Suppliers & Subcontractors

Key security principles at Onesurance
• End-to-end encryption for all data in transit and at rest
• Multi-factor authentication required for all users
• 24/7 security monitoring with automated incident detection
• Data residency within the EU (Azure West Europe)
• ISO 27001 certification in preparation (target Q1 2026)

Certifications and Standards

Onesurance adheres to the highest security and compliance standards in the financial sector. Below you will find an overview of our current certifications and roadmap.

Certification    Status
GDPR             Compliant
DORA             Compliant
ISO 27001        Q1 2026 (in preparation)

TRUST CENTER - SUPPLIERS & SUBCONTRACTORS

Suppliers & Subprocessors
Last updated: December 2024

Our Policy

At Onesurance, we carefully select and assess the external parties we work with. We understand that working with third parties involves potential risks to the security and privacy of customer data. That is why we have a rigorous vendor management program that ensures that every third party with access to customer data meets the same high security and compliance standards as we do.

Vendor Management Framework

Vendor Selection Process

1. Business Need Assessment
• Requirement definition: Clear business case
• Alternatives analysis: Build vs. buy evaluation
• Risk assessment: Identify potential risks

2. Vendor Evaluation
• Security questionnaire: Standardized questionnaire
• Compliance verification: Certificates, attestations
• Financial stability: Company health check
• References: References from existing customers
• Technical capabilities: POC/demo if relevant

3. Security Assessment
Evaluation criteria:
• Information security program: ISMS, policies, procedures
• Compliance: ISO 27001, SOC 2, GDPR, other relevant
• Data handling: Where is data stored/processed
• Access controls: Who has access to which data
• Encryption: At rest and in transit
• Incident response: Procedures and track record
• Business continuity: BC/DR plans
• Insurance: Cyber liability coverage

4. Legal Review
• Contract review: Terms, liabilities, indemnifications
• Data Processing Agreement (DPA): GDPR-compliant DPA required
• SLA terms: Performance, availability, support
• Termination clauses: Data return/deletion procedures
• Liability and insurance: Adequate coverage

5. Approval Process
• Technical approval: CTO/Security team
• Compliance approval: DPO (FG)/Legal team
• Financial approval: CFO (budget)
• Executive approval: For high-risk/high-value vendors

6. Onboarding
• Contract execution: Signed agreements
• Access provisioning: Minimal necessary access
• Documentation: Vendor details in register
• Communication: Relevant teams informed
• Monitoring setup: Performance and security monitoring

Ongoing Vendor Management

Annual Reviews
• Security posture: Updated security assessments
• Compliance status: Current certifications verified
• Performance: SLA compliance review
• Risks: Reassess risk profile
• Contracts: Review and renewal

Continuous Monitoring
• Performance metrics: Uptime, response times, quality
• Security incidents: Vendor breaches monitored
• Compliance changes: New certifications, lapses
• Financial health: Ongoing stability monitoring
• News monitoring: M&A, leadership changes, incidents

Incident Management
• Vendor incidents: Notification requirements in contract
• Impact assessment: Evaluate impact on Onesurance
• Response coordination: Joint incident handling if necessary
• Communication: Update customers if affected
• Post-incident: Lessons learned, plan adjustments

Offboarding
• Data return/deletion: Per contract and GDPR
• Access revocation: All access removed
• Final audit: Verification of data handling
• Documentation: Offboarding completion logged
• Lessons learned: Process improvements

Subprocessors (GDPR Context)

Definition

Subprocessors are third parties that process personal data on behalf of Onesurance in the context of our services to customers. Under the GDPR, we have specific obligations regarding subprocessors.

Current Subprocessors

1. Microsoft Corporation (Azure Cloud Services)
• Service: Cloud infrastructure and platform services
• Role: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS)
• Data processing location: Azure West Europe (Amsterdam, NL)
• Data types: All customer data on our platform
• Purpose: Hosting, compute, storage, database, security services
• Certifications: ISO 27001, ISO 27017, ISO 27018, SOC 2 Type II
• GDPR compliance: EU Standard Contractual Clauses (SCCs)
• Website: azure.microsoft.com
• Privacy policy: privacy.microsoft.com
• DPA: Microsoft Online Services DPA (standard)
• Sub-subprocessors: Microsoft's approved subprocessor list
• Additional info: Microsoft is an ISO-certified data processor

2. Bonsai Software B.V. (Development Services)
• Service: Software development and maintenance support
• Role: Development partner for platform features
• Data processing location: Netherlands (EU)
• Data types: Development/staging data (anonymized where possible)
• Purpose: Product development, bug fixes, technical support
• Certifications: N/A (small company)
• GDPR compliance: DPA in place
• Access: Limited, controlled access to staging environments
• Security: NDA signed, access controls, monitoring
• Additional info: EU-based, subject to GDPR

Future Subprocessors

We commit to notifying customers of new subprocessors:
• Notification: Minimum 30 days prior to engagement
• Method: Email notification to contract contact
• Objection right: Customers may object (contract terms)
• Alternative: If an objection cannot be resolved and no alternative is available, contract termination is possible

Subprocessor Obligations (GDPR)

Contractual Guarantees

Data Processing Agreement (DPA) Requirements:
• Scope: Clear definition of processing
• Instructions: Processing only on instruction from Onesurance
• Confidentiality: Confidentiality commitments from the processor and its personnel
• Security: Appropriate technical and organizational measures
• Sub-subprocessors: Prior consent from Onesurance required
• Assistance: Assistance with GDPR compliance (DPIAs, data subject requests)
• Deletion/return: Data return or deletion after contract termination
• Audit: Right to audit subprocessor
• Breach notification: Immediate notification in case of data breaches
• Data location: No transfer outside the EU without adequate safeguards

Monitoring & Enforcement:
• Contract compliance: Regular reviews
• Performance metrics: Tracked and reported
• Security audits: Annual assessment
• Incident tracking: All incidents logged
• Remediation: Action plans for issues
• Termination: In case of non-compliance or significant breach

Supplier Security Requirements

Minimum Requirements

All Vendors (Non-Personal Data):
• Secure access: Strong authentication, MFA encouraged
• Encryption: Data in transit (TLS 1.2+)
• Logging: Access logs maintained
• Confidentiality: NDA signed
• Background checks: For personnel with access

Subprocessors (Personal Data):
Additional requirements:
• DPA: GDPR-compliant Data Processing Agreement
• Encryption: Both at rest (AES-256) and in transit (TLS 1.3)
• Access controls: Role-based, least privilege
• Audit trail: Comprehensive activity logging
• Certifications: ISO 27001 or SOC 2 strongly preferred
• Incident response: Defined procedures, notification requirements
• Data location: EU/EEA or adequate protection
• Business continuity: BC/DR plans in place
• Insurance: Cyber liability coverage
• Background checks: For all personnel with data access

Preferred Certifications
• ISO 27001: Information Security Management
• SOC 2 Type II: Security, Availability, Confidentiality
• ISO 27017: Cloud Security
• ISO 27018: Cloud Privacy
• ISO 27701: Privacy Information Management
• CSA STAR: Cloud Security Alliance certification

Data Flows & Processing Locations

Data Processing Locations

All data processing occurs within the EU:
• Primary: Azure West Europe (Amsterdam, Netherlands)
• Backup: Azure North Europe (Dublin, Ireland)
• No processing outside the EU/EEA

International Data Transfers

Current status: No international data transfers

If future transfers become necessary:
• Adequacy decision: Preferred mechanism (EU Commission)
• Standard Contractual Clauses: EU SCCs will be used
• Transfer Impact Assessment: Conducted per EDPB guidelines
• Additional safeguards: Encryption, access controls
• Customer notification: Advance notice to affected customers
• Documentation: All transfers documented

Third-Party Tools & Services

Development & Operations

GitHub (Code Repository)
• Purpose: Source code version control
• Data: Code, documentation, no customer data
• Location: Global (enterprise account)
• Security: SSO, 2FA, branch protection
• Privacy: Separate from production

Azure DevOps (CI/CD)
• Purpose: Build, test, deployment pipelines
• Data: Code, build artifacts, no customer data
• Location: West Europe
• Security: Azure AD integration, RBAC
• Privacy: No customer data processed

Monitoring Tools (Integrated with Azure)
• Azure Monitor: Infrastructure and application monitoring
• Application Insights: Performance monitoring
• Log Analytics: Centralized logging
• Azure Sentinel: SIEM
• Location: All West Europe
• Data: Logs and metrics only, isolated from sensitive customer data

Security & Compliance Tools

Built-in Azure Services:
• Azure Security Center: Posture management
• Azure Defender: Threat protection
• Azure Firewall: Network security
• Azure Key Vault: Secrets management
• All: Native Azure, EU regions, Microsoft DPA

Business & Support Tools

Microsoft 365 (Email, Productivity)
• Purpose: Internal email, documents, collaboration
• Data: Business communications, no customer operational data
• Location: EU data centers
• Security: Enterprise E5, DLP, encryption
• DPA: Microsoft Cloud Agreement

Slack (Optional - Internal Communication)
• Purpose: Team messaging (if used)
• Data: Internal discussions only
• Location: EU region available
• Security: Enterprise Grid, SSO, DLP
• Restriction: No customer data shared

Customer Visibility & Control

Subprocessor List

• Public list: This document serves as our subprocessor list
• Updates: Kept current, version controlled
• Notifications: Email alerts for new subprocessors
• Accessibility: Available via Trust Center at all times

Customer Rights

Notification:
• New subprocessors: 30 days advance notice
• Changes: Material changes to existing subprocessors
• Method: Email to contract contact

Objection:
• Timeframe: 14 days after notification
• Process: Written objection with reasons
• Resolution: Good-faith discussion
• Alternative: If no resolution is reached, termination option

Audit:
• Request process: Via onesurance
• Frequency: Reasonable intervals (e.g., annual)
• Scope: Subprocessor security and data handling
• Cost: May be subject to reasonable fees
• Reports: Summary reports shared
• Remediation: Issues addressed promptly

Vendor Risk Management

Risk Categories

High Risk:
• Access to production customer data
• Critical infrastructure dependencies
• Single source dependencies
• Location outside EU/EEA
• Examples: Cloud provider (Azure)

Medium Risk:
• Limited production access
• Non-critical services
• Alternatives available
• EU-based
• Examples: Development partners

Low Risk:
• No customer data access
• Internal tools only
• Easily replaceable
• Examples: Office supplies, marketing tools

Risk Mitigation

Contractual:
• Strong DPAs with liability clauses
• SLAs with penalties
• Insurance requirements
• Audit rights
• Termination rights

Technical:
• Least privilege access
• Encryption mandatory
• Activity monitoring
• Regular security assessments
• Incident response integration

Operational:
• Alternative vendors identified
• Exit strategies documented
• Regular reviews
• Performance monitoring
• Incident escalation procedures

Vendor Incident Response

Notification Requirements

Vendors must notify Onesurance:
• Immediately: Security incidents affecting our data
• Within 24 hours: Service disruptions affecting availability
• Within 72 hours: Compliance or certification changes

Onesurance Response

In the event of a vendor incident:
1. Assessment: Impact on Onesurance customers (within 4 hours)
2. Containment: Immediate actions to limit impact
3. Customer notification: If customer data is affected (see Template 06)
4. Regulatory notification: If required by GDPR/DORA
5. Remediation: Collaborate with vendor on fixes
6. Review: Post-incident assessment
7. Improvement: Contract or relationship changes if needed

Vendor Termination

Vendor failures leading to termination:
• Significant security breach
• Loss of required certifications
• Repeated SLA violations
• Non-compliance with DPA
• Financial instability
• Acquisition by competitor

Termination Procedure
1. Notification: Formal termination notice
2. Transition: Activate alternative vendor or internal solution
3. Data: Return or deletion of all data
4. Access: Revocation of all access
5. Verification: Audit of data handling
6. Documentation: Termination completion certified

Transparency & Reporting

Regular Reporting

To Management:
• Monthly: Vendor performance metrics
• Quarterly: Vendor risk assessments
• Annual: Comprehensive vendor review

To Customers:
• On request: Subprocessor list (this document)
• Proactive: New subprocessor notifications
• As needed: Vendor incident communications

Audit & Compliance

• Internal audits: Annual vendor compliance review
• External audits: Available during customer audits
• Regulatory: Documentation for the AP (Autoriteit Persoonsgegevens, the Dutch data protection authority) and auditors
• Certifications: Vendor certs verified annually

Due Diligence Documentation

What We Maintain

For each vendor/subprocessor:
• Vendor profile: Company info, contacts, contracts
• Security assessment: Initial and annual reviews
• Certifications: Copies of ISO, SOC reports
• DPA: Signed Data Processing Agreements
• Risk assessment: Current risk profile
• Performance: SLA compliance, incidents
• Communication: Change notifications, incident reports

Availability

• Internal: Full documentation for security/compliance teams
• Customers: Summaries available on request
• Regulators: Full documentation for auditors and the AP
• Updates: Quarterly review, upon changes

Contact & Updates

For questions about suppliers and subprocessors:
• Data Protection Officer: onesurance
• Vendor management: onesurance
• Subprocessor notifications: Automatic via email

Subscribe for updates:
• New subprocessors: Contact onesurance
• Vendor incidents: Via status page + email
• Policy changes: Via Trust Center updates

Onesurance B.V. | Breda, Netherlands | Chamber of Commerce: 87521997

Current Subprocessors:
1. Microsoft Corporation (Azure) - Cloud Infrastructure - EU
2. Bonsai Software B.V. - Development Services - Netherlands

Version: 1.0