Sub-Processors

We have updated this policy. If you are a new Customer, then this policy will be effective as of December 20, 2022. If you are an existing Customer, we are providing you with prior notice of these changes which will be effective as of January 19, 2023.

Previous versions of this policy:

• October 3, 2022
  
• September 17, 2021

A Sub-processor is a third-party data processor engaged by Front, including entities from within the Front Group (see below), who have or potentially will have access to or process Personal Data. Front engages different types of sub-processors to perform various functions as explained below.

Front undertakes to use a commercially reasonable selection process by which it evaluates the security, privacy and confidentiality practices of proposed sub-processors that will or may have access to or otherwise process Personal Data.

Front generally requires its sub-processors to satisfy equivalent obligations as those required from Front (as a Data Processor) as set forth in Front’s Data Processing Addendum (“DPA”), including but not limited to the requirements to:

• Process Personal Data in accordance with data controller’s (i.e., Customer’s) documented instructions as communicated in writing to the relevant sub-processor by Front;

• In connection with their sub-processing activities, use only personnel who are reliable and subject to a contractually binding obligation to observe data privacy and security, to the extent applicable, pursuant to applicable data protection laws;

• Provide regular training in security and data protection to personnel to whom they grant access to Personal Data;

• Implement and maintain appropriate technical and organizational measures (including measures consistent with those to which Front is contractually committed to adhere to insofar as they are equally relevant to the sub-processor’s processing of Personal Data on Front’s behalf) and provide an annual certification that evidences compliance with this obligation. In the absence of such certification Front reserves the right to audit the sub-processor;

• Promptly inform Front about any actual or potential security breach of Personal Data; and

• Cooperate with Front to handle requests from data controllers, data subjects or data protection authorities, as applicable.

This policy does not give Customers any additional rights or remedies and should not be construed as a binding agreement. The information herein is only provided to illustrate Front’s engagement process for sub-processors as well as to provide the actual list of third-party sub-processors and content delivery networks used by Front as of the date of this policy (which Front may use in the delivery and support of its Services).

If you are a Front Customer and wish to enter into our DPA, please email us at [email protected].

For all Customers who have executed Front’s standard DPA, Front will provide notice via this policy of updates to the list of sub-processors that are utilized or which Front proposes to utilize to deliver its Services. Front undertakes to keep this list updated regularly to enable its Customers to stay informed of the scope of sub-processing associated with the Front Services. Front Customers may subscribe to receive notifications of updates to this policy by clicking here.

Pursuant to the Front DPA, a Customer may object in writing to the processing of its Personal Data by a new sub-processor within thirty (30) days following the update of this policy and such objection shall describe Customer ’s legitimate reason(s) for objection. If Customer does not object during such time, the new sub-processor(s) shall be deemed accepted. If a Customer objects to the use of a new sub-processor pursuant to the process provided under the DPA, Front shall have the right to cure the objection through one of the following options (to be selected at Front’s sole discretion):

• (a) Front will cease to use the new sub-processor with regard to Personal Data;
• (b) Front will take the corrective steps requested by Customer in its objection (which steps will be deemed to resolve Customer’s objection) and proceed to use the sub-processor to process Personal Data; or
• (c) Front may cease to provide, or Customer may agree not to use (temporarily or permanently), an aspect of a Front Service that would involve use of the sub-processor to process Personal Data.

Termination rights, as applicable and agreed, are set forth exclusively in the DPA.

The following is an up-to-date list (as of the date of this policy) of the names and locations of Front sub-processors and content delivery networks (including members of the Front Group and third parties):

Front uses third party sub-processors to provide infrastructure services, host and process Personal Data submitted to the Services and to help us provide customer support and email notifications. Currently, the Front production systems used for hosting Personal Data for the Services are in co-location facilities in the United States and Europe and in the infrastructure sub-processors listed below. Customer accounts are typically established in one of these regions based on where the Customer is located but may be shifted among locations to ensure performance and availability of the Services. The following table describes legal entities, processing activity and countries engaged by Front in the processing and/or storage of Personal Data.

¹ The entity country for this sub-processor will depend on the region chosen for your Front account. If you choose the United States Service Region the sub-processor location is primarily the United States, and we use the United States service region option with that subprocessor. If you choose the EU Service Region the sub-processor location will primarily be one of the European Union countries listed.

The following entities are members of the Front Group. Accordingly, they function as sub-processors to provide the Services.

As explained above, Front’s Services may use content delivery networks (“CDNs”) to provide the Services, for security purposes, and to optimize content delivery. CDNs do not have access to Personal Data but are commonly used systems of distributed services that deliver content based on the geographic location of the individual accessing the content and the origin of the content provider. Website content served to website visitors and domain name information may be stored with a CDN to expedite transmission, and information transmitted across a CDN may be accessed by that CDN to enable its functions. The following describes use of CDNs by Front’s Services.