
Subcontractors

We carefully select external parties and understand that working with third parties involves potential risks. That is why we have a rigorous vendor management program in place to ensure that every third party meets the same high security and compliance standards as we do.

Selection

Evaluation Criteria

When selecting new suppliers, we assess:

Security & Compliance

  • Information security management system (ISMS)

  • Relevant certifications (ISO 27001, SOC 2)

  • Data handling and encryption practices

  • Incident response capabilities

  • Business continuity planning

Legal & Contractual

  • GDPR-compliant Data Processing Agreement (DPA)

  • Adequate liability and insurance coverage

  • Clear SLA terms and support commitments

  • Data return/deletion procedures

Operational

  • Financial stability

  • Technical capabilities

  • References and track record

  • Data processing location (EU required)

Our Policy

All subprocessors who have access to personal data must meet strict criteria:

  • GDPR-compliant Data Processing Agreement (DPA)

  • Adequate security certifications (ISO 27001, SOC 2)

  • EU data residency

  • Encryption at rest and in transit

  • Incident response procedures

  • Business continuity planning

Overview of Subcontractors

For a complete overview of all subprocessors used by Onesurance, please refer to our subprocessor list.

New subprocessors:
We notify customers 30 days prior to engaging new subprocessors, with the right to object in accordance with the contract.

Your Rights as a Customer

Notification of New Subprocessors

Advance Notice: 30 days

  • Via email to your contract contact person

  • For each new subprocessor

  • For material changes to existing subprocessors

Objection Right

Timeframe: 14 days after notification

  • Written objection with reasons

  • Good-faith discussion about alternatives

  • Contract termination option if no solution is found

Audit Right

Process via onesurance

  • Reasonable intervals (e.g., annually)

  • Subprocessor security and data handling

  • Summary reports are shared

  • Issues are promptly addressed

Security Requirements

All subprocessors must comply with strict security and GDPR requirements.

Data Processing Locations

All data processing takes place within the EU; see Infrastructure & Architecture.

Ongoing Management

Continuous Oversight

Annual Reviews

  • Security posture updates

  • Compliance status verification (certificates)

  • Performance and SLA compliance

  • Risk reassessment

Monitoring

  • Performance metrics tracking

  • Security incident monitoring

  • Compliance changes

  • Financial health

Incident Management

  • Vendor breach notification requirements

  • Impact assessment on Onesurance

  • Customer communication if affected

  • Post-incident improvements

Vendor Incidents

Notification Requirements

Vendors must notify Onesurance:

  • Immediately: Security incidents affecting our data

  • Within 24 hours: Service disruptions

  • Within 72 hours: Compliance changes

Our Response

In the event of vendor incidents:

  1. Impact assessment (within 4 hours)

  2. Immediate containment actions

  3. Customer notification (if data is affected)

  4. Regulatory notification (if required)

  5. Remediation with vendor

  6. Post-incident review

Risk Management

Onesurance has various procedures in place to coordinate risk management.

Transparency

Regular Reporting

To Customers:

  • Subprocessor updates (30 days in advance)

  • Vendor incident communications (if applicable)

  • Annual compliance updates

Documentation Available:

  • Vendor security assessments (summary)

  • Certification verification

  • DPA documentation

  • Upon request via onesurance