Schedule a Demo

Schedule a Demo

Schedule a Demo

DARWINBOX Sub Processors

Data Sub-processors

Darwinbox uses certain sub-processors and content delivery networks to assist it in providing the Darwinbox HRMS Platform as described in the Service contract. Defined terms used herein shall have the same meaning as defined in the contract.

What is a Sub-processor?

A sub-processor is a third-party data processor engaged by Darwinbox, who has or potentially will have access to or process Service Data (which may contain Personal Data). Darwinbox engages different types of sub-processors to perform various functions as explained in the tables below.

Due Diligence

Darwinbox undertakes to use a commercially reasonable selection process by which it evaluates the security, privacy and confidentiality practices of proposed sub-processors that will or may have access to or otherwise process Service Data.

Contractual Safeguards

Darwinbox generally requires its sub-processors to satisfy equivalent obligations as those required from Darwinbox(as a Data Processor) as set forth in Darwinbox Data Processing Agreement(“DPA”), including but not limited to the requirements to:

  • Process Personal Data in accordance with data controller’s (i.e. Subscriber’s) documented instructions (as communicated in writing to the relevant sub-processor by Darwinbox);
  • In connection with their sub-processing activities, use only personnel who are reliable and subject to a contractually binding obligation to observe data privacy and security, to the extent applicable, pursuant to applicable data protection laws;
  • Provide regular training insecurity and data protection to personnel to whom they grant access to Personal Data;
  • Implement and maintain appropriate technical and organizational measures (including measures consistent with those to which Darwinbox is contractually committed to adhere to in so far as they are equally relevant to the sub-processor’s processing of Personal – Data on Darwinbox’s behalf and provide an annual certification that evidence compliance with this obligation. In the absence of such certification, Darwinbox reserves the right to audit the sub-processor;
  • Promptly inform Darwinbox about any actual or potential security breach; and Cooperate with Darwinbox to deal with requests from data controllers, data subjects, or data protection authorities, asapplicable.

Third-party service providers which incidentally have access to Your Service Data in Innovation Services and are used to provide specific features or components of the product outside of the core hosting of Service Data (“Innovation Service Specific sub-processors”) are regularly reviewed by Darwinbox to ensure they work towards implementing each of the standards described in this Section. However, Innovation Service Specific sub-processors may not currently meet all of the measures identified above.

This policy does not give Subscribers any additional rights or remedies and should not be construed as a binding agreement. The information here in is only provided to illustrate Darwinbox’s engagement process for sub-processors as well as to provide the actual list of third-party sub-processors and content delivery networks used by Darwinbox as of the date of this policy (which Darwinbox may use in the delivery and support of its Services).

If you are a Darwinbox Subscriber and wish to enter our DPA, please email us at

Process to Engage New Sub-processors:

For all Subscribers who have executed Darwinbox’s standard DPA, Darwinbox will provide notice via this policy of updates to the list of sub-processors that are utilized or which Darwinbox proposes to utilize to deliverits Services. Darwinbox undertakes to keep this list updated regularly to enable its clients to stay informed of the scope of sub-processing associated with the Darwinbox Services.

Pursuant to the DPA, a client may object in writing to the processing of it’s Personal Data by a new sub-processor within thirty (30) days following the update of this policy and such objection shall describe Subscriber’s legitimate reason(s) for objection. If a client does not object during such a time period, the new sub-processor(s) shall be deemed accepted. 

If a Subscriber objects to the use of a new sub-processor pursuant to the process provided under the DPA, Darwinbox shall have the right to cure the objection through one of the following options (to be selected at Darwinbox’s sole discretion):

  1. Darwinbox will cease to use the new sub-processor with regard to Personal Data;
  2. Darwinbox will take the corrective steps requested by Subscriberin its objection (which steps will be deemed to resolve Subscriber’s objection) and proceed to use the sub-processor to process Personal Data; or
  3. Darwinbox may cease to provide or Subscriber may agree not to use (temporarily or permanently)the particular aspect of a Darwinbox Service that would involve use of the sub-processor to process Personal Data. 

Termination rights, as applicable and agreed, are set forth exclusively in the DPA.

The following is an up-to-date list(as of the date of this policy) of the names and locations of Darwinbox sub-processors and content delivery networks:

Infrastructure Sub-processors - Service Data Storage and Processing

Darwinbox owns or controls access to the infrastructure that Darwinbox uses to host and process Service Data submitted to the Services, other than as set forth herein. Currently, the Darwinbox production systems used for hosting Service Data for the Services are located in co-location facilities in India and Singapore and in the infrastructure sub-processors listed below. Subscriber accounts are typically established in one of these regions based on where the Subscriber is located but may be shifted among locations to ensure performance and availability of the Services. The following table describes the countries and legal entities engaged by Darwinbox in the storage of Service Data. Darwinbox also uses additional services provided by these sub-processors to process Service Data as needed to provide the Services. Infrastructure sub-processors donot have control of customer data and Darwinbox owns and manages data with in the service providers infrastructure. In case of data center failure Darwinbox ensures data availability within geographies agreed between customers and Darwinbox.

Entity Name
Entity Type
Entity Country
Amazon Web Services, Inc.
Cloud Service Provider
India, USA, and multiple other countries
Microsoft, Inc.
Cloud Service Provider
India, Singapore, USA, and multiple other countries
Service Specific Sub-processors

Darwinbox works with certain third parties to provide specific functionality within the Services. These providers are the sub-processors set forth below. In order to provide the relevant functionality these sub-processors access Service Data. Their use is limited to the indicated Services. If Subscriber has purchased the Darwinbox HRMS service, the sub-processors used forthe Suites will be in accordance with the sub-processors listed forthe underlying Services that make up the Darwinbox HRMS service as applicable and detailed in this policy.

Entity Name
Entity Country
Sub-processors privacy statement
Sendgrid, Inc.
Sendgrid, Inc. (“Sendgrid”) is an email campaign service provider used within Darwinbox platform to send notification emails and dashboards to End-Users. The primary information Sendgrid has access to is the email addresses of recipients of the emails and the content of the emails themselves. The content of the emails may include the dashboards Subscriber has chosen to include in the email campaign.
United States. en-us/legal/privacy
MongoDB, Inc. (Atlas) https://www.mongodb. com/cloud/atlas
MongoDB Atlas is a Cloud hosting service for MongoDB. Darwinbox may store user data and authorization information in a MongoDB database hosted by Atlas.
United States.
https://www.mongodb .com/cloud/trust
Microsoft Office 365
Darwinbox uses Microsoft office 365 for infrastructure processes such as email, sharePoint & security services
India., Inc., Inc is a product analytics application with in-app guidance and user feedback capabilities, enabling even nontechnical teams to deliver better product experiences to their customers or employees. The primary information that Pendo has access to is the data that is stored in Darwinbox such as Employee id and last login details, etc.
Raleigh, The United States of America. page/
Scroll to Top