Get a demo of Culture Amp

Simply fill out the form and we’ll be in touch soon.

Skip to main content

Get a demo of Culture Amp

Simply fill out the form and we’ll be in touch soon.

Data Processing Addendum

In this page

Version effective date: 10 June, 2026

This Data Processing Addendum (DPA) forms part of the Agreement and sets out the respective responsibilities of the Customer (as Controller) and Culture Amp (as Processor) in relation to the processing of Customer Personal Data. Capitalised terms used, but not otherwise defined below, have the meaning given to them in the General Terms.

  1. Definitions

    1. Applicable Data Protection Law means all laws and regulations applicable to and binding on the processing of Customer Personal Data by a party.
    2. Californian Data Protection Law means the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and its implementing regulations (CCPA).
    3. Controller means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
    4. Data Protection Law means all applicable laws, regulations and other legally binding requirements relating to privacy, data protection, the processing of Personal Data, data security, breach notification, direct marketing, cookies and other tracking technologies and electronic communications, including, where applicable, EU Data Protection Law, UK Data Protection Law and the CCPA.
    5. Data Subject means (a) a "data subject" as defined under EU Data Protection Law; (b) a "data subject" as defined under UK Data Protection Law; (c) a "consumer" as defined under CCPA; and (d) any other identified or identifiable natural person whose Personal Data is processed under the Agreement and who is afforded rights under applicable Data Protection Law.
    6. EU Data Protection Law includes, as applicable, (i) the Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation, or GDPR) and (ii) the EU e-Privacy Directive (Directive 2002/58/EC) as amended, superseded or replaced from time to time.
    7. EU SCCs means the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended, superseded, or replaced from time to time.
    8. Europe includes, for the purposes of this DPA, the Member States of the European Union and European Economic Area.
    9. Personal Data means information about an identified or identifiable natural person, or which otherwise constitutes "personal data", "personal information", "personally identifiable information" or similar terms as defined in Applicable Data Protection Law.
    10. Processing (and "Process" and "Processed") means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
    11. Processor means the entity which Processes Personal Data on behalf of the Controller and includes any substantially analogous role as defined under Applicable Data Protection Law (such as "Service Provider" under the CCPA).
    12. Security Incident means a confirmed breach of security of the Service or Culture Amp's systems used to process Customer Personal Data leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data processed by Culture Amp. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful login attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
    13. Standard Contractual Clauses or SCCs means any standard contractual clauses, international data transfer agreement, addendum, transfer mechanism or equivalent contractual terms approved, issued or recognised under Applicable Data Protection Law for the transfer of Personal Data across jurisdictions, including under EU Data Protection Law and UK Data Protection Law.
    14. Subprocessor means any third-party, including Culture Amp affiliates, engaged by Culture Amp to Process Customer Personal Data.
    15. Subprocessor List means the list of Subprocessors maintained and made available by Culture Amp in accordance with clause 6.2.
    16. Training Purposes means the use of Customer Personal Data, in anonymized, aggregated, pseudonymized, or de-identified form, to develop, train, improve, tune, or validate machine learning models, algorithms, or artificial intelligence systems operated by or on behalf of Culture Amp.
    17. UK Data Protection Law means the Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of clause3 of the United Kingdom's European Union (Withdrawal) Act 2018 as amended, superseded or replaced from time to time.
    18. UK IDTA means the contractual clauses issued by the UK Information Commissioner under section 119A (1) of the Data Protection Act 2018 (DPA 2018) and is in force from 21 March 2022, as amended, superseded or replaced from time to time.

  2. Processing of Customer Personal Data

    1. Roles of the Parties

      For the purposes of the Agreement, the parties agree that the Customer is the Controller of the Customer Personal Data and Culture Amp is a Processor of the Customer Personal Data.

    2. Customer's Documented Instructions

      The parties agree that this DPA, together with the Agreement and the Customer's use of the Services (including any relevant configurations and settings), constitute the entirety of the Customer's documented instructions to Culture Amp regarding the Processing of Customer Personal Data ("Documented Instructions"). Further details about the Data Processing are found in Schedule B.

    3. Instructions for Processing

      Culture Amp will Process Customer Personal Data solely in accordance with the Customer's Documented Instructions except where Processing is necessary to comply with applicable laws or a binding governmental order. In such cases, Culture Amp will inform the Customer of the legal requirement before Processing, unless that law or order prohibits disclosure on important grounds of public interest.

    4. Compliance with Applicable Data Protection Law

      The Customer will ensure that all Documented Instructions it issues to Culture Amp comply with all Applicable Data Protection Law. Culture Amp is not responsible for monitoring Customer's compliance with Applicable Data Protection Law. However, to the extent required by law, Culture Amp will inform the Controller if it becomes aware that Customer's Documented Instructions breach the Data Protection Law applicable to the customer.

    5. Confidentiality Obligations

      Culture Amp will treat Customer Personal Data in line with the confidentiality provisions set out in the Agreement, including the Privacy Policy. Culture Amp will ensure personnel authorized to Process Personal Data are bound by written or statutory obligations of confidentiality.
    6. Use of Customer Personal Data for Training Purposes Notwithstanding Culture Amp's role as Processor under Section 2.1, the Customer acknowledges and agrees that Culture Amp may Process Customer Personal Data for Training Purposes. To the extent Culture Amp is Processing Customer Personal Data for Training Purposes, Culture Amp shall be deemed an independent Controller in respect of such Processing and shall: (i) prior to any such Processing, apply appropriate technical measures to anonymize, aggregate, pseudonymize, or de-identify the Customer Personal Data such that it cannot reasonably be used to re-identify any Data Subject; (ii) Process such data solely for Training Purposes and not for any other purpose; (iii) comply with all obligations applicable to it as a Controller under Applicable Data Protection Law; (iv) not intentionally use such data to re-identify any Data Subject from the data processed for Training Purposes; and (v) implement and maintain appropriate technical and organizational measures to protect such data in accordance with Schedule C. For the avoidance of doubt, Culture Amp's obligations as Processor under this DPA shall continue to apply to all Processing of Customer Personal Data that is not carried out for Training Purposes.

  3. Assistance with Data Subject Requests and Cooperation Obligations

    1. Assistance with Data Subject Requests

      Culture Amp will, in a manner consistent with the functionality of the Service and its role as Processor, provide commercially reasonable support to the Customer to enable the Customer to respond to Data Subject requests to exercise their rights under Applicable Data Protection Law (Data Subject Requests).

    2. Cooperation Obligations

      Upon the Customer's reasonable request, and to the extent required by law taking into account the nature of the Processing, Culture Amp will provide reasonable assistance to the Customer in fulfilling its obligations under Applicable Data Protection Law. Such assistance will only be provided to the extent the Customer cannot reasonably fulfil these obligations independently using the documentation and resources that Culture Amp makes available through its website, Platform and its Customer Trust Center.
    3. Third Party Requests Unless prohibited by Applicable Law, Culture Amp will notify Customer of any legal process or governmental request compelling Culture Amp to disclose Customer Personal Data, and will not respond to such requests unless legally obligated to do so. In the event that Culture Amp receives an inquiry or a request for information from any other third party (such as a regulator or data subject) concerning the Processing of Customer Personal Data, Culture Amp will redirect such inquiries to Customer, and will not provide any information unless required to do so under Law.

  4. Security

    1. Security Measures

      Culture Amp has implemented and will maintain appropriate technical and organizational measures designed to protect the security, confidentiality, integrity, and availability of Customer Personal Data and to prevent Security Incidents. The Customer is responsible for configuring the Services and using the security features and functionalities made available by Culture Amp to maintain appropriate protection in light of the nature of the Customer Personal Data. Culture Amp's current technical and organizational measures are described in Schedule C. The Customer acknowledges that these Security Measures are subject to technical progress and development and that Culture Amp may update or modify them from time to time, provided that such updates and modifications do not materially reduce the overall level of security of the Services during the applicable Subscription Term.

    2. Security Incidents

      Culture Amp will notify the Customer without undue delay, and where feasible, no later than forty-eight (48) hours after becoming aware of a Security Incident. Culture Amp will make reasonable efforts to identify the cause of the Security Incident, mitigate its effects, and remediate the underlying cause to the extent within Culture Amp's reasonable control. Upon the Customer's request, and taking into account the nature of the Processing and the information available to Culture Amp, Culture Amp will provide reasonable assistance by supplying information necessary for the Customer to meet its notification obligations under Applicable Data Protection Law. Culture Amp's notification of a Security Incident does not constitute an admission of fault or liability.

  5. Audits

    1. Audit Reports Culture Amp is regularly audited by independent third-party auditors and/or internal auditors. Upon the Customer's request. If the Customer cannot reasonably verify Culture Amp's compliance with the terms of this DPA based on this summary, Culture Amp will provide written responses (on a confidential basis) to reasonable requests for information made by the Customer relating to Culture Amp's Processing of Customer Personal Data. This right may be exercised no more than once during the term of the Agreement.
    2. Customer Audit Right To the extent Culture Amp is legally required to participate in independent audits initiated by a Customer under Applicable Data Protection Law, and only where the Customer cannot reasonably verify Culture Amp's compliance with this DPA through the rights described in clause 5.1, the Customer may, at its own expense, conduct an audit during the term of the Agreement to assess Culture Amp's compliance with this DPA. Any such audit will: (i) be conducted during Culture Amp's normal business hours and with at least thirty (30) calendar days' prior written notice (unless a shorter notice period is required by Applicable Data Protection Law or a regulatory authority); (ii) be subject to reasonable confidentiality obligations requiring the Customer (and its authorized representatives) to keep confidential any information disclosed that, by its nature, should be treated as confidential; (iii) occur no more than once per contract term; and (iv) be limited in scope to information relevant to the Customer's data and Culture Amp's processing activities under this DPA.

  6. Subprocessing

    1. General Authorisation By entering into this DPA, Customer provides general authorization for Culture Amp to engage Subprocessors to process Customer Personal Data. Culture Amp will: (i) enter into a written agreement with each Subprocessor that imposes data protection obligations requiring the Subprocessor to a substantially similar level to those extended in this DPA; and (ii) remain liable to Customer for the Subprocessor's performance of its data protection obligations with respect to the relevant processing activities under the Agreement.
    2. Notice of New Subprocessors Culture Amp will make available a list of Subprocessors that Culture Amp currently engages, which is currently available at https://www.cultureamp.com/company/trust/platform-sub-processors. Culture Amp may update the Subprocessor List from time to time. Before Culture Amp engages a new Subprocessor, Culture Amp will provide notice to the Customer through the Services, by email, through its published materials, or by any other reasonable means.
    3. Objection to New Subprocessors If Customer does not consent to the use of a new Subprocessor that was not included on the list of subprocessors most recently provided or made available to the Customer (whether at the time that the Agreement was entered into of following an update), Customer may notify Culture Amp in writing at privacy@cultureamp.com within 14 days of receiving notice of the Subprocessor update. Upon receiving such notice, the parties will discuss Customer's concerns in good faith. If the parties are unable to reach a mutually acceptable resolution, Customer's sole and exclusive remedy will be to terminate the order for the affected Service for convenience. In such a case, Culture Amp will refund any prepaid, unused fees covering the terminated portion of the applicable subscription term for the affected Service.

  7. Deletion or Return of Customer Personal Data

    1. Return of Customer Personal Data During the term of the Agreement, or following its termination, the Customer may request the export of Customer Personal Data. Culture Amp will facilitate such export without undue delay, to the extent the Customer Personal Data is within Culture Amp's immediate possession or control, except where the request (i) conflicts with the Confidentiality Protections selected by the Customer, or (ii) the Customer Personal Data has already been automatically deleted in accordance with the data retention period set out in the Agreement.
    2. Deletion of Customer Personal Data During the term of the Agreement, or following its termination, the Customer may request the deletion of Customer Personal Data. Upon such a request, Culture Amp will make commercially reasonable efforts to delete or destroy any Customer Personal Data remaining in its possession, to the extent required by the Agreement and applicable law. Culture Amp will not delete Customer Personal Data to the extent that (a) retention is required by Applicable Law; (b) retention is required by a binding court order or other lawful requirement of a governmental authority; or (c) retention is expressly permitted by, or reasonably necessary for Culture Amp to comply with, its obligations under the Agreement.

  8. International Provisions and Transfers

    1. International Data Transfer Customer Personal Data will be stored in the data center specified in the applicable Service Order. Customer acknowledges and agrees that Culture Amp may transfer and process Customer Personal Data internationally, including in jurisdictions where Culture Amp, its Affiliates, and its Subprocessors operate. Culture Amp will comply with Applicable Data Protection Law with respect to any such transfers or Processing.
    2. Compliance with Region Specific Data Transfer Provisions To the extent Culture Amp processes Customer Personal Data protected by Applicable Data Protection Law in any of the regions listed in Schedule A, the terms specified for the applicable region will also apply, including the provisions relevant to international transfers of Personal Data (whether directly or via onward transfer).

  9. General

    1. Term The term of this DPA will run concurrently with the term of the Agreement and will terminate upon the expiration or earlier termination of the Agreement (or, if later, the date Culture Amp ceases all Processing of Customer Personal Data).
    2. Modifications Culture Amp may update this DPA from time to time to reflect changes to Applicable Data Protection Law. If Culture Amp makes a material change to this DPA for reasons other than to comply with Applicable Data Protection Law, it will provide notice to Customers through the Services, by email, through its published materials, or by any other reasonable means. The most current version of this DPA will be published on Culture Amp's website and will supersede any previous version from its effective date.
    3. Standard Contractual Clauses (SCCs) To the extent of any conflict between this DPA and any applicable Standard Contractual Clauses, the Standard Contractual Clauses will prevail in relation to the relevant transfer of Customer Personal Data.

Schedule A - Region Specific Terms

  1. European Union Transfers

    1. Applicability

      The terms in clause 10 only apply to the extent Customer's Personal Data is protected by EU Data Protection Law, and Culture Amp has not adopted an alternative lawful mechanism for the transfer of data (with lawfulness being defined by the relevant regulator).

    2. Data Transfer

      If Personal Data that is protected by the EU Data Protection Law is transferred, either directly or via onward transfer to a country outside of Europe to a country that is not subject to an adequacy decision from the European Commission, the EU SCCs are incorporated by reference into this DPA as follows: (a) Module Two (Controller to Processor) applies, and all other Modules will be deleted. (b) For Module Two, the parties agree that: (i) Clause 7, the optional docking clause will apply; (ii) Clause 9, Option 2 applies and Culture Amp will give the Customer 14 days advance notice; (iii) In Clause 11, the optional language will not apply; (iv) In Clause 17, Option 1 will apply and the law of Ireland will apply; (vi) In Clause 18(b), disputes will be resolved before the Courts of Ireland; (vii) Annex I (A) through Annex I (C) will be deemed completed with the information set out in Schedule B of this DPA; and (viii) Annex II will be deemed completed with the information set out in Schedule C.

  2. United Kingdom Transfers

    1. Applicability

      The terms in clause 11 only apply to the extent Customer's Personal Data is protected by UK Data Protection Law, and Culture Amp has not adopted an alternative lawful mechanism for the transfer of data (with lawfulness being defined by the relevant regulator).

    2. Data Transfer

      If Personal Data that is protected by the UK Data Protection Law is transferred, either directly or via onward transfer to a country outside of the UK to a country that is not subject to an adequacy decision from the Information Commissioner's Office, the parties agree that: (a) The parties agree that such transfer will be governed by the EU SSCs as set out in clause 10 above, as modified and interpreted by the UK IDTA, which will be incorporated by reference into this Addendum. (b) The parties adopt the UK IDTA as follows: (i) Table 1 and Table 3 in Part 1 will be deemed completed with the information set out in Schedule B of this Addendum, with the Start Date effective as of the Effective Date of the Agreement; (ii) Table 2 in Part 1 will be deemed completed as set out in clause 10 of this Addendum; (iii) Table 4 in Part 1 will be deemed completed with the selection of "neither party;" and (iv) any conflict between the terms of the EU SSCs and the UK IDTA will be resolved in accordance with Sections 9 through 11 of the UK IDTA.

  3. United States of America (California)

    1. Applicability

      The terms in this clause 12 apply to the extent Customer's Personal Data is subject to Californian Data Protection Law.

    2. Prohibitions

      To the extent this clause 12 applies, Culture Amp is prohibited from: (a) selling or sharing Customer Personal Data; (b) processing Customer Personal Data for targeted and/or cross context behavioural advertising; (c) retaining, using, or disclosing Customer Personal Data for any purposes other than the specific purposes of performing the Service or as otherwise permitted under the Agreement; (d) retaining, using, or disclosing Customer Personal Data outside the direct business relationship between Culture Amp and Customer; and (e) combining Customer Personal Data with any other data if doing so will be inconsistent with the Business Purpose or limitations on service providers under the CCPA.

    3. Benchmarking

      Notwithstanding the foregoing, and for the avoidance of any doubt, Customer acknowledges that Culture Amp will have a right to process Customer Personal Data for the purposes of creating anonymized, aggregate and/or de-identified information for its own legitimate business purposes, including compiling anonymized benchmarking reports and statistics.

    4. Grant of Rights

      Culture Amp will maintain mechanisms to assist Data Subjects in exercising their rights under the CCPA, and will follow the procedures outlined in clause 3 when facilitating the exercise of those rights.

    5. Certification

      Culture Amp hereby certifies that it understands the rules, requirements and definitions of the CCPA, and it will notify Customers if Culture Amp becomes unable to meet its obligations under the CCPA.

  4. Other Regions

    1. To the extent the Customer is subject to a Data Protection Law that is not explicitly identified in Schedule A, and such law requires the execution of Standard Contractual Clauses (SCCs), the parties agree to discuss the implementation of those SCCs on a case-by-case basis. Any mutually agreed SCCs will be appended to the relevant Service Order.

Schedule B - Description of the Processing and Transfer

Annex 1(A) - List of Parties

Customer (Data Exporter)

Name Either the Customer (as set out in the Agreement) or, the Central Company to the extent that the Customer is participating in a Central Survey which is an optional add on feature that enables a customer entity (the “Central Company”) to initiate, manage and analyse surveys and corresponding reports on behalf of one or more affiliated entities (each a “Participating Company”).
Address The address associated with the account for Services, or as otherwise specified in the Agreement.
Contact Name, Position, and Contact Details The contact details associated with the account for Services, or as otherwise specified in the Agreement.
Activities Relevant to Data Transferred Receipt and use of the Services
Role (Controller/Processor) Controller

Culture Amp (Data Importer)

Name Culture Amp
Address Level 2, 29 Stewart Street, Melbourne VIC 3121 Australia
Contact Name, Position, and Contact Details Marc Bonavia privacy@cultureamp.com
Activities Relevant to Data Transferred All activities relevant to the provision of the Service.
Role (Controller/Processor) Processor

Annex 1(B) - Description of Transfer

Categories of Data Subjects The Data Exporter’s current and former employees, agents, advisors, affiliates, contractors and other personnel, that are Data Subjects (as users of the Service).
Categories of Personal Data Transferred

The Data Exporter determines the categories of Personal Data processed by Culture Amp. The categories of Personal Data may include:

  • Name, age, email address, employment information (e.g., job title, department, manager, location, tenure, etc.);
  • Any other Personal Data that the Data Exporter chooses to include in the demographic information used for an employee survey conducted using the Culture Amp's Services;
  • If the Data Exporter uses Culture Amp's network analysis services, metadata included in company operated communication software;
  • Any other Personal Data provided by a data subject, including data the Data Subject includes in free text fields within Culture Amp's Services such as comments by a data subject or any self-selected demographics provided by a data subject.
  • Any other categories of Personal Data listed in Culture Amp's Privacy Policy.
Special Categories of Data (if appropriate)

Culture Amp does not intentionally collect or process any special categories of data in provision of its services to the Data Exporter.

To the extent that the Data Exporter or Data Subject causes Culture Amp to process special categories of data by including this information in the demographic details used for an employee survey, or free text fields, the Data Exporter will be solely responsible for ensuring it complies with all conditions and obligations imposed by applicable laws and regulations – including, where necessary, obtaining the explicit consent of the Data Subject.
Frequency of Transfer Continuous.
Nature of the Processing Culture Amp will Process Customer Personal Data in order to provide the Service in accordance with the Agreement.
Purpose of the Data Transfer

Personal data may be processed for the following purposes: (i) to provide and improve the Service provided to Data Exporter in accordance with the Agreement; (ii) processing initiated by Data Subjects in their use of the Service; (iii) to comply with other reasonable instructions provided by Data Exporter (e.g. via email or support tickets) that are consistent with the terms of the Agreement; (iv) for Training Purposes and (iv) to comply with any legal obligation under applicable law, including Applicable Data Protection Law.

Where data benchmarking is provided as part of the Service requested by Data Exporter, Data Exporter Data may also be aggregated with other customer's Data Exporter Data for the purpose of overall trends, to compile anonymized benchmarking reports and statistics requested by Data Exporter in connection with its use of the Service, in accordance with the Main Agreement.

Where Data Exporter chooses to use a Culture Amp AI Feature, Data Exporter authorizes, instructs, and warrants that it has obtained any necessary consents required for Culture Amp and its Subprocessors to process Data Exporter Data for the purpose of providing Culture Amp AI Output and functionality.
Duration of the Processing Culture Amp will process data for the term set out in the Agreement plus the period from the expiration of the Agreement, until the return or deletion of Personal Data is requested in accordance with the DPA provisions above.
Transfers to Subprocessors Culture Amp will transmit Personal Data to Subprocessors as permitted in the DPA above. The subject matter and duration of the processing is outlined above within Schedule A. The nature of the specific subprocessing services are further particularised within the Subprocessor list that Culture Amp makes available on its website.

Annex 1(C) - Competent Supervisory Authority

The competent supervisory authority is determined in accordance with Clause 13 of the EU SCCs unless required otherwise by Schedule A, clause 11.2.2 (United Kingdom Transfers).

Schedule C – Technical and Organisational Measures

Culture Amp will maintain appropriate technical and organizational security measures to protect data, which are kept up to date at cultureamp.com/company/legal/technical-and-organisational-measures. These linked measures are a formal part of this Data Protection Addendum.

FAQ

Legal Notice: The following FAQs are provided for general informational purposes only. They do not constitute a legal agreement or create any binding commitments. Culture Amp’s obligations and liabilities toward its customers are determined solely by the terms of its official agreements. These FAQs do not modify or supplement any agreement between Culture Amp and its customers.

The DPA applies whenever Culture Amp processes personal data as a data processor in connection with our Services. The DPA applies automatically, as soon as your organisation enters into an Agreement with Culture Amp — no separate signature is needed. If you’re looking for details on how Culture Amp acts as a data processor (for example, how we collect and use account or profile information), please refer to our Privacy Policy.

Our DPA has been carefully drafted to accurately reflect how Culture Amp delivers its Services and manages privacy and security. A large number of Customers use our Services, and we operate under a global compliance framework. Consequently, it is impossible for us to operationalise customer-specific requirements into our DPA.

The DPA is automatically in-force once you enter into an Agreement with Culture Amp. However, if your organization requires a signed version for its records, a pre-signed copy can be downloaded from our Customer Trust Center.

The DPA applies to customers around the world and sets out the legal and privacy commitments governing the processing of personal data. Most terms are universal, but if you direct Culture Amp to process data subject to region-specific requirements (for example, EU Standard Contractual Clauses), those are detailed in Schedule A of the DPA.

A sub-processor is a third party authorized by Culture Amp to access or process Customer Personal Data in order to help deliver our Services. For instance, we use Amazon Web Services (AWS) data centers to securely host customer data. Even if we engage a sub-processor, Culture Amp remains responsible for ensuring that your data is handled appropriately and in compliance with our commitments.

A current list of our approved sub-processors is published on our Sub-Processors page, available here.

Invest in your people and create impact