Last updated: April 2023

To support delivery of our Services, Virtual Vaults may engage and use data processors with access to certain client data (each, a "Subprocessor"). This page provides you with information about the identity and location of each Subprocessor.

Virtual Vaults currently uses third party Subprocessors to provide infrastructure services, and to help us provide customer support and send out email and/or SMS notifications. Before engaging any third party Subprocessor, Virtual Vaults performs an audit in order to evaluate their privacy, security and confidentiality practices.

Primary Subprocessor

Data that is uploaded by our customers is only processed by our primary Subprocessor. Data is only processed in the region that is chosen by the customer.

# 

Supplier 

Legal entity 

Activities 

Security compliance 

Data storage location 

Protection data transfers outside EU 

Microsoft 

Microsoft Ireland Operations Ltd. 

Primary hosting service. Data that is uploaded by customers is only stored here. 

ISO/IEC 27001:2013  

ISO/IEC 27017:2015  

SOC 1 type II 

SOC 2 type II 

SOC 3 

HIPAA / HITECH 

Baseline Informatiebeveiliging Rijksdienst standard (BIR 2012) 

EU

GB

DE

Standard Contractual Clauses 

 

Supporting Subprocessors

These Subprocessors do not have access to data that is uploaded by our customers. Virtual Vaults ensures that all Subprocessors comply with the European privacy laws.

# 

Supplier 

Legal entity 

Activities 

Security compliance 

Data storage location 

Protection data transfers outside EU 

DocuSign 

DocuSign Inc. 

Electronic signing 

ISO 27001 

SOC 1 type II 

SOC 2 type II 

PCI DSS 

CSA STAR Program 

APEC PRP 

EU 

Binding Corporate Rules 

Sendgrid 

Twilio Ireland Ltd. 

Sending emails 

SOC2 Type II 

PCI-DSS 

International 

Binding Corporate Rules 

Standard Contractual Clauses 

Twilio 

Twilio Ireland Ltd. 

Sending SMS and making phone calls 

ISO/IEC 27001 

ISO/IEC 27017 

ISO/IEC 27018 

Cloud Security Alliance 

APEC CBPR & PRP Participation 

International 

Binding Corporate Rules 

Standard Contractual Clauses 

Zendesk 

Zendesk Inc. 

Support application 

SOC 2 Type II 

ISO 27001:2013 

ISO 27018:2014 

ISO 27701:2019 

FedRAMP LI-SaaS 

PCI-DSS 

HIPAA 

HDS 

EU 

N/A 

Drift 

Drift.com Inc. 

Sales automation 

platform 

SOC II Type 2 

Cloud Security Alliance 

US 

Standard Contractual Clauses 

Mailchimp 

Mailchimp c/o The Rocket Science Group, LLC 

Email marketing 

ISO/IEC 27001 

SOC II Compliant PCI DSS Certification 

 

US 

Standard Contractual Clauses 

Templafy 

Master It Solutions BV 

Email signature solution 

ISO/IEC 27001 

ISO/IEC 27017 

SOC 2 type II 

SOC 3 

EU 

N/A 

Appcues 

Appcues Inc. 

Application user onboarding 

SOC 2 type II 

 

US 

Standard Contractual Clauses 

10 

Signal Sciences 

Fastly Inc. 

Web application firewall 

ISO/IEC 27001:2013 

SOC 2 type II 

PCI DSS 

HIPAA 

US 

Standard Contractual Clauses 

11 

Outreach 

Outreach Corporation 

Sales automation 

platform 

ISO/IEC 27001 

ISO/IEC 27701 

SOC 2 type II 

Cloud Security Alliance (CSA) Security, Trust, Assurance, and Risk (STAR) 

HIPAA 

International 

Standard Contractual Clauses 

12 

Chargebee 

Chargebee Inc. 

Billing and invoice management 

ISO/IEC 27001 

SOC 1 type II 

SOC 2 type II 

PCI-DSS Level 1 Service Provider. 

HIPAA 

EU 

N/A

If you are a current Virtual Vaults customer with an active data processing agreement in place, you may subscribe to receive notifications whenever there's a change to this list of Subprocessors. You have the right to submit a written objection in the event that we appoint a new Primary Subprocessor, or if the Primary Subprocessor's data processing activities are relocated outside of the EEA. Please send your written objections to legal@virtualvaults.com within 14 days of receiving such notification. Should you object, you are entitled to terminate your agreement within this 14-day period.