Subprocessors Privacy Policy

1. Overview and Purpose

One Model Inc. ("One Model," "we," "us," or "our") engages certain third-party service providers ("Sub-processors") to Process Subscriber Personal Data on our behalf in connection with the delivery of the One Model People Analytics platform and One AI products (collectively, the "Services").

This page satisfies One Model's transparency obligations under:

EU/UK GDPR – Article 28(1) (sub-processor authorization and transparency)
CCPA/CPRA (California) – Section 1798.100 et seq. (disclosure of service providers)
PIPEDA (Canada) – Schedule 1, Principle 4.1.3 (accountability for third-party transfers)
Australian Privacy Act 1988 (Cth) – APP 8 (cross-border disclosure of personal information)

Unless expressly stated otherwise, capitalized terms used on this page have the meanings set out in the One Model Data Processing Agreement ("DPA"), which is incorporated into your Subscriber agreement or available upon request at privacy@onemodel.co.

2. Sub-processor Obligations

One Model contractually requires each Sub-processor to comply with obligations that are no less protective than those imposed on One Model under applicable privacy laws and the DPA. These obligations include, at minimum:

Processing Personal Data only on documented instructions from One Model and for no other purpose;
Implementing appropriate technical and organizational security measures consistent with applicable law (including GDPR Art. 32, NIST SP 800-53, and ISO 27001 where applicable);
Assisting One Model in responding to data subject rights requests (access, correction, deletion, portability, objection) within required timeframes;
Notifying One Model without undue delay upon becoming aware of a Personal Data breach;
Deleting or returning all Personal Data upon termination of the engagement, and certifying deletion upon request;
Not engaging further sub-processors without prior written authorization from One Model;
Permitting and contributing to audits and inspections as required by applicable law; and
Complying with applicable cross-border transfer requirements, including executing Standard Contractual Clauses or equivalent mechanisms where required.

3. Current Sub-processors

The following Sub-processors are currently authorized to Process Subscriber Personal Data in connection with the Services. One Model conducts due diligence on all Sub-processors prior to engagement and periodically reviews their compliance.

Sub-processor	Legal Entity & Country	Service Category	Data Processed	Processing Location(s)	Transfer Mechanism	Privacy Reference
Amazon Web Services (AWS)	Amazon Web Services, Inc. — USA	Cloud infrastructure & hosting (all core platform functionality)	All categories of Subscriber Personal Data stored or processed within the One Model platform, including HR and workforce data	US (East); Canada; EU (Ireland); Australia — region determined by Subscriber configuration at onboarding	EU SCCs (Module 2); UK IDTA; PIPEDA accountability; AWS Australia DPA	aws.amazon.com/compliance/gdpr-center
OpenAI	OpenAI, LLC — USA	AI model inference (One AI features, where enabled by Subscriber)	Subscriber-submitted prompts and relevant contextual data as configured by the Subscriber	United States	EU SCCs (Module 2); UK IDTA	openai.com/policies/privacy-policy
Zendesk	Zendesk, Inc. — USA	Customer support ticketing and implementation coordination	Support request content; Subscriber contact information	United States	EU SCCs (Module 2); UK IDTA	zendesk.com/company/privacy-and-data-protection
Smartsheet	Smartsheet Inc. — USA	Project and onboarding management	Contact information; project task and milestone data	United States	EU SCCs (Module 2); UK IDTA	smartsheet.com/legal/privacy

Scope Note: This table covers Sub-processors that Process Subscriber Personal Data — i.e., data handled on behalf of enterprise customers pursuant to a DPA. Sub-processors involved solely in processing data collected through our Website and marketing activities are disclosed in our Privacy Policy.

4. International Data Transfers

Where Sub-processors are located outside the jurisdiction in which Personal Data originates, One Model ensures appropriate safeguards are in place before any transfer occurs.

4.1 EU / EEA Transfers (GDPR, Chapter V)

All transfers of Personal Data from the EEA to Sub-processors in third countries (including the United States) are governed by Standard Contractual Clauses (SCCs) adopted under European Commission Decision 2021/914, Module 2 (Controller-to-Processor). Where required, a Transfer Impact Assessment (TIA) is conducted prior to transfer.

4.2 UK Transfers (UK GDPR / Data Protection Act 2018)

All transfers from the UK are governed by the UK International Data Transfer Agreement (IDTA) issued by the Information Commissioner's Office, or by SCCs with an approved UK Addendum.

4.3 Canadian Transfers (PIPEDA, Schedule 1 – Principle 4.1.3)

One Model remains accountable for Personal Information transferred to Sub-processors in foreign jurisdictions. We require Sub-processors to provide a comparable level of protection through contractual means. Canadian residents are notified that their Personal Information may be subject to disclosure to foreign authorities under the laws of the Sub-processor's jurisdiction.

4.4 Australian Transfers (Privacy Act 1988 (Cth), APP 8)

Before disclosing Personal Information to an overseas Sub-processor, One Model takes reasonable steps to ensure the recipient does not breach the Australian Privacy Principles ("APPs"). Where Sub-processors are located in countries without an adequacy finding, One Model relies on contractual protections equivalent to the APPs. One Model remains accountable for such disclosures under APP 8.1.

Copies of applicable transfer mechanisms are available upon request at privacy@onemodel.co.

5. CCPA/CPRA — Service Provider Disclosures (California)

For purposes of the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), Sub-processors listed in Section 3 act as Service Providers to One Model. Each Service Provider is contractually prohibited from:

Retaining, using, or disclosing Personal Information for any purpose other than performing the Services specified in their agreement with One Model;
Retaining, using, or disclosing Personal Information for a commercial purpose outside the direct business relationship with One Model;
Selling or sharing Personal Information; and
Combining Personal Information received from One Model with Personal Information received from other sources, except as permitted by the CCPA/CPRA.

California residents (including employees of Subscribers) who wish to exercise their CCPA/CPRA rights should contact their employer (the Subscriber) in the first instance, or contact One Model at privacy@onemodel.co.

6. Changes to This Sub-processor List

6.1 Notification of Changes

One Model will provide Subscribers with advance written notice of any intended addition or replacement of Sub-processors. Notice will be provided by:

Updating this page and the "Last Updated" date above; and
Sending email notification to Subscribers who have registered for updates (see Section 8).

Notice period: At least 30 days prior to the new Sub-processor commencing Processing, unless a shorter period is required due to an emergency or legal obligation, in which case One Model will notify Subscribers as soon as reasonably practicable.

6.2 Right to Object (GDPR)

Subscribers who have reasonable, documented grounds to object to the engagement of a new Sub-processor on data protection grounds must submit a written objection to privacy@onemodel.co within the notice period. One Model will work in good faith to address the objection. If the parties cannot resolve the objection within 30 days, either party may terminate the affected Services on written notice, in accordance with the applicable Subscriber agreement.

6.3 Historic Versions

Prior versions of this Sub-processor list are retained by One Model and are available upon written request at privacy@onemodel.co.

7. Data Subject Rights and Complaints

One Model's role with respect to Subscriber Personal Data is that of a Data Processor (EU/UK GDPR) / Service Provider (CCPA/CPRA) / third-party processor (PIPEDA). Requests from individuals to exercise their data subject rights (access, correction, deletion, portability, objection) in respect of Personal Data processed through the One Model platform should be directed to the Subscriber (Data Controller/Business) in the first instance.

Where One Model receives a data subject request directly, we will promptly forward it to the relevant Subscriber and assist as required under the DPA and applicable law.

For privacy complaints that cannot be resolved directly, individuals may escalate to the relevant supervisory authority listed in Section 10.

8. Subscribe for Updates

To receive advance notifications when this Sub-processor list is updated, please fill out the form below.

10. Supervisory Authorities

Individuals who are not satisfied with One Model's response to a data protection concern may lodge a complaint with the relevant supervisory authority:

Jurisdiction	Governing Law	Authority	Contact
United States (Federal)	FTC Act; sectoral laws	U.S. Federal Trade Commission	ftc.gov
United States (California)	CCPA/CPRA	California Privacy Protection Agency (CPPA)	cppa.ca.gov
European Union	GDPR	Relevant EU Member State supervisory authority / EDPB	edpb.europa.eu
United Kingdom	UK GDPR / DPA 2018	Information Commissioner's Office (ICO)	ico.org.uk
Canada	PIPEDA	Office of the Privacy Commissioner of Canada	priv.gc.ca
Australia	Privacy Act 1988 (Cth)	Office of the Australian Information Commissioner (OAIC)	oaic.gov.au

This Sub-processor list should be reviewed by qualified legal counsel prior to publication. It does not constitute legal advice.