Subprocessors

When providing our services, we engage third-party companies as service providers to support our business, for instance to provide computing and storage services. Please also see our Privacy Policy for further information.

General concept

Our goal is to use as few third-party providers as possible, and to keep the majority of the data in one single place. We chose Google Cloud as our core computing and storage facility, using Google Ireland for our EU-based clients, and Google USA for everyone else.   All employee-specific data like name, email, gender and also their reviews, feedback and recognition data stays in the Google Cloud.  The only true exception is email: We do send emails to staff when something new has happened, like a praise from a peer, or their manager signed their review, or a 1:1 is about to start. Those mails contain some confidential data (name, email, content snippets). Most of these mails can get deactivated by the client, and for EU clients we use an EU-based email provider.

Beyond this, we make use of a few additional sub-processors to help deliver our service. We ensured to pick only respectable companies that put a major focus on security, encrypting data in transit and at rest. We use these providers to  communicate with customers, to charge for our services, to analyze usage patterns, or to deliver in-app notifications.

We don’t share confidential data of  “regular employees” with these systems. But we do share names and email addresses of SI admin users or business contacts, and those who specifically reach out to us. Otherwise we’d not be able to create bills, respond to support inquiries, or communicate product news. We also share high-level usage data (“company X has 12 review cycles with 934 reviews in total”) with select subprocessors so we can offer client assistance proactively, and so we can analyze usage and trends to help improve our product offering.

Defaults and Options

New clients are by default hosted on the US Google servers, unless they  Clients on the EU server automatically use SendInBlue rather than Sendgrid as an email provider.

By default our clients are hosted on the US Google server and make use of Sendgrid for email delivery. New clients may immediately sign up using our EU server at https://eu.small-improvements.com. Existing clients can be easily transferred to the EU Google datacenter by requesting a move via support@small-improvements.com, and will then automatically make use of SendInBlue, a French email sending system.

Most emails can be adjusted or deactivated by clients in case they don’t want to share some of this content via email at all.

Additional integrations like with Slack, Google Calendar or HRIS tools can be set up by clients on their own. We don’t list these optional processors below, since it’s up to every organization if they for instance whish to send confidential data to Slack.

Subprocessor Overview

SystemData sharedDefault VendorEU AlternativeOpt-Out possible?
Application Hosting

All sensitive data is hosted here, including
employee names, email, gender, performance reviews,
recognition, and more.

Google Cloud
by: Google LLC
1600 Amphitheatre Pkwy
Mountain View, CA 94043, USA


Security Policy

Google Cloud
by: Google Ireland Ltd
Gordon House Barrow Street
Dublin 4, D04E5W5 Ireland

Security Policy

No
Email DeliveryUser names and email addresses
Excerpts of confidential data like praise, 1:1 notes and more.

Sendgrid
by: Twilio Inc.
375 Beale Street, Suite 300
San Francisco, CA 94105, USA

Security Policy

SendInBlue
55 rue d’Amsterdam
75008 Paris, France

Security & Privacy Policy

No, but most mails can get deactivated by the client
Customer Relationship
Company names and usage statistics
Names and email addresses of admins and business contacts

Hubspot, Inc.

25 First Street, 2nd Floor
Cambridge, MA 02141, USA

Security Policy

May 2021 (see below)
Customer InvoicingCompany name and billing information
Business contact names
Staff headcounts and coarse usage statistics

Chargebee Inc.

340 S Lemon Ave #1537
Walnut, CA, 91789, USA
Security Policy

or

Freshbooks
by: 2ndSite Inc.
1655 Dupont St.
Suite 250 Toronto, Ontario
M6P 3T1 Canada
Security Policy

Yes: Manual invoice creation possible at surcharge.
Please let us know upfront.
Customer phone supportCustomer phone numbers only

Aircall.io Inc.
82 Nassau St #958
New York, NY 10038, USA
Security Policy

Landline phone servicesOutbound: We only call US clients with Aircall
Inbound: Use our landline office number to call us
Support Desk
Company name
Administrator names and emails
Company headcount
Potentially confidential information that is sent to us via mail

Help Scout
Help Scout PBC
100 City Hall Plaza, 5th Floor
Boston, MA 02108, USA

Security Policy

Dixa
Dixa ApS, company no. 36561009
Vimmelskaftet 41A, 1 Sal.
1161 Copenhagen S, Denmark

Security Policy

May 2021 (see below):  EU clients can email us at suppport-eu@small-improvements.com
so tickets get processed at Dixa rather than at Help Scout

Cloud Spreadsheet servicesCompany names
Anonymized usage statistics
Survey results from admin users

Airtable
by Formagrid, Inc.
799 Market St, Floor 8
San Francisco, CA 94103, USA

Security Policy

No
In-app User guidanceCompany names and statistics
Admin names and email addresses

Appcues Inc.

54 Canal Street # 324
Boston, MA 02114, USA
May 2021 (see below)
 Internal Statistics
and Dashboards

Company names and usage statistics
Anonymized company statistics

Redash
by: Databricks Inc.
160 Spear Street, 13th Floor
San Francisco, CA 94105, USA

Privacy Policy

No

Planned changes

Our plan is that as of May 2021 clients will be able to deactivate information-sharing with our CRM Hubspot and with our User Guidance tool Appcues.

As of May 2021 we also plan to provide a dedicated EU-based helpdesk system.

The systems which clients can’t opt our from (and for which no EU-based alternative exists) only store highly anonymized data about clients.

Return to Privacy Policy