| Sub-processor | Purpose of Processing | Location |
|---|---|---|
Salesforce | The purpose of processing personal data within Salesforce includes enabling efficient sales operations, maintaining accurate and centralized client records, supporting real-time data synchronization across systems, and ensuring compliance with data protection regulations. Salesforce is subject to privacy governance measures such as Data Processing Agreements and Privacy Impact Assessments, and its use aligns with principles of transparency, data minimization, and accuracy. | California |
AWS Cloud | The purpose of processing data using AWS Cloud includes hosting critical platforms which rely on AWS data centers for secure, scalable, and high-performance operations. AWS enables the deployment of virtual computing environments, object storage , and advanced services, which are used for data analytics, application hosting, and enterprise automation. It supports the processing of personally identifiable information (PII) and customer data across various business functions, and is governed by certifications such as SOC 2 and ISO 27001 to ensure compliance and data protection. AWS Cloud’s infrastructure underpins Envestnet’s digital ecosystem, making it essential for operational continuity, privacy compliance, and innovation. | Seattle |
Oracle Cloud | The purpose of processing data using Oracle Cloud includes managing procurement workflows, purchase requisitions, and financial transactions across departments. It enables automation of requisition approvals, purchase order generation, and integration with corporate and wealth product families, thereby streamlining financial operations and reducing manual errors. Oracle Cloud processes personally identifiable information (PII) and is governed by ISO 27001 and SOC 2 certifications. Its infrastructure is hosted in USA-based AWS data centers, ensuring scalability, security, and compliance with enterprise IT standards. | Texas |
Zendesk | The purpose of processing personal data within Zendesk includes handling service requests, managing client interactions, and supporting operational workflows across teams. As a subprocessor, Zendesk handles personally identifiable information (PII) and is subject to privacy governance measures such as Data Processing Agreements (DPAs), data validation protocols, and incident response standards. This ensures compliance with internal privacy policies and regulatory obligations while enabling efficient and secure client support. | California |
Workday | The purpose of processing personal data using Workday includes maintaining accurate employee records, enabling real-time reporting and analytics, supporting absence and time-off management, and facilitating updates to personal, educational, and government ID information. Workday processes sensitive employee data and is governed by certifications including SOC 1 Type II, SOC 2 Type II, SOC 3, ISO/IEC 27001, and ISO/IEC 27701. Its infrastructure is hosted on AWS data centers in the United States, ensuring secure and scalable data processing aligned with Envestnet’s privacy and compliance standards. | California |
Snowflake | The purpose of processing data using Snowflake includes supporting data lake architecture, extract generation, and premium services such as insights, report writer functionality, and real-time analytics. As a subprocessor, Snowflake handles personally identifiable information (PII) and is governed by certifications such as SOC 2 and ISO/IEC 27001. Its infrastructure is hosted in USA-based AWS data centers, ensuring compliance with Envestnet’s privacy and data protection standards. | Montana |
Microsoft | The purpose of processing personal data using Microsoft includes enabling productivity through Microsoft 365 applications (e.g., Outlook, Teams, Word, Excel), facilitating secure communication and collaboration, and supporting enterprise-wide document management and data governance. Microsoft services are used to generate, store, and transmit personal data such as employee information, client communications, and privacy documentation, making it a critical subprocessor in Envestnet’s data ecosystem. As a subprocessor, Microsoft is subject to Data Processing Agreements (DPAs) that define its obligations regarding data protection, breach notification timelines, and support for data subject rights. These agreements ensure that Microsoft processes only the minimum necessary personal data for authorized purposes and complies with applicable privacy laws and internal governance standards. | Washington |
ComplySci | The purpose of processing personal data using ComplySci includes tracking and approving employee activities such as outside employment, investment club participation, and expert network engagements, all of which are subject to regulatory scrutiny and internal ethical standards. ComplySci is also used to administer mandatory compliance training for new hires and covered persons, including affirmations and Code of Ethics modules, which are accessed via single sign-on (SSO) through Okta. The platform supports the submission and review of holdings reports, conflict disclosures, and whistleblower policies, ensuring that employees remain compliant with federal regulations and internal governance frameworks. As a subprocessor, ComplySci handles personally identifiable information (PII) and is included in Envestnet’s Business Continuity Program, with successful recovery testing documented for Q4 2024. | New York |
CrowdStrike | The purpose of processing data using CrowdStrike includes deploying enterprise agents on Windows and Linux systems to monitor and prevent malicious activity from the earliest stages of system boot. CrowdStrike’s Falcon Forensics and Falcon cloud-managed detection tools are used to collect forensic data, detect threats, and perform advanced analytics such as file hashing, network data dumps, and process enumeration. The platform also supports purple teaming exercises to validate and improve detection capabilities across the SOC and offensive security teams. Kernel-level drivers enforce inline prevention of malware and are updated with Rapid Response Content to adapt to evolving threats without modifying system code. As a subprocessor, CrowdStrike handles sensitive system and user data and is integrated into Envestnet’s broader security and privacy governance framework, including subprocessors documentation and risk tiering. | California |
Aravo | The purpose of processing data using Aravo includes managing vendor onboarding, evaluating privacy and security risks, and tracking subprocessors with access to personally identifiable information (PII). Aravo facilitates the configuration of risk attributes such as residual risk scores, engagement criticality, and screening tiers, which are used to classify vendors and prioritize assessments. It also supports SLA tracking, delegation logic, and GDPR-related triggers, ensuring that regulatory obligations are met across a diverse third-party base. As a subprocessor, Aravo handles sensitive vendor and employee data and is integrated into Envestnet’s privacy governance framework, including Data Processing Addendums (DPAs) and internal documentation templates. | San Francisco |
Our Trusted Subprocessors: Transparency in Action
We believe transparency is the foundation of trust. This page highlights our top subprocessors - partners who we vet through a rigorous Third Party Management program. Through a risk-based approach, we trust these partners to help us deliver secure and compliant services. For each, we’ve listed their location and the specific purpose for which they process personal data. By sharing this information, we empower our clients to independently validate our privacy practices and reinforce our commitment to responsible data stewardship.