Vendors & Sub-processors
Transparent overview of all parties that process personal data on behalf of Onesurance, including our due diligence and management processes.
Sub-processor management at a glance
- Transparent sub-processor management — Complete overview of all sub-processors and their role
- 30-day advance notification — Clients are informed at least 30 days before any new sub-processor is engaged
- Due diligence at onboarding — Security assessment and compliance verification for every new sub-processor
Sub-processors Overview
| Sub-processor | Service | Data Location | Compliance | DPA |
|---|---|---|---|---|
| Microsoft Azure | Cloud Infrastructure | West-Europe (EU) | SOC 2, ISO 27001, GDPR | Yes |
| Bonsai Software B.V. | AI Agent Development | Rotterdam, NL | DPA March 2025 | Yes |
| Microsoft Entra ID | Identity & Access Management | EU | GDPR | Yes |
| ID Business Intelligence | Data aggregation & processing | Netherlands | GDPR | Yes |
| ANVA | Data aggregation & processing | Netherlands | GDPR | Yes |
| Orq.AI | AI Agent Platform | EU | GDPR | Yes |
| Azure OpenAI | AI model hosting & inference | EU | GDPR | Yes |
| Google Vertex | AI model hosting & inference | EU | GDPR | Yes |
| Microsoft Power BI | Business Intelligence | EU | GDPR | Yes |
Microsoft Azure
Microsoft Azure is our primary cloud infrastructure and platform provider. All Onesurance services run exclusively in the Azure West-Europe region.
Service
Cloud infrastructure and platform services — compute, storage, networking, databases and machine learning.
Data Location
West-Europe (Netherlands / Dublin). All data remains within the European Union.
Certifications
- SOC 2 Type II — Independently audited security controls
- ISO 27001 / 27017 / 27018 — Information security, cloud security and privacy in the cloud
- GDPR — Full compliance with the General Data Protection Regulation
- EU SCCs — Standard Contractual Clauses for international data transfers
Security
- Enterprise-grade security — Multi-layered security architecture with advanced threat detection
- 24/7 physical security — Data centres secured with permanent surveillance and access controls
- Biometric access — Physical access to data centres requires biometric verification
Sub-processor Management
Our sub-processor management process ensures transparency and gives clients control over who processes their data.
Management Processes
- 30-day advance notification — Clients are informed at least 30 days before a new sub-processor is engaged
- Client objection rights — Clients have the right to object to new sub-processors
- Due diligence before onboarding — Every potential sub-processor undergoes a comprehensive security and compliance assessment
- DPA and security requirements mandatory — All sub-processors must sign a Data Processing Agreement and meet our security requirements
- Annual reviews — All sub-processors are reassessed annually for security and compliance
Due Diligence
Before any party is engaged as a sub-processor, it undergoes a thorough assessment process to ensure it meets our security and compliance standards.
Assessment Process
- Pre-onboarding security assessment — Comprehensive evaluation of technical and organisational security measures
- Compliance verification — Verification of adherence to applicable laws and regulations (GDPR, sector-specific requirements)
- Contractual arrangements — Data Processing Agreement (DPA) and Standard Contractual Clauses (SCCs) are established
- Annual reviews — Periodic reassessment of all active sub-processors
- Documentation available to clients — Clients can request access to relevant due diligence documentation
Important Notes
Development partner without production access
De Voorhoede is our development partner but does not have access to production environments or production data. They work exclusively in isolated development environments.
Questions About Our Vendors?
Our Data Protection Officer is happy to assist you with questions about sub-processors, data processing agreements or due diligence.