Skip to navigation Skip to main content Skip to footer

NCC Group Sub-processors

NCC Group uses sub-processors to support the delivery of our services to you.

A sub-processor is an external service provider or another member of NCC Group that is enlisted to deliver the service to you, where we are delivering a service to you in the role of processor. Therefore, this page doesn’t include the processing activities and services we deliver in the role of controller.  

To deliver our service to you we may share certain personal information with one or more sub-processors. We have written contracts between NCC Group and all our sub-processors, which include obligations in relation to technical and organizational measures and compliance with applicable privacy laws.  

Whether any sub-processor is used for any particular client engagement will depend on the country in which services are provided, the nature of the services and any specific client terms or processes agreed. 

The below provides information about the sub-processors we may use to deliver services to you: 

Name

Processing activity

Processing location
Amazon

Amazon Web Services (for hosting, connectivity layer and middleware) 

Multi-region: EU, UK, US and APAC

Europe (Frankfurt) Region is the primary choice by default. Other regions are dependent on client choice:

Europe

  • Europe (Ireland) Region 
  • Europe (London) Region 
  • Europe (Paris) Region 

 

United States 

  • US East (Ohio) Region 
  • US East (Northern Virginia) Region 
  • US West (Oregon) Region 
  • US West (Northern California) Region 

APAC 

  • Asia Pacific (Singapore) Region 
  • Australia (Sydney) Region 

Microsoft 

Azure (for hosting, security data analytics and connectivity layer), Office 365 (several office applications) and EntraID (for active directory) 

Multi-region: EU, UK and US 

- West Europe (Netherlands) Region 

- North Europe (Ireland) Region 

- UK South (London) Region (regarding all e-mail data) 

Mentioned regions are the primary choice by default. Other regions are dependent on client choice 

 

Sub-processors we use, depending on specific service procured:  

Service line 

Name 

Processing activity 

Processing location 

(primary choice by default)  

Consulting and Implementation 

Mindgame 

Awareness campaign tool 

DigitalOcean-hosted: Europe region 

Digital Forensic Incident Response 

Reveal Data Corporation 

eDiscovery platform service 

AWS-hosted: Europe (Ireland) Region 

(in connection with the “Ask”-feature: Europe (Frankfurt) Region) 

(potentially also in UK and US for support on a case-by-case basis) 

Managed Services 

Amazon 

Amazon Web Services (for hosting, connectivity layer and middleware) 

Europe (Frankfurt) Region 

 

CrowdStrike

Security data analytics service (Endpoint protection)

AWS-hosted:
- By default: Europe (Frankfurt) Region
- US customers: US Central (Iowa) Region

-

CyCognito 

External Attack Surface Management Service  

GCP-hosted: Europe West (Belgium) Region 

(potentially also in Israel in case of support) 

-

IASME 

Vulnerability scan & audit platform service 

Azure-hosted: UK (London) Region 

-

Intermax Cloudsourcing 

Private hosting service 

NL (Amsterdam, Rotterdam, Delft) 

-

Microsoft 

Hosting (Azure Cloud), security data analytics service (Azure Sentinel), connectivity layer (Azure Lighthouse), and active directory (EntraID) 

West Europe (Netherlands) Region, North Europe (Ireland) Region, UK South (London) Region 

-

Searchlight Cyber 

Web monitoring service 

Digital Ocean & AWS hosted: Europe (London) Region 

-

ServiceNow 

Security incident management platform service 

Azure-hosted: UK South (London) Region

For EU-only clients, the option for onboarding in West Europe (NL) region and North Europa (Ireland) Region is available 

-

Splunk 

Security data analytics (SIEM) service  

AWS hosted: Region by choice of Client.

Primary choice of NCC Group per Client location:

  • Mainland Europe: Europe (Frankfurt) Region
  • UK: Europe (London) Region
  • US: US West (N. California) Region
  • APAC: Asia Pacific (Sydney) Region

-

Thinkst Canary 

Threat detection and deception service 

AWS hosted: Region by choice of Client.

Primary choice of NCC Group per Client location:

  • Mainland Europe: Europe (Frankfurt) Region
  • UK: Europe (London) Region
  • US: US West (N. California) Region
  • APAC: Asia Pacific (Sydney) Region

-

Umbrio (Davinsi) 

Support service 

Azure-hosted: West Europe Region (NL) 

-

VMware (Carbon Black) 

Security data analytics service (Endpoint protection) 

AWS-hosted: Europe (Frankfurt) Region 

 

A full list of the subsidiaries of NCC Group plc who may be engaged to support the delivery of our services to you is available here

Further information regarding the sub-processors used by NCC Group, for the specific services we provide to you, can be obtained from your local contact/account manager. 

If you have questions related to the legal basis used for a specific transfer, you can ask for further information from dataprotection@nccgroup.com  

 

 

Last updated: October 15, 2024