Privacy
List of Sub Processors
Welcome to Qoria’s sub-processor page where we publish our list of sub-processors authorised to process Personal Data for Qoria’s products. Qoria performs due diligence on the information security practices and data protection compliance of all sub-processors and requires each to commit to written obligations regarding their security controls and applicable regulations for the protection of personal data.
This list includes all sub-processors currently engaged by Qoria that may process Personal Data; however not all sub-processors provide services to all customers. The sub-processors applicable to a customer depend on the products used by that customer with Qoria.
Please note: where a sub processor entry below lists multiple locations, the region used is where the customer is located, with the default location listed first for customers who reside in a location where the provider has no presence.
| Legal Entity Name | Product(s) | Purpose of Processing | Categories of Personal Data | Data Subjects | Country of Processing | Transfer Mechanism | DPF | Security / DPA |
|---|---|---|---|---|---|---|---|---|
|
Google LLC |
Classwize, Pulse, Monitor, Record Manager, Filter |
Cloud infrastructure (GCP), storage and processing, data visualisation (Looker, Charts), push notifications (Firebase) |
Varies by service: authentication tokens, cloud-stored application data, analytics events, IP addresses |
Students/children, teachers, parents/guardians, school administrators (varies by service) | United States; EU/UK regions Australia (Per customer location) |
EU SCCs; UK IDTA; EU-US DPF certified | Yes | ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3; |
|
Microsoft Corporation |
Monitor, Record Manager, Filter |
Cloud infrastructure (Azure), storage and processing, content classification |
Application data, content flagged for review, device identifiers |
Students/children, teachers, school administrators | US (US customers), UK (all others). | EU SCCs; UK IDTA; EU-US DPF certified | Yes | ISO 27001, SOC 1/2/3, CSA STAR; |
|
Amazon Web Services, Inc. |
Qustodio |
Cloud infrastructure, compute, and data storage |
Application data hosted on AWS infrastructure |
Parents/children | United States | EU SCCs; UK IDTA; EU-US DPF certified | Yes | ISO 27001, SOC 1/2/3, CSA STAR; |
|
Datadog, Inc. |
Filter, Classwize, Pulse, Monitor |
Application performance monitoring, infrastructure observability, log management |
System logs, application performance metrics, error traces. May include IP addresses or user IDs in logs. |
Indirect processing only system-level data. No direct student PII. | United States GCP |
EU SCCs; UK IDTA; EU-US DPF certified | Yes | SOC 2 Type II, ISO 27001; |
|
Cockroach Labs, Inc. |
Classwize, Filter |
Distributed SQL database hosting for identity and relationship data |
Names, email addresses, usernames, parent/guardian details, teacher details, classroom relationships, groups |
Students/children, parents/guardians, teachers, school administrators | US, EU, UK, or Australia, GCP (depending on customer location) | EU SCCs; UK IDTA where applicable. | Yes | SOC 2 Type II; |
|
PostHog, Inc. |
Filter, Classwize, Pulse, Monitor |
In-app product usage analytics (aggregated user interaction data for feature improvement) |
User IDs, session data, feature interaction events, IP addresses |
School administrators, teachers. No direct student PII processed. | AWS Germany, Frankfurt | EU SCCs (2021/914); UK IDTA Addendum | Yes | SOC 2 Type II; |
|
The Rocket Science Group LLC d/b/a Mailchimp (Intuit) |
Filter, Qustodio |
Transactional email delivery and email marketing communications if enabled |
Email addresses, email delivery metadata, names |
School administrators, parents/guardians | United States | EU SCCs; UK IDTA; EU-US DPF certified (Intuit) | Yes | SOC 2 Type II; |
|
Stream.io B.V. / Stream.io Inc. |
Classwize |
In-app messaging and activity feed infrastructure |
User IDs, message content, activity feed events |
Teachers, students/children (classroom activity) | Netherlands (EU); United States | EU entity (NL) for EU data; US entity under EU SCCs | No | SOC 2 Type II; |
|
Apple Inc. |
Pulse, Qustodio |
Mobile app distribution (App Store), push notification delivery (APNs) |
Device tokens, push notification metadata |
Parents/guardians (Pulse app users) | United States | EU SCCs; EU-US DPF certified | Yes | ISO 27001, SOC 2; |
|
Mailjet SAS (Sinch Group) |
Monitor, Record Manager, Filter |
Transactional and notification email delivery |
Email addresses, email content, delivery metadata |
School administrators, teachers, designated safeguarding leads | France (EU) | EU entity (France) — no restricted transfer for EU/UK customers | N/A | ISO 27001; |
|
OVHcloud (OVH Groupe SAS) |
Record Manager |
Cloud infrastructure and data hosting |
Application data, recorded sessions, stored files |
Students/children, teachers, school administrators | France (EU) | EU entity (France) — no restricted transfer for EU customers | N/A | ISO 27001, SOC 1/2, HDS; |
|
Redstor Limited |
Record Manager |
Cloud backup and disaster recovery |
Encrypted backup data (application database contents) |
Students/children, teachers, school administrators (as stored in backups) | United Kingdom | UK entity — UK adequacy decision applies | N/A | ISO 27001; |
|
PDFcrowd s.r.o. |
Record Manager |
HTML-to-PDF document conversion |
Report content converted to PDF (may include student names, incident data) |
Students/children, teachers (as referenced in reports) | Czech Republic (EU) | EU entity (Czech Republic) — no restricted transfer | N/A | Various Security certifications |
|
PDFShift |
Filter |
SaaS HTML-to-PDF converter |
Report content converted to PDF (may include student names, incident data) |
Students/children, teachers (as referenced in reports) | France (OVH) | EU entity | N/A | Https and API restrictions |
|
Artifex Software, Inc. (DocRaptor) |
Record Manager |
HTML-to-PDF/Excel document generation |
Report content converted to documents (may include student names, incident data) |
Students/children, teachers (as referenced in reports) | United States | EU SCCs; UK IDTA | No | Various Security certifications |
|
Azeus Systems Ltd |
Record Manager |
Care management platform (AzeusCare) |
Case records, care notes, individual identifiers |
Students/children (looked-after/safeguarding), social workers | United Kingdom; Hong Kong | UK operations; TIA required for HK processing. EU SCCs where applicable. | N/A | ISO 27001; |
|
Clickatell (Pty) Ltd |
Record Manager |
SMS notification delivery |
Mobile phone numbers, SMS message content |
Parents/guardians, school administrators | South Africa; United States | EU SCCs; UK IDTA. TIA conducted for South Africa. | N/A | ISO 27001; |
|
rsync.net, Inc. |
Filter |
Encrypted off-site backup storage |
Encrypted backup data |
Students/children, teachers, school administrators (encrypted; no direct access) | Switzerland | EU SCCs; UK IDTA. Data stored in Switzerland (CH adequacy). | No | Data at rest encrypted. |
|
Braze, Inc. |
Qustodio |
Push notification delivery, in-app messaging, customer engagement communications |
Device tokens, user IDs, engagement event data, email addresses |
Parents/guardians (Qustodio app users) | United States | EU SCCs; UK IDTA; EU-US DPF certified | Yes | SOC 2 Type II, ISO 27001; |
|
Chargebee Inc. / Chargebee Technologies Pvt. Ltd |
Qustodio |
Subscription billing and revenue management |
Billing contact name, email, subscription plan details, payment metadata (no card numbers) |
Parents/guardians (paying subscribers) | United States | EU SCCs; UK IDTA. | No | SOC 1/2 Type II, PCI DSS; |
|
Cleverbridge GmbH / Cleverbridge Inc. |
Qustodio |
E-commerce and digital subscription management |
Purchaser name, email, billing address, purchase history |
Parents/guardians (paying subscribers) | Germany (EU); United States | EU entity (Germany) for EU customers; US entity under EU SCCs | No | PCI DSS; |
|
PayPal, Inc. / PayPal (Europe) S.à r.l. et Cie, S.C.A. |
Qustodio |
Payment processing (Braintree gateway) |
Payment transaction data, billing name, email. Qoria does not store card numbers. |
Parents/guardians (paying subscribers) | United States; Luxembourg (EU) | EU entity (Luxembourg) for EU customers; US entity under EU SCCs; EU-US DPF certified | Yes | PCI DSS Level 1, SOC 1/2; |
|
Segment.io, Inc. (subsidiary of Twilio Inc.) |
Qustodio |
Customer data platform — event routing and analytics integration |
User IDs, event data, device identifiers, IP addresses |
Parents/guardians (Qustodio app users) | United States | EU SCCs; UK IDTA; EU-US DPF certified (Twilio) | Yes | SOC 2 Type II, ISO 27001; |
|
Stripe, Inc. / Stripe Payments Europe Ltd |
Qustodio |
Payment processing and subscription billing |
Payment transaction data, billing name, email. Qoria does not store card numbers. |
Parents/guardians (paying subscribers) | United States; Ireland (EU) | EU entity (Ireland) for EU customers; US entity under EU SCCs; EU-US DPF certified | Yes | PCI DSS Level 1, SOC 1/2; |
|
Zendesk, Inc. |
Customer Support |
Customer support ticketing, live chat, help centre management. |
Support requester name, email, support ticket content. No student behavioural data shared. |
School administrators, parents/guardians, IT staff (support requesters only) | Germany (EU) | N/A | Yes | SOC 2 Type II, ISO 27001; |
|
ChurnZero, Inc. |
Customer Support |
Customer success management and usage analytics |
Account admin names, email addresses, product usage metrics, business scores |
School administrators, IT staff. No student data. | United States | EU SCCs; UK IDTA | Yes | SOC 2 Type II; |
|
HubSpot, Inc. |
Customer Support |
Customer relationship management, marketing automation, support ticketing |
Contact names, email addresses, organisation details, support interactions |
School administrators, IT staff, procurement contacts. No student data. | United States; Germany (EU) | EU SCCs; UK IDTA; EU-US DPF certified | Yes | SOC 2 Type II, ISO 27001; |