1. Home>

Entities involved in the processing of data

We share personal data with other legal entities within SD Worx group and with other legal entities for the purpose of delivering the agreed services, we thereby distinguish all processing activities by delivery method. Any public legal entities that we share data with are excluded in this overview but can be inferred from the overview under “data processed as part of legal obligations”, we are then either instructed by law to share data or we have expressly agreed the sharing of data with the customer such as there where the law instructs our customers to do so. Data may in this case be shared with foremost governmental agencies such as in the area of taxation, social healthcare, pensions, etc. but also private firms such as banks and insurers.
We are thus distinguishing four different groups of entities with whom we share data.
1. SD Worx group subsidiaries as sub-processors
2. External entities as sub processors
3. Entities assigned by law
4. Entities in the data lifecycle chain providing ancillary services for the customer

SD Worx group subsidiaries as sub-processors

Data Protection and Information Security are central functions within the SD Worx Group and all essential policies and controls are effectuated equally throughout all companies that form part of SD Worx Group. We therefore hold that data delivered for the purposes of our fulfilment of a contractual obligation to one of the subsidiaries of SD Worx Group is to be considered as data delivered to all subsidiaries of SD Worx Group. The data exchanged between subsidiaries may however be limited based on the delivery model chosen and the country of operations.

On premise (OP)

During a normal on-premise delivery, the customer has the database containing personal data in-house and we are therefore unable to access the data without permission from the customer. All requirements relating to GDPR compliance mentioned on www.aditro.com/gdpr are applicable to all our products but as the market has shifted towards a cloud service based model we do have more of our newer products available for this model which may mean that functionalities are delivered through an onsite custom installation. Please contact our consulting team for more information.

Outside of onsite installations and maintenance of our products we may be able to access personal data in the normal course of business such as when providing support. In this case you as a customer will be taking initial contact and need to be aware of privacy best practice and operating standards.

Support Services. Any data delivered to us that may contain personal data is not identified as such there where it concerns the normal day-to-day business activities. E-mail and support tickets send to us are send over a trusted network but are left unencrypted. Such E-mails may contain personal data send to us and the sender should be aware that no large amounts of data are send in the text body of the E-mail. In this case think before you send applies and customers will be made aware and our staff will be trained to avoid unnecessary sharing of data.

Technical support services. Customer data for testing or for resolving errors in software or in the handling of software is only used upon consent from customer and preferably within customer environment. The data delivered to us in form of any attachment is removed within two years. We are sending files that may likely contain larger records of personal data such as CSV (excel) or XML files only encrypted and reduce where possible unique identifiers such as personal identification numbers. Of any files delivered to us that may likely contain sensitive data please ensure to:

1. Send files encrypted;
2. Filter personal data and alter by for example anonymizing where possible.

Cloud (CL)

The information under “support services” and “technical support services” applies also to our cloud customers. Otherwise our software as a service will not entail the transfer of large data files as we already are in possession of the database. It is therefore also that we have a special responsibility towards your data. Your data is handled by our centralized Cloud Team with offices in Espoo, Finland. Here delivery management, change management, information security management are working close together to ensure both availability and integrity of your data. Under technical and organisational security measures you will be able to find more information on how your data is safeguarded and respected.

Business Process Outsourcing (BPO)

Business Process Outsourcing is foremost done through the entities marked with “BPO” in the company name and data received in the execution of tasks is normally not shared outside the country of operations.

Entity name Country Business ID Address Main processing activities Applicable for Delivery Model  
          OP CL
SD Worx Enterprise Finland Oy Finland 2644026-6 PO Box 201, 02631 Espoo, Finland Main processor for customers within private sector in Finland (excl. BPO customers) ; software support, maintenance and consultancy services for all customers in the private and public sectors X X
SD Worx Shared Services Finland Oy Finland 2644030-3 PO Box 201, 02631 Espoo, Finland Cloud hosting, development, support and maintenance; IT security; technical consultancy; software support, maintenance and consultancy for all Cloud and BPO Customers of SD Worx in the Nordics   X
SD Worx BPO Finland Oy Finland 2644031-1 PO Box 201, 02631 Espoo, Finland Main processor for BPO customers in Finland. Business process outsourcing services in Finland; payroll, travel management and super user services    
SD Worx Estonia Oü Estonia 1.1E+07 Mäealuse 2/2
EE-12918 Tallinn, Estonia
Business process outsourcing services from Estonia, if and as agreed with the customer in the master agreement    
SD Worx Enterprise Sweden AB Sweden 556985-9829 Box 1102, 172 22 Sundbyberg, Sweden Main processor for customers within private sector in Sweden (excl. BPO customers); software support, maintenance and consultancy services for all customers X X
SD Worx Shared Services Sweden AB Sweden 556985-9811 Box 1102, 172 22 Sundbyberg, Sweden Cloud development, support and maintenance; IT security; technical consultancy; software support, maintenance and consultancy   X
SD Worx BPO Sweden AB Sweden 556601-8080 Box 1102, 172 22 Sundbyberg, Sweden Main processor for BPO customers in Sweden; Business process outsourcing services in Sweden, payroll, travel management and super user services.    
SD Worx Enterprise Norway AS Norway 913 143 663 Trelastgata 3, 0191 Oslo Main processor for customers within private sector in Norway (excl. BPO customers); software support, maintenance and consultancy services for customers

Cloud development, support and maintenance; IT security; technical consultancy; software support, maintenance and consultancy

X X
SD Worx BPO Norway AS Norway 813 285 762 Trelastgata 3, 0191 Oslo Main processor for BPO customers in Norway. Business process outsourcing services in Norway; payroll, travel management and super user services    

External entities as sub-processors

As part of our service delivery we may use external parties, in the case where such external parties have access to personal data these are listed here. Based on the access to personal data these sub-processors have received a criticality status critical or major. There where the sub-processor is listed as critical the sub-processor is subject to an on-site audit according to our audit policy.

On-Premises (OP)

Technical Support Services, customer data only used upon consent from customer and preferably within customer environment. There are limited entities that may be involved in sub processing and this is only due access to support incidents or through additional products purchased.

Cloud

For cloud service management we have strategical partners for the provision of hosting services and back-ups management. Please find more information below.

Business Process Outsourcing (BPO)

As part of the business process outsourcing delivery model we have partnerships with companies foremost for the provision of ancillary services such as printing and postage of payslips, such ancillary services are always agreed on in the master agreement. Please find more information below.

General Information         Selection criteria          
Entity name Country of processing Business ID Address Main processing activities Delivery Model²     Countryᶾ Customer Scope Processor since4
          OP CLOUD BPO      
Microsoft AB Netherlands /EU 502052-1307 Microsoft Ireland Operations Limited One Microsoft Place, South County Industrial Park, Leopardstown, Dublin 18, D18 P521 Access to information from SD Worx support incidents for internal applications that may contain personal data. X X X NORDIC ALL May-18
Elisa Oyj* Finland 0116510-6 Ratavartijankatu 5 00520 Helsinki Hosting of all SD Worx cloud delivered applications   X X NORDIC ALL May-18
Fiarone Oy Finland 2342645-0 Nereis Business Garden
Postikatu 2
20250 Turku
Security Event Monitoring and Storage   X X NORDIC ALL Apr-20
ProACT Finland Oy Finland 1084241-2 Elimäenkatu 17-19 00510 Helsinki Proact Oy is Maintenance and hardware operations partner and service provider to SD Worx Cloud and Internal ICT operations   X X NORDIC ALL May-18
DNA Oyj Finland 0592509-6 Läkkisepäntie 21, 00620 Helsinki DNA / Telenor Finland is Service provider in area of Datacenter services and Datacenter infrastructure without access to any of SD Worx systems located in DNA Premises   X X NORDIC ALL Aug-20
Tom Sønderup I/S Denmark 3.2E+07 Jyllandsgade 9, 4100 Ringsted Partner for BPO Delivery in Denmark     X DK ALL May-18
Microsoft Azure Netherlands /EU 502052-1307 Microsoft Ireland Operations Limited One Microsoft Place, South County Industrial Park, Leopardstown, Dublin 18, D18 P521 Access to information from support incidents for Aditro Pay and hosting platform for Aditro Pay and SD Worx Analytics   X X SE BASED ON PURCHASED PRODUCT May-18
Rely Sweden AB Sweden 556744-5589 Gånstavägen 4, 749 43 Enköping Partner for HR (Personec HR) and TEIS and XAIS support X X X SE BASED ON PURCHASED PRODUCT May-18
Posti Group Oyj Finland 1531864-4 Postintaival 7, 00230 Helsinki Printing services, delivery services, transferring services to home addresses of pay slip or employment related information     X FI BASED ON AGREEMENT May-18
POSTI MESSAGING AS Norway 9.7E+08 Sven Oftedals vei 8A 0950 Oslo Printing services, delivery services, transferring services to home addresses of pay slip or employment related information     X NO BASED ON AGREEMENT May-18
Taavi Tarkvara OÜ Estonia 1E+07 Turu plats 5-17, Tallinn 11611, Eesti Payroll and HR software provider in Estonia.     X EE BASED ON AGREEMENT May-18
Lessor A/S Denmark 2420010 Engholm Parkvej 8 3450 Allerød SaaS delivery of Lessor payroll solution in Denmark   X X DK BASED ON AGREEMENT Jun-20
Evry Norge AS Norway 933 012 867 Postboks 4, 1330 Fornebu Hosting of Payroll solution dedicated for customer     X NO ONE CUSTOMER May-18
Talentech AB Sweden 556675-7810 Rosenlunds gatan 52, 118 63 Stockholm Recruitment software Reachmee as SaaS service (storage, system admin, support )   X X NORDIC RESELLER, BASED ON PURCHASED PRODUCT May-18
Iver Sverige AB Sweden 556575-3042 Sveavägen 143, 113 46 Stockholm Provision of hosting services for above mentioned ReachMee recruitment software.   X X NORDIC RESELLER, BASED ON PURCHASED PRODUCT May-18
Scrive AB Sweden 556816-6804 Grev Turegatan 11A, 114 46 Stockholm Partner to SD Worx to provide SaaS service and mobile apps for e-signing of documents   X X NORDIC RESELLER, BASED ON PURCHASED PRODUCT Dec-18
Ab Norlic Oy Finland 0592518-4 Koulukatu 23, 68600 Pietarsaari Support services for SD Worx solutions, cloud hosting and support services relating to Norlic Ontime   X X FI RESELLER, BASED ON PURCHASED SERVICE/ PRODUCT May-18
PostNord Strålfors AB Sweden 556102-9843 Terminalvägen 24 171 73 Solna Printing services, delivery services, transferring services to home addresses of pay slip or employment related information   X X SE BASED ON AGREEMENT May-18
ServiceNow Nederland BV Netherlands /EU (**) 5.3E+07 Hoekenrode 3, 1102 BR Amsterdam Customer support platform as a SaaS Service; storage and back-up of user account data, ticket data, log data (more information on processing by Sofigate is available at www.aditro.com/servicenow) X X X NORDIC ALL May-20
Sofigate Services Oy Finland 2181137-1 Teknikantie 12, FIN-02150 Espoo 2nd Line Support to SD Worx for ServiceNow X X X NORDIC ALL May-20

*Elisa Appelsiini Oy (1539836-5) was merged with its parent company Elisa Oyj 0116510-6, as per 31 December 2018.

** see also below under Data transferred outside of EU/EEA

Country The country from where personal data may be accessed
Relevant selection criteria:
Applicable for Delivery Model Choose the delivery model that is applicable to you as a customer to see which sub-processors may be involved in the processing of
personal data.
Country Here you see whether the sub processor is country specific or whether it applies to the Nordic region as a whole.
CUSTOMER SCOPE Here we have included several definitions to be able to determine if this sub processor is applicable to you.

ALL
This sub processor is applicable to all customers provided that the delivery model and country selection criteria are fulfilled.
ONE CUSTOMER
This sub processor is only applicable to one customer only, if in doubt please contact privacy@sdworx.com
BASED ON AGREEMENT
This sub processors fulfil additional services on top of our products, these services are if applicable to you found in the Master
Agreement.
BASED ON PURCHASED PRODUCT
This sub processor is only applicable when you have purchased the product named in the main processing activities column.
RESELLER, BASED ON PURCHASED PRODUCT
This sub processor is only applicable when you have purchased the product named in the main processing activities, the product is
purchased through us and we perform our audit and controls relating to privacy and security towards this sub processor.

Data transferred outside EU/EEA

We have as part of our commitment to enrol equal requirements to our subcontractors and sub processors checked whether data will once within their domain be transferred to countries outside the EU/EEA. As of yet we are not and neither our processors transferring any data outside the EU/EEA. Any exclusions to this rule are always customer specific and expressly included in the data processing agreement with the customer.

As stated above, SD Worx Analytics and SD Worx Pay will be hosted by a third-party vendor, Microsoft Azure. Data hosted in the Microsoft Azure environment will be stored within the EU/EEA, but may in limited cases be accessed by Microsoft support resources located outside the EU/EEA as part of Microsoft’s support services, all such transfer will then be subject to the EU Standard Contractual Clauses, as set out in Microsoft’s Online Services Terms applicable from time to time (https://www.microsoft.com/en-us/trustcenter/Privacy/).

** As stated at www.aditro.com/servicenow, security log data (IP address, log on/log off data may in limited cases be accessed by ServiceNow employees also outside EU/EEA countries.

Entities assigned by law

Please see the overview of relevant laws that are observed under data processed as part of relevant legal obligations. Accounting laws may for example require us to store some source data that has been used for calculating relevant pay. Other laws may require us to share data directly with Tax Agencies.

Entities providing ancillary services

Entities that we may share data with are entities that provide ancillary services for our products. Payroll applications may transfer data towards Banks though our integration services. Please consult the master agreement you have with us as such sharing of data is expressly agreed.