GDPR: Compliant | DORA: Compliant | ISO 27001: Q1 2026
Key security principles at Onesurance
• End-to-end encryption for all data in transit and at rest
• Multi-factor authentication mandatory for all users
• 24/7 security monitoring with automated incident detection
• Data residency within the EU (Azure West-Europe)
• ISO 27001 certification in preparation (target Q1 2026)
Certifications and Standards
Onesurance adheres to the highest security and compliance standards in the financial sector. Below you will find an overview of our current certifications and roadmap.
Certification | Description | Status
TRUST CENTER - SUPPLIERS & SUBPROCESSORS
Onesurance Suppliers & Subprocessors
Last updated: December 2024
Our Policy
At Onesurance we carefully select the external parties we work with. We understand that working with third parties brings potential risks for the security and privacy of customer data. That is why we run a rigorous vendor management programme that ensures every third party with access to customer data meets the same high security and compliance standards that we hold ourselves to.
Vendor Management Framework
Vendor Selection Process
1. Business Need Assessment
• Requirement definition: Clear business case
• Alternatives analysis: Build vs. buy evaluation
• Risk assessment: Identify potential risks
2. Vendor Evaluation
• Security questionnaire: Standardised questionnaire
• Compliance verification: Certificates, attestations
• Financial stability: Company health check
• References: References from existing customers
• Technical capabilities: POC/demo where relevant
3. Security Assessment
Evaluation criteria:
• Information security program: ISMS, policies, procedures
• Compliance: ISO 27001, SOC 2, GDPR, other relevant standards
• Data handling: Where data is stored/processed
• Access controls: Who has access to which data
• Encryption: At rest and in transit
• Incident response: Procedures and track record
• Business continuity: BC/DR plans
• Insurance: Cyber liability coverage
4. Legal Review
• Contract review: Terms, liabilities, indemnifications
• Data Processing Agreement (DPA): GDPR-compliant DPA required
• SLA terms: Performance, availability, support
• Termination clauses: Data return/deletion procedures
• Liability and insurance: Adequate coverage
5. Approval Process
• Technical approval: CTO/Security team
• Compliance approval: DPO/Legal team
• Financial approval: CFO (budget)
• Executive approval: For high-risk/high-value vendors
6. Onboarding
• Contract execution: Signed agreements
• Access provisioning: Minimal necessary access
• Documentation: Vendor details in register
• Communication: Relevant teams informed
• Monitoring setup: Performance and security monitoring
Ongoing Vendor Management
Annual Reviews
• Security posture: Updated security assessments
• Compliance status: Current certifications verified
• Performance: SLA compliance review
• Risks: Reassess risk profile
• Contracts: Review and renewal
Continuous Monitoring
• Performance metrics: Uptime, response times, quality
• Security incidents: Vendor breaches monitored
• Compliance changes: New certifications, lapses
• Financial health: Ongoing stability monitoring
• News monitoring: M&A, leadership changes, incidents
Incident Management
• Vendor incidents: Notification requirements in contract
• Impact assessment: Evaluate impact on Onesurance
• Response coordination: Joint incident handling where needed
• Communication: Update customers if affected
• Post-incident: Lessons learned, plan adjustments
Offboarding
• Data return/deletion: Per contract and GDPR
• Access revocation: All access removed
• Final audit: Verification of data handling
• Documentation: Offboarding completion logged
• Lessons learned: Process improvements
Subprocessors (GDPR Context)
Definition
Subprocessors are third parties that process personal data on behalf of Onesurance as part of our services to customers. Under the GDPR we have specific obligations regarding subprocessors.
Current Subprocessors
1. Microsoft Corporation (Azure Cloud Services)
• Service: Cloud infrastructure and platform services
• Role: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS)
• Data processing location: Azure West-Europe (Amsterdam, NL)
• Data types: All customer data on our platform
• Purpose: Hosting, compute, storage, database, security services
• Certifications: ISO 27001, ISO 27017, ISO 27018, SOC 2 Type II
• GDPR compliance: EU Standard Contractual Clauses (SCCs)
• Website: azure.microsoft.com
• Privacy policy: privacy.microsoft.com
• DPA: Microsoft Online Services DPA (standard)
• Sub-subprocessors: Microsoft's approved subprocessor list
• Additional info: Microsoft is an ISO-certified data processor
2. Bonsai Software B.V. (Development Services)
• Service: Software development and maintenance support
• Role: Development partner for platform features
• Data processing location: Netherlands (EU)
• Data types: Development/staging data (anonymised where possible)
• Purpose: Product development, bug fixes, technical support
• Certifications: N/A (small company)
• GDPR compliance: DPA in place
• Access: Limited, controlled access to staging environments
• Security: NDA signed, access controls, monitoring
• Additional info: EU-based, subject to the GDPR
Future Subprocessors
We commit to informing customers of new subprocessors:
• Notification: Minimum 30 days before engagement
• Method: Email notification to the contract contact
• Objection right: Customers may object (contract terms)
• Alternative: If an objection is raised and no alternative exists → contract termination is possible
Subprocessor Obligations (GDPR)
Contractual Safeguards
Data Processing Agreement (DPA) requirements:
• Scope: Clear definition of the processing
• Instructions: Processing only on Onesurance's instructions
• Confidentiality: Confidentiality commitments from processors
• Security: Appropriate technical and organisational measures
• Sub-subprocessors: Onesurance's consent required
• Assistance: Assistance with GDPR compliance (DPIAs, data subject requests)
• Deletion/return: Data return or deletion at the end of the contract
• Audit: Right to audit the subprocessor
• Breach notification: Immediate notification of data breaches
• Data location: No transfer outside the EU without adequate safeguards
Monitoring & Enforcement:
• Contract compliance: Regular reviews
• Performance metrics: Tracked and reported
• Security audits: Annual assessment
• Incident tracking: All incidents logged
• Remediation: Action plans for issues
• Termination: On non-compliance or a significant breach
Supplier Security Requirements
Minimum Requirements
All Vendors (Non-Personal Data):
• Secure access: Strong authentication, MFA encouraged
• Encryption: Data in transit (TLS 1.2+)
• Logging: Access logs maintained
• Confidentiality: NDA signed
• Background checks: For personnel with access
Subprocessors (Personal Data):
Additional requirements:
• DPA: AVG-compliant Data Processing Agreement
• Encryption: Both at rest (AES-256) and in transit (TLS 1.3)
• Access controls: Role-based, least privilege
• Audit trail: Comprehensive activity logging
• Certifications: ISO 27001 or SOC 2 strongly preferred
• Incident response: Defined procedures, notification requirements
• Data location: EU/EEA or adequate protection
• Business continuity: BC/DR plans in place
• Insurance: Cyber liability coverage
• Background checks: For all personnel with data access
Preferred Certifications
• ISO 27001: Information Security Management
• SOC 2 Type II: Security, Availability, Confidentiality
• ISO 27017: Cloud Security
• ISO 27018: Cloud Privacy
• ISO 27701: Privacy Information Management
• CSA STAR: Cloud Security Alliance certification
Data Flows & Processing Locations
Data Processing Locations
All data processing occurs within the EU:
• Primary: Azure West-Europe (Amsterdam, Netherlands)
• Backup: Azure North-Europe (Dublin, Ireland)
• Outside EU/EEA: No processing
International Data Transfers
Current status: No international data transfers
If future transfers become necessary:
• Adequacy decision: Preferred mechanism (EU Commission)
• Standard Contractual Clauses: EU SCCs will be used
• Transfer Impact Assessment: Conducted per EDPB guidelines
• Additional safeguards: Encryption, access controls
• Customer notification: Advance notice to affected customers
• Documentation: All transfers documented
Third-Party Tools & Services
Development & Operations
GitHub (Code Repository)
• Purpose: Source code version control
• Data: Code, documentation, no customer data
• Location: Global (enterprise account)
• Security: SSO, 2FA, branch protection
• Privacy: Separate from production
Azure DevOps (CI/CD)
• Purpose: Build, test, deployment pipelines
• Data: Code, build artifacts, no customer data
• Location: West-Europe
• Security: Azure AD integration, RBAC
• Privacy: No customer data processed
Monitoring Tools (Integrated with Azure)
• Azure Monitor: Infrastructure and application monitoring
• Application Insights: Performance monitoring
• Log Analytics: Centralized logging
• Azure Sentinel: SIEM
• Location: All West-Europe
• Data: Logs, metrics, no sensitive customer data isolated
Security & Compliance Tools
Built-in Azure Services:
• Azure Security Center: Posture management
• Azure Defender: Threat protection
• Azure Firewall: Network security
• Azure Key Vault: Secrets management
• All: Native Azure, EU regions, Microsoft DPA
Business & Support Tools
Microsoft 365 (Email, Productivity)
• Purpose: Internal email, documents, collaboration
• Data: Business communications, no customer operational data
• Location: EU datacenters
• Security: Enterprise E5, DLP, encryption
• DPA: Microsoft Cloud Agreement
Slack (Optional - Internal Communication)
• Purpose: Team messaging (if used)
• Data: Internal discussions only
• Location: EU region available
• Security: Enterprise Grid, SSO, DLP
• Restriction: No customer data shared
Customer Visibility & Control
Subprocessor List
• Public list: This document serves as our subprocessor list
• Updates: Kept current, version controlled
• Notifications: Email alerts for new subprocessors
• Accessibility: Available via Trust Center at all times
Customer Rights
Notification:
• New subprocessors: 30 days advance notice
• Changes: Material changes to existing subprocessors
• Method: Email to contract contact
Objection:
• Timeframe: 14 days after notification
• Process: Written objection with reasons
• Resolution: Good-faith discussion
• Alternative: If no resolution → termination option
Audit:
• Request process: Via dpo@onesurance.ai
• Frequency: Reasonable intervals (e.g., annual)
• Scope: Subprocessor security and data handling
• Cost: May be subject to reasonable fees
• Reports: Summary reports shared
• Remediation: Issues addressed promptly
Vendor Risk Management
Risk Categories
High Risk:
• Access to production customer data
• Critical infrastructure dependencies
• Single source dependencies
• Location outside EU/EEA
• Examples: Cloud provider (Azure)
Medium Risk:
• Limited production access
• Non-critical services
• Alternatives available
• EU-based
• Examples: Development partners
Low Risk:
• No customer data access
• Internal tools only
• Easily replaceable
• Examples: Office supplies, marketing tools
Risk Mitigation
Contractual:
• Strong DPAs with liability clauses
• SLAs with penalties
• Insurance requirements
• Audit rights
• Termination rights
Technical:
• Least privilege access
• Encryption mandatory
• Activity monitoring
• Regular security assessments
• Incident response integration
Operational:
• Alternative vendors identified
• Exit strategies documented
• Regular reviews
• Performance monitoring
• Incident escalation procedures
Vendor Incident Response
Notification Requirements
Vendors must notify Onesurance:
• Immediately: Security incidents affecting our data
• Within 24h: Service disruptions affecting availability
• Within 72h: Compliance or certification changes
Onesurance Response
Upon vendor incident:
1. Assessment: Impact on Onesurance and customers (within 4h)
2. Containment: Immediate actions to limit impact
3. Customer notification: If customer data affected (see Template 06)
4. Regulatory notification: If required by GDPR/DORA
5. Remediation: Work with vendor on fixes
6. Review: Post-incident assessment
7. Improvement: Contract or relationship changes if needed
Vendor Termination
Vendor failures leading to termination:
• Significant security breach
• Loss of required certifications
• Repeated SLA violations
• Non-compliance with DPA
• Financial instability
• Acquisition by competitor
Termination Procedure
1. Notification: Formal termination notice
2. Transition: Activate alternative vendor or internal solution
3. Data: Return or deletion of all data
4. Access: Revocation of all access
5. Verification: Audit of data handling
6. Documentation: Termination completion certified
Transparency & Reporting
Regular Reporting
To Management:
• Monthly: Vendor performance metrics
• Quarterly: Vendor risk assessments
• Annual: Comprehensive vendor review
To Customers:
• On request: Subprocessor list (this document)
• Proactive: New subprocessor notifications
• As needed: Vendor incident communications
Audit & Compliance
• Internal audits: Annual vendor compliance review
• External audits: Available during customer audits
• Regulatory: Documentation for the AP (Autoriteit Persoonsgegevens) and auditors
• Certifications: Vendor certs verified annually
Due Diligence Documentation
What We Maintain
For each vendor/subprocessor:
• Vendor profile: Company info, contacts, contracts
• Security assessment: Initial and annual reviews
• Certifications: Copies of ISO, SOC reports
• DPA: Signed Data Processing Agreements
• Risk assessment: Current risk profile
• Performance: SLA compliance, incidents
• Communication: Change notifications, incident reports
Availability
• Internal: Full documentation for security/compliance teams
• Customers: Summaries available on request
• Regulators: Full documentation for auditors and the AP (Autoriteit Persoonsgegevens)
• Updates: Quarterly review, upon changes
Contact & Updates
For questions about suppliers and subprocessors:
• Data Protection Officer: dpo@onesurance.ai
• Vendor management: dpo@onesurance.ai
• Subprocessor notifications: Automatic via email
Subscribe for updates:
• New subprocessors: Contact dpo@onesurance.ai
• Vendor incidents: Via status page + email
• Policy changes: Via Trust Center updates
Onesurance B.V. | Breda, Netherlands | KvK: 87521997
Current Subprocessors:
Microsoft Corporation (Azure) - Cloud Infrastructure - EU
Bonsai Software B.V. - Development Services - Netherlands
Last updated: December 2024
Version: 1.0