Third Party Processors

NCC Group uses Processors to support the delivery of our services to you.

A Processor is an external service provider (Third Party) or another member of NCC Group that is enlisted to deliver the service to you, where we are delivering a service to you in the role of controller. Therefore, this page doesn’t include the processing activities and services we deliver in the role of processor. More information on the latter can be found on our Sub-processor page.

To deliver our service to you we may share certain personal information with one or more processors. We have written contracts between NCC Group and all our processors, which include obligations in relation to technical and organisational measures and compliance with applicable privacy laws.

Whether any processor is used for any particular client engagement will depend on the country in which services are provided, the nature of the services and any specific client terms or processes agreed.

The below provides information about the most important processors we may use to deliver services to you depending on specific service procured:

	Service provider	Services	Personal data
General	Amazon	Public cloud services	We use cloud services for hosting. Depending on the specific customer situation, a variety of personal data may be processed. See also the Privacy Policy.
	Atlassian	Productivity platform	We use productivity software hosted in the cloud. In that case, the following personal data are usually processed:
	ContractPodAI	Contract management software	Name, business contact information (such as e-mail address and phone number, (digital) signature)
	DocuSign	Digital signing	Name, business contact information (such as e-mail address and phone number), (digital) signature
	Kantata	Project planning software	Name, business contact information (such as e-mail address and phone number)
	Microsoft	Public cloud services, communication, connectivity and productivity platform	We use cloud services for hosting and purchase software for our daily office operations. Depending on the customer's specific situation, a variety of personal data may be processed. See also [link]
	Salesforce	Contract management (including possibly registration of potential customers )	Name, business contact information (such as e-mail address and phone number), (digital) signature. If applicable: data on opt-in and opt-out.
	Workday Finance	Invoicing Software	Name, business contact information (such as e-mail address and phone number), (digital) signature
Consultancy & Implementations	Security Academy	Training coursesand awareness	Fox-IT and Security Academy collaborate in providing cyber security training. To this end, the following personal information is typically shared: Name, business contact information (such as email address and phone number).
Digital Forensics & Incident Response	Amazon	Public cloud services for our Global Investigation Environment	The Department of Digital Forensics & Incident Response has developed a highly isolated environment to securely process investigation materials in the cloud. Depending on the specific customer situation, a variety of personal data may be processed. See also Privacy Policy
	Broadcom; CrowdStrike; SentinelOne;	Endpoint security monitoring software	Depending on the customer's specific situation, we may choose to deploy security monitoring resources in Incident Response. In that case, the following personal data are typically processed: Contact information (name, address, e-mail address, phone number, job title); Electronic identification data (such as IP address, MAC address, numberIMEI, cookies, computer name, user name, connection times). In addition, other personal data may be processed that can be derived from customer-specific keywords, Internet history or behavioral activities through the use of company resources.
	Intermax Cloudsourcing	Private cloud services for hosting in case of deployment of security monitoring tools	We use a private cloud service to host our security monitoring services. See specific security monitoring party for more information on the personal data to be processed.
	Reveal / Zylab	EDiscovery software	Depending on the customer's specific situation, we may choose to use eDiscovery in Incident Response. The following personal data are typically processed for this purpose: Name, business contact information (e-mail address and phone numbers). In addition, other are personal data processed that can be derived from customer-specific keywords, Internet history or behavioral activities through the use of company resources.
	ServiceNow	Ticket and reporting software in deployment of security monitoring tools	We use ServiceNow for the ticketing and reporting process when deploying our security monitoring services. In that case, the following personal data are processed: Name, business contact information (such as e-mail address and phone number)
Technical Assurance Services	DigitalOcean Hetzner Linode Vultr Trans IP	Public cloud services	We use cloud services for hosting. Depending on the customer's specific situation, a variety of personal data may be processed. See also Privacy Policy

A full list of the subsidiaries of NCC Group plc who may be engaged to support the delivery of our services to you is available here.

Further information regarding the Third Party processors used by NCC Group, for the specific services we provide to you, can be obtained from your local contact/account manager.

If you have questions related to the privacy compliancy you can also ask for further information via dataprotection@nccgroup.com

Last updated: 1 April 2025

NCC Group Third Party Processors