Aiven Oy (herein ‘’Aiven’’) uses certain Subprocessors (including Aiven Affiliates) and subcontractors to assist in providing Aiven Services (Cloud Services and Support Services) to its customers. This page explains the difference between a Subprocessor and subcontractor of Aiven and specifies the services and tasks provided by the Subprocessors and subcontractors.
What is a Subprocessor?
Subprocessors are Aiven Affiliates and third parties necessary to participate in processing the personal and other data Customer has input to the Cloud Services (‘’Customer Data’’) in order for Aiven to provide the Services to the Customer as agreed.
Subprocessors are divided into three categories:
Aiven back-end service providers
Aiven infrastructure service providers.
What is a subcontractor?
Subcontractors are Aiven service providers who provide Aiven the services necessary to provide the Services to Customer, but who do not participate in processing the data Customer has input into the Cloud Services.
Aiven provides its Services from multiple different locations through Aiven Affiliates. The employees of Aiven Affiliates may participate in the processing of Customer Data when Support Services are provided if and to the extent Aiven Support Personnel configure the Cloud Services as part of Support Services. Note, that even though the Aiven Affiliate employees participate in processing of the Customer Data, no personal data transfer takes place as Aiven employees only process the metadata (e.g. information whether the Cloud Service is active or not) of the Cloud Services in which the Customer Data is stored, and the Customer Data never leaves the location chosen by Customer.
As the definition of processing is wide under the GDPR, Aiven classifies the Affiliates’ employees as Subprocessors of Aiven even though Aiven Affiliates do not access or see the Customer Data when processing service metadata. Aiven Affiliate employees may access and have visibility to the Customer Data only if separately requested by and agreed with the Customer.
Aiven back-end Subprocessors
Aiven back-end Subprocessors provide Aiven with the infrastructure that enables Aiven to run back-end services for managing and monitoring the Cloud Services. The provided back-end services (i.e. management plane) are used by Aiven to manage and monitor, and to ensure the integrity and availability of the Cloud Services and the Customer Data included therein. The back-end services or the back-end service Subprocessors are only used to deploy and manage the Cloud Services and the Customer Data is not accessed.
The Aiven back-end services, their provider, location and functions are listed below.
Aiven infrastructure Subprocessors
Aiven controls access to the infrastructure that Aiven uses to host, store and process the Customer Data input to the Cloud Services. The Subprocessor and location/region depend on which Subprocessor and region Customer chooses independently to select. Customer Data will stay in the region selected by the Customer but may be shifted and co-located between different data centers within the region chosen by the Customer to ensure performance and availability of the Cloud Services.
The infrastructure Subprocessors don’t have logical access to the Customer Data as Aiven does not store encryption keys directly on US-based Cloud Service Provider Key Management Systems such as Azure Key Vault, AWS KMS, and GCP KMS. Instead, Aiven utilizes its own Key Management System running on Aiven controlled virtual machines within European GCP data centers ensuring compliance with the Schrems II decision.
Aiven uses certain third parties listed below to provide specific functionality within the Services. The subcontractors may process Cloud Service metadata and personal data of the Customer’s contact persons if and as provided by the Customer, in which processing Aiven acts as the data controller determining the means and purposes of the processing as needed to respond to customer requests, to arrange invoicing, and to communicate internally and externally with regards to the Customers use of Cloud Services.
No Customer Data uploaded to the Cloud Services is processed by the subcontractor nor can Customer determine the means and purposes of the processing of services provided by Aiven’s subcontractors, hence Customer does not act as a data controller towards the subcontractors listed below.