Subprocessor List
Third parties Jombone Inc. engages to deliver the Jombone Staffing Operations Platform.
About This List
Jombone Inc. (“Jombone”) engages the third-party service providers identified below (“Subprocessors”) to process Customer Data in the course of delivering the Jombone Staffing Operations Platform (the “Platform”). This list is maintained pursuant to Jombone’s Master Services Agreement (Exhibit A — Data Processing Addendum, Section A4) and Jombone’s Privacy Policy.
Each Subprocessor has been subject to Jombone’s due-diligence process and is contractually obligated to data-protection standards comparable to those Jombone owes its Customers. Subprocessors are organized below by functional category. Use of an “Optional” Subprocessor depends on Customer’s Order Form configuration or specific feature activation.
How We Notify You of Changes
Jombone updates this page at least fourteen (14) days before engaging any new Subprocessor that will process Customer Personal Data. Customers may also subscribe to email notifications by writing to [email protected] with the subject line “Subprocessor Notification Subscription.”
If a Customer has reasonable data-protection grounds to object to a new Subprocessor, the Customer should email [email protected] within fourteen (14) days of the notification. The objection and resolution process is described in the Data Processing Addendum.
Core Infrastructure
The foundation of the Platform. These Subprocessors are essential and cannot be opted out of.
| Subprocessor | Purpose | Data Categories Processed | Processing Region | Status |
|---|---|---|---|---|
| Amazon Web Services, Inc. (AWS) Seattle, WA, USA | Cloud infrastructure hosting (compute, storage, database, networking, key management, backups) | All Customer Data processed by the Platform, including candidate, Worker, End-Client, and Customer records; encrypted at rest (AES-256) and in transit (TLS 1.2+) | United States; Canada | Essential |
| Cloudflare, Inc. San Francisco, CA, USA | Content delivery network, DDoS protection, web application firewall | Network metadata, IP addresses, request headers; no Personal Data stored at rest | Global edge network | Essential |
Authentication and Identity
| Subprocessor | Purpose | Data Categories Processed | Processing Region | Status |
|---|---|---|---|---|
| Auth0 (Okta, Inc.) San Francisco, CA, USA | Authentication, SSO, multi-factor authentication, identity management | Authorized User email, name, login metadata, hashed password, session tokens, MFA factor data | United States | Essential |
AI and Machine Learning
Used to power AI matching, AI screening agents, AI sourcing, and the JScore. Jombone uses commercially reasonable efforts to obtain “no training on Customer Data” configurations from these providers.
| Subprocessor | Purpose | Data Categories Processed | Processing Region | Status |
|---|---|---|---|---|
| OpenAI, L.L.C. San Francisco, CA, USA | Large-language-model inference for AI matching, AI screening agents, and AI sourcing | Candidate resumes/profiles, job descriptions, screening interview responses (no Customer financial or government-identifier data sent to OpenAI) | United States | Essential |
| Anthropic, PBC San Francisco, CA, USA | Large-language-model inference (fallback/routing for AI matching and screening) | Candidate resumes/profiles, job descriptions, screening interview responses | United States | Essential |
Communications
| Subprocessor | Purpose | Data Categories Processed | Processing Region | Status |
|---|---|---|---|---|
| Twilio Inc. San Francisco, CA, USA | SMS messaging (shift offers, schedule changes, verification codes, alerts) | Worker and Authorized User phone numbers, message content, delivery metadata | United States; Canada (for CA messaging) | Essential |
| SendGrid (Twilio Inc.) Denver, CO, USA | Transactional and operational email delivery | Recipient email addresses, message content, delivery metadata | United States | Essential |
| Nylas, Inc. San Francisco, CA, USA | Email and calendar integration (Customer connects Customer’s own Google Workspace or Microsoft 365 mailbox) | Email subject lines, message bodies, attachments, calendar event metadata associated with the connected mailbox | United States | Optional |
| Intercom, Inc. San Francisco, CA, USA | In-app chat and customer support messaging | Authorized User name, email, support-conversation content, page-visit metadata | United States; Ireland (EU support tier; not active for Jombone) | Essential |
Background Checks and Credentialing
| Subprocessor | Purpose | Data Categories Processed | Processing Region | Status |
|---|---|---|---|---|
| Certn Inc. Victoria, BC, Canada | Criminal background, identity verification, education/employment verification, credit checks (where requested) | Candidate full name, date of birth, government identifiers, address history, employment history, education history, consent records, check results | Canada; United States | Optional |
eSignature and Document Management
| Subprocessor | Purpose | Data Categories Processed | Processing Region | Status |
|---|---|---|---|---|
| SignNow, Inc. (airSlate Inc.) Boston, MA, USA | Electronic signature workflows for onboarding documents, offer letters, contracts, tax forms | Signer name, email, IP address, signature image, audit trail, document content (W-4, TD1, employment agreements, NDAs, onboarding forms) | United States | Essential |
Maps, Location, and Routing
| Subprocessor | Purpose | Data Categories Processed | Processing Region | Status |
|---|---|---|---|---|
| Google LLC (Google Maps Platform) Mountain View, CA, USA | Address geocoding, mapping display, distance and routing calculations, geo-fencing | Worksite addresses, Worker location (where geo-fencing is enabled by Customer), shift route data | United States; global edge | Essential |
Job Distribution
| Subprocessor | Purpose | Data Categories Processed | Processing Region | Status |
|---|---|---|---|---|
| JobTarget LLC East Hartford, CT, USA | Multi-board job posting and distribution to external job boards (Indeed, LinkedIn, ZipRecruiter, niche boards, etc.) | Job posting content (title, description, location, pay range), Customer brand metadata, application redirect URLs | United States | Optional |
Analytics, Compliance, and Operations
| Subprocessor | Purpose | Data Categories Processed | Processing Region | Status |
|---|---|---|---|---|
| Drata Inc. San Diego, CA, USA | Continuous compliance monitoring, SOC 2 evidence collection, controls automation | Jombone internal-system metadata, employee-access metadata, configuration evidence (no Customer Data content) | United States | Essential |
| Datadog, Inc. New York, NY, USA | Application performance monitoring, log management, infrastructure observability | System logs, performance metrics, error traces (Personal Data is filtered/redacted before ingestion) | United States | Essential |
| Mixpanel, Inc. San Francisco, CA, USA | Product usage analytics (in-app feature usage patterns, not Customer Data content) | Authorized User identifier (pseudonymous), event names, session metadata, browser/device type | United States | Optional |
Payment Processing (Jombone Subscription Billing Only)
The Subprocessors below process Jombone’s subscription billing — i.e., Customer’s payment of Jombone subscription fees. None of these Subprocessors processes Worker wages, Customer payroll, or End-Client invoicing; those are handled by Customer’s own payroll provider and bank, outside the Platform. Jombone does not move funds for Customer (see MSA Section 4.3).
| Subprocessor | Purpose | Data Categories Processed | Processing Region | Status |
|---|---|---|---|---|
| Stripe, Inc. San Francisco, CA, USA | Subscription billing, invoice payment processing | Customer billing contact name and email, payment-method tokens (full card data is held by Stripe, not Jombone) | United States | Essential |
Where Subprocessors Are Located
Most Subprocessors are headquartered in the United States. Certn (background checks) is headquartered in Canada. Cloudflare and Google Maps operate on global edge networks but route Customer Data through US/Canadian regions for Jombone’s deployment. Jombone does not transfer Customer Personal Data to jurisdictions outside the United States and Canada except via routine network routing or where required to deliver a specific Customer-requested feature.
How Jombone Vets Subprocessors
- Security and privacy due diligence prior to engagement, including review of independent certifications (SOC 2, ISO 27001) where available
- Written contracts imposing data-protection obligations comparable to those Jombone owes its Customers, including the requirements of the CCPA/CPRA, PIPEDA, and applicable US state privacy laws
- Restrictions on the Subprocessor’s use of Customer Data, including (where the provider offers the option) opting out of model training on Customer Data
- Ongoing monitoring through Jombone’s compliance program (Drata)
- Incident notification obligations on the Subprocessor, with Jombone passing relevant notifications on to affected Customers
Customer Rights
Under the Master Services Agreement (Exhibit A — DPA), Customer has the right to:
- Receive at least 14 days’ advance notice of new Subprocessors processing Personal Data
- Object to a new Subprocessor on reasonable data-protection grounds within 14 days of notice
- Where an unresolved objection persists, terminate the affected services with 30 days’ written notice (without triggering early-termination acceleration)
- Request documentation of Jombone’s due-diligence and contractual safeguards with respect to any Subprocessor