Sub-processor Policy and Register
This Policy governs how Zoiko Tech Inc. appoints, manages, reviews, replaces, and removes third-party processors that may process Customer Data in connection with the ZoikoTime platform.
ZoikoTime will not authorize a sub-processor to process Customer Data unless the sub-processor has passed vendor due diligence, is subject to a written agreement imposing appropriate data protection obligations, and meets ZoikoTime's security and compliance standards.
1. Purpose and Legal Status
This Sub-processor Policy and Register governs how Zoiko Tech Inc., acting through the ZoikoTime platform, appoints, manages, reviews, replaces, and removes third-party processors that may process Customer Data in connection with the ZoikoTime platform.
This Policy is incorporated by reference into the ZoikoTime Terms of Service, the ZoikoTime Data Processing Addendum, applicable order forms, and any enterprise agreement that expressly references it. It is designed for customers, procurement teams, privacy teams, security teams, legal reviewers, auditors, and enterprise governance stakeholders who require a clear, defensible, and operational sub-processor register.
2. Controller, Processor, and Sub-processor Roles
For Customer Data processed under the ZoikoTime DPA, Customer is generally the controller or business, and Zoiko Tech Inc. is generally the processor or service provider. Sub-processors process Customer Data on behalf of Zoiko Tech Inc., under Zoiko Tech Inc.'s instructions, and only for the purposes described in the authorized sub-processor register.
ZoikoTime remains responsible for the performance of its sub-processors to the extent required by the applicable DPA, the Terms of Service, and applicable data protection law.
A sub-processor may not process Customer Data for its own independent commercial purposes, sell Customer Data, use Customer Data for cross-customer profiling, or train general-purpose models on Customer Data without express written authorization from Zoiko Tech Inc. and the applicable Customer.
3. Authorized Sub-processor Register
ZoikoTime maintains an authorized sub-processor register identifying each sub-processor, corporate location, service function, categories of Customer Data processed, processing location, and applicable transfer safeguards. The current register is available through the ZoikoTime Trust Center or upon request.
Sub-processors are classified as:
- Core sub-processors: Required to operate the Service or its security baseline
- Conditional sub-processors: Used only if Customer enables a specific feature, communication channel, payment method, integration, region, or support workflow
- Enterprise-restricted sub-processors: May be disabled, region-locked, or substituted under an enterprise agreement where commercially and technically feasible
4. Sub-processor Due Diligence Standard
Before authorizing a sub-processor, ZoikoTime performs risk-based due diligence proportionate to the sensitivity of the data, the criticality of the service, and the jurisdictions involved. Minimum review criteria include:
- Corporate identity, legal status, ownership, contracting entity, and operational locations
- Information security controls including access control, encryption, vulnerability management, logging, and incident response
- Privacy posture including role classification, processing purpose, data minimization, retention, deletion, and data subject assistance
- Relevant assurance materials: SOC 2 Type II, ISO/IEC 27001, ISO/IEC 27701, penetration test summaries, or equivalent evidence
- Data protection terms including processor obligations, confidentiality, breach notification, return or deletion, and audit support
- Geographic processing footprint and any restricted transfer mechanisms required for EU, UK, Swiss, or other regulated personal data
5. Notification of New or Replacement Sub-processors
ZoikoTime will provide advance notice of new or replacement sub-processors through the ZoikoTime Trust Center, customer-facing legal documentation, or direct customer notification where required under the applicable DPA. The notice period is at least 10 business days for standard customers and at least 30 days for enterprise customers with contractual notice requirements, unless security, legal, or operational urgency requires a shorter period.
Notice will identify the new sub-processor's name, service function, data categories, processing location, and applicable transfer safeguards.
6. Customer Objection Rights and Resolution Process
Where a Customer has a legitimate privacy, security, or compliance concern about a new sub-processor, Customer may notify ZoikoTime in writing within the applicable objection window. ZoikoTime will work in good faith to assess the concern, consider whether the concern can be addressed through alternative configuration or technical measures, and, if the concern cannot be resolved, discuss options including Customer termination rights under the applicable agreement.
Objection rights apply only where Customer has a legitimate privacy or security basis for the objection. A general preference against a vendor, commercial considerations, or non-specific concerns do not constitute a valid objection basis for SCC or DPA purposes.
7. International Transfers and Transfer Safeguards
Where sub-processors process Customer Data outside the EEA, UK, or other jurisdictions with restricted transfer requirements, ZoikoTime ensures appropriate transfer safeguards are in place. Mechanisms may include:
- European Commission Standard Contractual Clauses (Module 3: Processor-to-Processor)
- UK International Data Transfer Addendum to the EU SCCs
- UK International Data Transfer Agreement
- Adequacy decisions where applicable
- Supplementary technical and organizational measures where required by Transfer Impact Assessments
Contact ZoikoTime
For questions about this document or your legal rights:
- Email: sales@zoikotime.com
- Tel: 1-631-833-9395
- Toll-free: 1-800-484-5574