Sub-processor List Attic Security
Version 1.0 (English edition) — last updated 25 June 2026
English edition of the authoritative Dutch version; in the event of any discrepancy, the Dutch version prevails.
What is a sub-processor
A sub-processor is an external organisation that processes personal data on Attic's instructions in order to make our services possible. Examples: our hosting provider, our CRM system, our payment processor.
With every sub-processor we have concluded a data processing agreement (DPA) that is at least equivalent to our own DPA with customers. We remain responsible to you for these sub-processors' compliance.
How we manage sub-processors
- Selection — at contracting we assess sub-processors on security, privacy and compliance maturity
- Periodic reassessment — at least annually we verify whether the sub-processor still meets our requirements
- Location policy — we process personal data exclusively within the European Economic Area (EEA)
- Transparency — this list is public and is updated on every change
Sub-processors — Service data
These sub-processors support our MDR services (continuous monitoring and IVON, our AI-driven response agent). They process personal data from customers' Microsoft 365 environments on our instructions.
| Sub-processor | Purpose | Processing location | Safeguard |
|---|---|---|---|
| Hetzner Online GmbH | Hosting of our backend infrastructure including storage of incident data, audit trail and customer configuration | Germany (primary) and Finland (secondary) | DPA under GDPR Art. 28; ISO 27001 certified |
| Microsoft Corporation (Azure + Azure AI Foundry) | Cloud infrastructure for continuous monitoring and AI inference for IVON | Microsoft Azure region West Europe + Sweden Central | DPA under GDPR Art. 28; Microsoft Online Services DPA |
Note on Azure AI Foundry: IVON uses a language model (Claude by Anthropic) that is hosted by Microsoft within Azure AI Foundry. Anthropic itself receives no customer data via this route — Microsoft is contractually responsible for data handling — and for that reason is not a sub-processor of Attic.
Sub-processors — Customer relationship data
These sub-processors support our customer relationship, sales, support and billing. They process personal data of customer contacts, not the service data from the Microsoft 365 environment.
| Sub-processor | Purpose | Processing location | Safeguard |
|---|---|---|---|
| Zendesk Inc. | Customer support and ticket management (planned migration to HubSpot) | EU region | DPA under GDPR Art. 28 |
| HubSpot Inc. | CRM and customer relationship management | EU region | DPA under GDPR Art. 28 |
| Chargebee Inc. | Billing and subscription management | EU region | DPA under GDPR Art. 28 |
| Stripe Inc. | Payment processing (via Chargebee) | EU region | DPA under GDPR Art. 28; PCI-DSS certified |
| Functional Software Inc. (Sentry) | Error detection and debugging (planned replacement by the self-hosted GlitchTip) | EU region | DPA under GDPR Art. 28 |
Technical infrastructure (not a GDPR sub-processor)
For full transparency we also name the following tools, which do not process personal data and are therefore not GDPR sub-processors:
| Tool | Purpose | Location |
|---|---|---|
| Zabbix | System monitoring (infrastructure metrics only, no personal data) | Our infrastructure (Hetzner, EU) |
| GlitchTip | Error tracking, self-hosted solution | Our infrastructure (Hetzner, EU) |
Changes to our sub-processor list
In the event of a change — a new sub-processor or a replacement — we inform customers at least 30 days in advance. Within that period you have the right to object on reasoned grounds related to data protection, in accordance with our data processing agreement (DPA).
This public list serves as notification to the public; in addition, we inform you by email of material changes.
No transfer outside the EU
All of the sub-processors above process your personal data exclusively within the European Economic Area (EEA). We do not transfer personal data to countries outside the EEA.
Should transfer outside the EEA become necessary in the future, this will take place exclusively under the applicable safeguards of Chapter V GDPR (such as Standard Contractual Clauses or adequacy decisions) and this list will be amended beforehand.
Contact
Questions about this sub-processor list or our sub-processor choices:
Privacy questions: privacy@atticsecurity.com
Privacy contact: privacy@atticsecurity.com — Erik Remmelzwaal
Version history
- v1.0 — 25 June 2026 — Initial public list, published in parallel with Privacy Statement v1.0 and DPA v1.0