Sub-Processors
Service infrastructure
These sub-processors host or process data inside the Involv intranet Service:
| Sub-processor | Purpose | Data hosting | Transfer safeguard |
|---|---|---|---|
| Microsoft Corporation | Azure hosting, Microsoft 365 platform, Microsoft Entra ID authentication | EU (West Europe / North Europe regions) | DPF + EU SCCs + supplementary measures (Schrems II) |
| Cloudflare Inc. | CDN, bot detection, DDoS protection | Global edge network; EU processing for EU visitors | DPF + SCCs |
Website & marketing tools
These sub-processors handle data collected via involv-intranet.com. All non-essential cookies are enabled only after explicit visitor consent via our cookie banner.
| Sub-processor | Purpose | Consent | Data hosting | Transfer safeguard |
|---|---|---|---|---|
| HubSpot Inc. | CRM, marketing automation, forms, live chat, meetings, knowledge base | Functional + analytics (cookies); legitimate interest (CRM records of B2B prospects) | EU (Frankfurt, Germany) | DPF + SCCs |
| Google LLC | Google Analytics 4, Google Ads, server-side Tag Manager (via collector.involv-intranet.com), YouTube video embeds |
Analytics + marketing | USA | DPF |
| Microsoft Corporation — Clarity | Heatmaps and session recordings (sensitive fields auto-masked) | Analytics | USA | DPF |
| Meta Platforms Ireland Ltd. | Meta Pixel for Facebook/Instagram retargeting and conversion measurement | Marketing | Ireland (EU controller) + USA (processing) | DPF |
| CookieScript UAB | Cookie consent management platform (banner, preference centre, consent log) | Strictly necessary (no consent needed for the consent tool itself) | EU (Lithuania) | None required (EEA) |
| Referly Inc. | Affiliate / partner referral tracking, B2B visitor identification | Marketing | USA — Dover, Delaware | DPF / SCCs |
International transfers
For sub-processors located outside the European Economic Area (notably the United States), we rely on the following safeguards:
- EU–U.S. Data Privacy Framework (DPF): for processors certified under the DPF (adequacy decision of 10 July 2023, Implementing Decision C(2023) 4745). Certification status can be verified at dataprivacyframework.gov.
- Standard Contractual Clauses (SCCs): 2021 SCCs (Implementing Decision 2021/914), supplemented by a documented Transfer Impact Assessment (TIA) following the Schrems II judgment (CJEU, 16 July 2020).
You can request a copy of the relevant safeguards or our TIA summaries via [email protected].
Notification of changes
When we plan to engage a new sub-processor or replace an existing one for processing customer personal data, we will:
- Update this page with the proposed new sub-processor and the effective date;
- Notify customer administrators on file by email, at least 30 days before the change takes effect;
- Allow customers to object to the new sub-processor on reasonable data protection grounds within the notification period, as specified in our DPA.
To subscribe to email updates about changes to this list, contact [email protected] with the subject “Subscribe — sub-processor updates”.
Contact
For questions about our sub-processors, to object to a new sub-processor, or to request safeguards documentation:
Email: [email protected]
