NCC Group uses sub-processors to support the delivery of our services to you.
A sub-processor is an external service provider or another member of NCC Group that is enlisted to deliver the service to you, where we are delivering a service to you in the role of processor. Therefore, this page doesn’t include the processing activities and services we deliver in the role of controller.
To deliver our service to you we may share certain personal information with one or more sub-processors. We have written contracts between NCC Group and all our sub-processors, which include obligations in relation to technical and organisational measures and compliance with applicable privacy laws.
Whether any sub-processor is used for any particular client engagement will depend on the country in which services are provided, the nature of the services and any specific client terms or processes agreed.
The below provides information about the sub-processors we may use to deliver services to you:
|
Name |
Processing activity |
Processing location |
| Amazon |
|
Multi-region: EU, UK, US and APAC Europe (Frankfurt) Region is the primary choice by default. Other regions are dependent on client choice: Europe
United States
APAC
|
|
Microsoft |
Azure (for hosting, security data analytics and connectivity layer), Office 365 (several office applications) and EntraID (for active directory) |
Multi-region: EU, UK and US
Mentioned regions are the primary choice by default. Other regions are dependent on client choice |
Sub-processors we use, depending on specific service procured:
|
Service line
|
Name
|
Processing activity |
Processing location (primary choice by default)
|
|
Consulting and Implementation |
Mindgame
|
Awareness campaign tool
|
DigitalOcean-hosted: Europe (Amsterdam) Region
|
|
Digital Forensic Incident Response |
Reveal Data Corporation |
eDiscovery platform service |
AWS-hosted: Europe (Frankfurt) Region
(potentially also in UK and US for support on a case-by-case basis) |
|
ZyLAB ONE |
eDiscovery platform service |
Azure-hosted: West Europe (Netherlands) Region |
|
|
Managed Services |
Amazon |
Amazon Web Services (for hosting, connectivity layer and middleware) |
Europe (Frankfurt) Region |
|
|
Broadcom (VMWare Carbon Black) |
Security data analytics service (Endpoint protection) |
AWS-hosted: by default Europe (Frankfurt) Region - NA and APAC customers: US Central (Iowa) Region
& GCP-hosted: by default Europe West (Belgium) Region - NA and APAC customers: US East (South Carolina) Region |
|
|
CrowdStrike |
Security data analytics service (Endpoint protection)
|
AWS-hosted: - By default: Europe (Frankfurt) Region - NA and APAC NA customers: US Central (Iowa) Region
|
|
|
CyCognito |
External Attack Surface Management Service |
GCP-hosted: Europe West (Belgium) Region
(potentially also in Israel in case of support) |
|
|
IASME |
Vulnerability scan & audit platform service |
Azure-hosted: UK (London) Region |
|
|
Intermax Cloudsourcing |
Private hosting service |
NL (Amsterdam, Rotterdam, Delft) |
|
|
Microsoft |
Hosting (Azure Cloud), security data analytics service (Azure Sentinel), connectivity layer (Azure Lighthouse), and active directory (EntraID) |
West Europe (Netherlands) Region, North Europe (Ireland) Region, UK South (London) Region |
|
|
|
Unified Cyber Platform (UCP) enrichment / automation engine |
UK South (London) Region
For EU-only clients, the option for onboarding in West Europe (NL) region and North Europa (Ireland) Region is available |
|
|
Qualys |
Internal & External Attack Surface Management Services |
Oracle-hosted: Region by choice of Client
Primary choice of NCC Group per Client location: · EU: Europe (Amsterdam) Region · UK: UK (London) Region · NA: US (Phoenix) Region · APAC: Australia (Sydney) Region
Qualys support: India and the US |
|
|
Searchlight Cyber |
Web monitoring service |
Digital Ocean & AWS hosted: Europe (London) Region |
|
|
SentinelOne |
Security data analytics service (Endpoint protection) |
AWS-hosted: · By default: Europe (Frankfurt) Region · NA and APAC customers: US East (Virginia) Region |
|
|
ServiceNow |
Security incident management platform service |
Azure-hosted: UK South (London) Region |
|
|
Splunk |
Security data analytics (SIEM) service |
AWS hosted: Region by choice of Client.
Primary choice of NCC Group per Client location: · EU: Europe (Frankfurt) Region · UK: Europe (London) Region · NA: US West (N. California) Region · APAC: Asia Pacific (Sydney) Region |
|
|
Thinkst Canary |
Threat detection and deception service |
AWS-hosted: Region by choice of Client.
Primary choice of NCC Group per Client location: · EU: Europe (Ireland) Region, · UK: Europe (London) Region · NA: US West (N. California) Region · APAC: Asia Pacific (Sydney) Region |
|
|
Umbrio (Davinsi) |
Support service |
Azure-hosted: West Europe Region (NL) |
|
Technical Assurance Services |
Digital Ocean |
Hosting (Digital Ocean Cloud) Self service linux machines for short term projects |
Multi region: EU, UK, US and APAC
· EU: Europe (Frankfurt) or Amsterdam) · UK: Europe (London) · NA: US (New York or San Francisco), Canada (Toronto) · APAC: Australia (Sydney), Singapore |
|
|
Horizon3.ai (NodeZero) |
Providing automated testing services |
AWS-hosted: · NA: US West (Oregon) Region · EU: Europe (Frankfurt) Region |
A full list of the subsidiaries of NCC Group plc who may be engaged to support the delivery of our services to you is available here
Further information regarding the sub-processors used by NCC Group, for the specific services we provide to you, can be obtained from your local contact/account manager.
If you have questions related to the legal basis used for a specific transfer, you can ask for further information from dataprotection@nccgroup.com
Last updated: October 15, 2024