry will not process the Data for any other purpose.

Standard Contractual Clauses: Yes


10. 1Password

Data subject type: Application users only

Type of data: Personal data (user ID, name, employer name, email)

Critical Service: Yes

Address: AgileBits Inc. Suite 303, 49 Spadina Ave Toronto, Ontario, M5V 2J1, Canada

Description: 1Password is used to generate, store and audit passwords for Mo employees. It also provides secure file sharing, which is used in the event that Mo employees need to share customer data with each other.

Data access and usage: 1Password acquires Service Data about our usage of 1Password, our account, and our payments through operating the services. They retain only enough Service Data to operate and maintain the services. The data is never used for any other purpose.

Privacy Shield: As a Canadian company (the EU recognizes Canada as a destination country with “adequate level of protection” for data privacy of individuals), they are not signed up to the EU/US Privacy Shield.

SOC: 1Password is SOC 2 type 2 certified. SOC, or Service Organization Control, is an independent auditing process that ensures that 1Password securely manages data to protect customers’ interests and privacy.


11. Twilio

Data subject type: Application users only

Type of data: Personal data (phone number, name, employer)

Critical Service: No

Address: Twilio Inc. 375 Beale Street, Suite 300, San Francisco, CA 94105

Description: For certain customers and use cases we use Twilio to send SMS notifications to users; these notifications may contain the recipient's name or the name of their employer.

Data access and usage: Mo instructs Twilio to only use data to deliver services back to Mo and no other purpose.

Standard Contractual Clauses: Yes

12. Slack

Data subject type: Application users and Marketing site users

Type of data: Personal data (name, employer name, email, user ID, associated IDs, IP address)

Critical Service: No

Address: Slack Technologies Inc, 500 Howard Street, San Francisco, CA 94105, USA

Description: Slack is an instant messaging app used by Mo employees. We have various services which can post alerts into Slack. This can include monitoring alerts from Rollbar or New Relic or new marketing leads from Hubspot.

Data access and usage: Mo instructs Slack to only use data to deliver services back to Mo and no other purpose.

Standard Contractual Clauses: Yes


13. Rollbar

Data subject type: Application users only

Type of data: Personal data (user ID, associated IDs, IP address)

Critical Service: No

Address: Rollbar Inc, 51 Federal Street, Suite 401, San Francisco

Description: Rollbar is an error reporting tool used by our API and other backend services. Error reports may contain IDs of users or metadata that is traceable to a user. Rollbar sends alerts to Slack to help our Engineering Team become immediately aware of issues.

Data access and usage: Mo instructs Rollbar to only use data to deliver services back to Mo and no other purpose.

Standard Contractual Clauses: Yes


14. New Relic

Data subject type: Application users only

Type of data: Personal data (user ID, associated IDs, IP address)

Critical Service: Yes

Address: New Relic Inc, 188 Spear St., Suite 1200, San Francisco, CA USA 94105

Description: New Relic is an observability platform that gives us real-time metrics and monitoring of how our technology stack is performing. IDs of users or IDs of associated content, along with IP addresses, may be processed by New Relic. New Relic automatically sends alerts, via email to GSuite and instant message to Slack, to help our Engineering Team become immediately aware of issues.

Data access and usage: Mo instructs New Relic to only use data to deliver services back to Mo and no other purpose.

Standard Contractual Clauses: Yes


15. Google GSuite

Data subject type: Application users and Marketing site users

Type of data: Personal data (names, email, employer)

Critical Service: Yes

Address: Google LLC, Mountain View, California, United States

Description: GSuite provides email, document and spreadsheet services for Mo. Mo may receive emails from anyone and may send emails to customers, potential customers, suppliers and other people. These emails may contain the name, email address and employer of the senders and recipients.

Data access and usage: Google will process Personal Data submitted, stored, sent or received by Mo via the Services for the purposes of providing the Services and related technical support to Mo. Google will not process the Personal Data for Advertising purposes.

Standard Contractual Clauses: Yes


16. Typeform

Data subject type: Application users and Marketing site users

Type of data: Personal data (names, email, employer)

Critical Service: No

Address: Typeform SL, C/Bac de Roda, 163 (Local), 08018 – Barcelona (Spain)

Description: Typeform is a survey tool used from time to time to conduct user research and NPS surveys. Mostly this research is anonymous, but occasionally we may ask participants to leave contact details so we can follow up with them regarding their feedback.

Data access and usage: Mo instructs Typeform to use this data to deliver services back to Mo. Typeform may also use usage data to improve their services.

Privacy Shield: Not required, based in the EU.


17. Huggg Limited

Data subject type: Application Users only

Type of data: Personal data

Critical Service: Yes

Address: Huggg Limited, Runway East, 1 Victoria St, Bristol, United Kingdom, BS1 6AA.

Description: Huggg is a rewards platform that enables users and customers to send gifts to individuals or at scale. Users of the Mo product may opt in to utilise this feature, and they will share personal data such as customer name, recipient name, address, email address, employer name and phone number.

Data access and usage: Huggg stores customer and user data, such as name, address and phone number, which is classified as PII in the context of GDPR. Huggg is compliant with all applicable requirements of the GDPR and processes this data on behalf of Mo. Huggg does not use this data for any other business purposes.

Standard Contractual Clauses: Yes

Security Certification: ISO 27001



Third party partners glossary

We keep a comprehensive list and details of all the third-parties and suppliers that we use. Each third-party and supplier is categorised by the data subject type, including Application Users, Marketing Site Users and HR Data. To see this list please email hi@mo.work with the subject line “Third Party Partners Glossary.”


Third party selection criteria

Mo vets all third parties and suppliers to assess security risks and compliance with our other policies (such as anti-slavery). We only work with industry-leading technical partners for our infrastructure and hosting requirements. The following criteria are assessed before we onboard new third parties, and current third parties are assessed against the same criteria:



Check: Where possible we use suppliers that work within the EU. When our data must be transferred to the United States, we only work with companies who include the European Commission’s Standard Contractual Clauses within their Data Processing Agreements.
Data Classification: All

Check: We only work with suppliers that support encrypted transport of data.
Data Classification: All

Check: We only work with suppliers where a mutual data processing agreement has been signed (for personal data).
Data Classification: Confidential: Customer data and HR data

Check: Or their terms of service provide acceptable confidentiality clauses (for non-personal data).
Data Classification: Confidential: Internal Use Only or EU (risk can be accepted if the Privacy Policy is acceptable)

Check: At least 1 industry-recognised and externally verified security certification or assurance.
Data Classification: All (but risk can be accepted for a non-personal-data service)

Check: Multi-factor or federated authentication.
Data Classification: All (but risk can be accepted for a non-personal-data service)

Check: Support secure deletion of per-customer data and, where necessary, industry-standard disposal of hardware.
Data Classification: All (but risk can be accepted for a non-personal-data service)

Check: Provide availability controls and uptime assurances.
Data Classification: All (but risk can be accepted on non-critical services)


Assessing third party partners

Mo risk-assesses the impact third parties have on our service and data, in terms of confidentiality, integrity and availability, in line with our risk assessment schedule. All third parties are also subject to an onboarding assessment and scheduled internal audits against the above criteria. These are approved by our DPA and CTO.


Monitoring and review

While the majority of the services Mo relies on do not provide SLA reporting or uptime guarantees, Mo does actively monitor services using a status ticker: thanksbox.statusticker.com. Any third-party incidents that have a knock-on effect on our ability to deliver services, or on the integrity of our data, are recorded in our incident log.