NCC Group uses sub-processors to support the delivery of our services to you.
A sub-processor is an external service provider or another member of NCC Group that is enlisted to deliver the service to you, where we are delivering a service to you in the role of processor. Therefore, this page doesn’t include the processing activities and services we deliver in the role of controller.
To deliver our service to you we may share certain personal information with one or more sub-processors. We have written contracts between NCC Group and all our sub-processors, which include obligations in relation to technical and organisational measures and compliance with applicable privacy laws.
Whether any sub-processor is used for any particular client engagement will depend on the country in which services are provided, the nature of the services and any specific client terms or processes agreed.
The below provides information about the sub-processors we may use to deliver services to you:
| Name | Processing activity | Processing location |
| Amazon |
Amazon Web Services (for hosting, connectivity layer and middleware) |
Multi-region: EU, UK, US and APAC Europe (Frankfurt) Region is the primary choice by default. Other regions are dependent on client choice: Europe
United States
APAC
|
|
Digital Ocean |
Digital Ocean Cloud (for hosting and computing) |
Europe & North-America regions |
|
Microsoft |
Azure (for hosting, security data analytics and connectivity layer), Office 365 (several office applications) and EntraID (for active directory) |
Multi-region: EU, UK and US - West Europe (Netherlands) Region - North Europe (Ireland) Region - UK South (London) Region (regarding all e-mail data) Mentioned regions are the primary choice by default. Other regions are dependent on client choice |
Sub-processors we use, depending on specific service procured:
|
Service line |
Name |
Processing activity |
Processing location (primary choice by default) |
|
Consulting and Implementation |
Mindgame |
Awareness campaign tool |
DigitalOcean-hosted: Europe region |
|
Digital Forensic Incident Response |
Reveal Data Corporation |
eDiscovery platform service |
AWS-hosted: Europe (Ireland) Region (in connection with the “Ask”-feature: Europe (Frankfurt) Region) (potentially also in UK and US for support on a case-by-case basis) |
|
Managed Services |
Amazon |
Amazon Web Services (for hosting, connectivity layer and middleware) |
Europe (Frankfurt) Region |
|
- |
CyCognito |
External Attack Surface Management Service |
GCP-hosted: Europe West (Belgium) Region (potentially also in Israel in case of support) |
|
- |
IASME |
Vulnerability scan & audit platform service |
Azure-hosted: UK (London) Region |
|
- |
Intermax Cloudsourcing |
Private hosting service |
NL (Amsterdam, Rotterdam, Delft) |
|
- |
Microsoft |
Hosting (Azure Cloud), security data analytics service (Azure Sentinel), connectivity layer (Azure Lighthouse), and active directory (EntraID) |
West Europe (Netherlands) Region, North Europe (Ireland) Region, UK South (London) Region |
|
- |
Searchlight Cyber |
Web monitoring service |
Digital Ocean & AWS hosted: Europe (London) Region |
|
- |
ServiceNow |
Security incident management platform service |
Azure-hosted: UK South (London) Region |
|
- |
Splunk |
Security data analytics (SIEM) service |
AWS-hosted: Europe (Frankfurt) Region |
|
- |
Thinkst Canary |
Threat detection and deception service |
AWS-hosted: Europe (Ireland) Region |
|
- |
Umbrio (Davinsi) |
Support service |
Azure-hosted: West Europe Region (NL) |
|
- |
VMWare Carbon Black) |
Security data analytics service (Endpoint protection) |
AWS-hosted: Europe (Frankfurt) Region |
As part of our global service delivery, personal data may be processed at our main delivery sites in the United Kingdom, the Netherlands, the United States, Australia, the Philippines, Spain, and Singapore. As a transfer mechanism, we rely on a group wide Intra Group Agreement that protects transfers of personal data internally to the group, incorporating the Standard Contractual Clauses.
A full list of the subsidiaries of NCC Group plc who may be engaged to support the delivery of our services to you:
|
Service type |
Name |
Location |
|
Corporate support services |
NCC Group plc |
UK |
|
- |
NCC Group Corporate Limited |
UK |
|
- |
NCC Group, LLC |
US |
|
- |
NCC Group (Americas) Inc |
US |
|
Cyber security |
NCC Group Security Services Limited |
UK |
|
- |
NCC Group Accumuli Security Limited |
UK |
|
- |
NCC Group Signify Solutions Limited |
UK |
|
- |
NCC Group Audit Limited |
UK |
|
- |
Payment Software Company Limited |
UK |
|
- |
Fox-IT BV |
Netherlands |
|
- |
NCC Group Security Services Espana, S.L. |
Spain |
|
- |
NCC Group A/S |
Denmark |
|
- |
NCC Group Cyber Security Portuguesa Unipessoal LDA |
Portugal |
|
- |
NCC Group Deutschland GmbH |
Germany |
|
- |
NCC Group Security Services Inc |
US |
|
- |
NCC Group Cyber Security (Americas) LLC |
US |
|
- |
Payment Software Company Inc |
US |
|
- |
NCC Group Security Services Corp |
Canada |
|
- |
NCC Group Pty Limited |
Australia |
|
- |
NCCGroup Private Ltd |
Singapore |
|
- |
NCC Group Asia Inc |
Philippines |
|
Software resilience / Escode |
NCC Services Ltd |
UK |
|
- |
NCC Group Escrow Limited |
UK |
|
- |
NCC Group Escrow Europe BV |
Netherlands |
|
- |
NCC Group Escrow Europe (Switzerland) AG |
Switzerland |
|
- |
NCC Group FZ-LLC |
United Arab Emirates |
|
- |
NCC Group Escrow Associates LLC |
US |
|
- |
NCC Group Software Resilience (NA) LLC |
US |
Further information regarding the sub-processors used by NCC Group, for the specific services we provide to you, can be obtained from your local contact/account manager.
If you have questions related to the legal basis used for a specific transfer you can ask for further information from dataprotection@nccgroup.com
Last updated: 25 July 2024