Version 1.0 - April 2026
Overview
SecBox (operated by SecBox S.r.l.) engages the following sub-processors to deliver its services, in accordance with GDPR Art. 28. Each sub-processor is bound by a Data Processing Agreement (DPA) that imposes data protection obligations equivalent to those between SecBox and its customers.
Any addition, replacement, or removal of a sub-processor will be communicated to affected customers with at least 30 days advance notice, as specified in the DPA. Customers who object may exercise their rights under the DPA by contacting [email protected].
Current Sub-Processors
| Sub-processor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Hosting Provider (cPanel/Apache) | Server infrastructure and storage - hosts all customer-facing application data | European Union | EU residency - no international transfer |
| Google LLC (Google Analytics 4) | Anonymized site traffic analytics, activated only after visitor consent | USA | Standard Contractual Clauses (SCCs) + EU-US Data Privacy Framework (DPF) |
| Chatwoot (self-hosted on SecBox infrastructure) | Website chat service (EVA commercial assistant), pre-sales conversation handling, and contact context storage | European Union | EU residency - self-hosted on Hetzner (Finland) |
| MiniMax (HAILUO AI PTE. LTD.) | Large language model responses for the EVA chat assistant (activated only when visitor grants specific consent for the chat widget) | Singapore | Standard Contractual Clauses (SCCs) for non-EU transfer |
Transfer Summary
| Region | Sub-processors | Safeguard |
|---|---|---|
| European Union | Hosting Provider, Chatwoot (self-hosted) | EU residency - GDPR applies directly |
| United States of America | Google LLC | Standard Contractual Clauses + EU-US Data Privacy Framework |
| Singapore | MiniMax (HAILUO AI) | Standard Contractual Clauses under GDPR Art. 46 |
Notes on US Transfers
Google LLC is certified under the EU-US Data Privacy Framework (DPF), recognized by the European Commission as providing an adequate level of protection (Commission Implementing Decision of 10 July 2023). In addition, Standard Contractual Clauses (Module 2: Controller to Processor) govern the transfer as a supplementary safeguard.
Google Analytics 4 is configured with IP anonymization enabled. No advertising features or cross-site tracking are activated.
Updates and Notifications
SecBox will notify customers of any change to this sub-processor list at least 30 days before the change takes effect. Notifications are sent to the email address registered in the customer account or as specified in the executed DPA.
To receive sub-processor update notices or to raise an objection, contact: [email protected]
The current version of this list is always available at secbox.net/subprocessors/.
Data Processing Agreement
Full data processing terms - including technical and organizational measures, audit rights, and data subject assistance obligations - are governed by the Data Processing Agreement.
Customers who require a signed DPA should contact [email protected].