DOCUMENTATION

Ironstone's processors and subprocessors

Ironstone (“Ironstone”) uses selected sub-vendors in providing our services. These sub-vendors operate as Ironstone's sub-processor, where Ironstone acts as a processor on our customer's behalf. For processing activities where Ironstone operates as a Controller, the sub-vendor operates as a processor. 

Ironstone processes your personal information in strict accordance with the General Data Protection Regulation ("GDPR") and has signed Data Processor Agreements with all our sub-vendors. Ironstone will only process personal information to the extent necessary to provide our Services or for business support purposes.

Ironstone performs due diligence on the information security practices and data protection compliance of all processors and sub-processors and requires each to commit to written obligations (Data Processor Agreements) regarding their technical and organizational activities related to security controls and applicable regulations for the protection of our customer's personal data.

 

Processing of personal data where Ironstone operates a controller

As a controller, Ironstone process personal data for the purpose of operating our business support systems, i.e. for providing our clients with support services, storing contact information, issuing invoices, bookkeeping etc. These are personal data that we collect from our customers, and that we process for our own purposes, and which do not encompass our customers' data as stored on their tenants in the cloud.

Below is a list of all processors of personal data:

The following companies operate as third-party vendors, cf. Operational Service Agreement, and where their products and services are expressly licensed directory to customers, and where our customers have signed a Data Processor Agreement.Please consult our Data Processor Agreement for information on the use and change of sub-processors.

Sub-Processors

Spektra Systems

  • Organization number:
  • Address: 8201 164TH AVE NE, Suite 200, Redmond, WA 98052-7615
  • System: CSP Control Center (C3)
  • Description of processing: Generates billing data and analysis for Microsoft CSP customers.
  • Processing location:
    • Storage: EU
    • Support protected by SCC and TIA: handled from India
  • Security:
  • Added to this page: 01.05.2022
  • Contact:
  • Types of personal data processed on behalf of the customer: Username and email address of users in Entra ID
  • Special categories of personal data: None

Pistachio AS

  • Organization number: NOR: 929575717
  • Address: Karvesvingen 7, 0579 Oslo
  • System: Pistachio App
  • Description of processing: Conducting security awareness training and phishing simulations.
  • Processing location: Storage: EU
  • Security:
  • Added to this page: May 2025
  • Contact: privacy@pistachioapp.com
  • Types of personal data processed on behalf of the customer: Name, email address, role, and interaction data (e.g., clicks, reporting), training progress
  • Special categories of personal data: None

Site24x7 (Zoho Corporation)

  • Organization number:
  • Address: Beneluxlaan 4B, 3527 HT Utrecht, The Netherlands
  • System: Zoho Corporation
  • Description of processing: Monitoring customers’ infrastructure and services to ensure availability and stability.
  • Processing location:
    • Storage: EU
    • Support protected by SCC and TIA: handled from India
  • Security:
  • Added to this page: 23.09.2019
  • Contact:
  • Types of personal data processed on behalf of the customer: Customer’s technical contacts in the form of email and name or phone number used when an infrastructure alarm is triggered.
  • Special categories of personal data: None

Tungsten Automation Corporation

  • Organization number: SWE: 5565813176
  • Address: Vasagatan 16, c/o Convendum, 111 20 Stockholm, Sweden
  • System: Printix
  • Description of processing: Enabling secure and efficient printing via a cloud-based print solution.
  • Processing location: Storage: EU
  • Security: https://www.printix.net/dpa
  • Added to this page: 23.09.2019
  • Contact: gdpr.privacy@tungstenautomation.com
  • Types of personal data processed on behalf of the customer: Name; email address; user ID; print logs (e.g., document name, time, printer, device)
  • Special categories of personal data: None

Komplett ASA

  • Organization number: NOR: 980213250
  • Address: Østre Kullerød 4, 3241 Sandefjord
  • System: ServiceDesk (support)
  • Description of processing: Delivery of support services.
  • Processing location: Work is performed in Ironstone’s systems (Freshservice and FreshCaller).
  • Contact: personopplysning@komplett.no
  • Types of personal data processed on behalf of the customer: See Freshservice and FreshCaller.
  • Special categories of personal data: It is possible for the customer’s users to send emails containing sensitive personal data. In such cases, Komplett informs the user that this is not desired and then deletes the inquiry. If the user’s email concerns support or troubleshooting, Komplett will handle the request in accordance with the agreement and send a separate email reproducing the inquiry with the date and time of receipt. The original email is then deleted.

Eccera IT Solutions AS

  • Organization number: NOR: 982896932
  • Address: Grønnegata 52, 2317 Hamar
  • System: ServiceDesk (support)
  • Description of processing: Delivery of support services.
  • Processing location:
    • Storage: EU
    • Supplier’s own sub-processors:
      • Uses TopDesk, which has offices in several countries outside the EU, but access is restricted so that data can only be processed and accessed from within the EU/EEA.
  • Contact: dag.lien@centric.eu
  • Types of personal data processed on behalf of the customer: Information in emails submitted as support requests (the message itself, email addresses, contact info in signature or free text).
  • Special categories of personal data: It is possible for the customer’s users to send emails containing sensitive personal data; these are deleted after notification.

ConnectWise

  • Organization number: M20000009101
  • Address: 400 North Tampa Street, Suite 130, Tampa, FL 33602
  • System: ScreenConnect
  • Description of processing: Remote control in connection with support. No data storage – only real-time viewing of the desktop during an active session.
  • Processing location:
    • Storage: EU, Amsterdam
    • DPF certification from the USA (company is US-based)
    • SCC and TIA for sub-processors
  • Contact: privacy@connectwise.com
  • Security: https://www.connectwise.com/platform/psa/slas
  • Added to this page: 2025
  • Types of personal data processed on behalf of the customer: All information visible on the user’s desktop during an active session (may include documents, emails, program windows, etc.).
  • Special categories of personal data: If the user has open documents containing sensitive data, the technician may gain access. The user is asked to close documents/windows before work starts.

Freshworks Inc. – Freshservice

  • Address: Freshworks GmbH, Neue Grünstraße 17, 10179 Berlin, Germany
  • System: Freshservice
  • Description of processing: Handling of customer inquiries, support requests, agreements, and contact information (ITSM).
  • Processing location:
    • Storage: EU
    • Support protected with DPF certification, SCC, and TIA: handled from the USA and India
  • Contact: dpo@freshworks.com
  • Security:
  • Added to this page: 01.05.2022
  • Types of personal data processed on behalf of the customer: Name; email address; phone number; position; organization; content of inquiries (may include system data, error descriptions, documents, and internal notes); attachments.
  • Special categories of personal data: It is possible for the customer’s users to send emails containing sensitive information; such content is deleted after notification.

Freshworks Inc. – FreshCaller

  • Address: Freshworks GmbH, Neue Grünstraße 17, 10179 Berlin, Germany
  • System: FreshCaller
  • Description of processing: Handling of customer inquiries by phone.
  • Processing location:
    • Storage: EU
    • Support protected with DPF certification, SCC, and TIA: handled from the USA and India
  • Security:
  • Added to this page: 01.05.2022
  • Contact: dpo@freshworks.com
  • Types of personal data processed on behalf of the customer: Name; email address; phone number; position; organization; content of inquiries (may include system data, error descriptions, documents, and internal notes); attachments.
  • Special categories of personal data: Customers may disclose sensitive personal data over the phone; users are informed that this is not desired.

Sinch AB

  • Organization number: SWE: 5568828908
  • Address: Lindhagensgatan 112, 112 51 Stockholm, Sweden
  • System: Sinch Engage
  • Description of processing: Sending SMS to customers and users.
  • Processing location:
    • Storage: EU
    • Support protected by SCC and TIA: handled from the USA
  • Security:
  • Added to this page: 21.01.2020
  • Contact: dpo@sinch.com
  • Types of personal data processed on behalf of the customer: Phone number
  • Special categories of personal data: None

AvePoint Deutschland GmbH

Microsoft – Partner Center

  • Organization number: NOR: 957485030
  • Address: Dronning Eufemias gate 71, 0194 Oslo
  • System: Partner Center
  • Description of processing: Access to and administration of licenses and services as part of the CSP program.
  • Processing location:
    • Storage: EU
    • Support protected with DPF certification: handled by Microsoft Global Support from:
      • North America: USA, Canada
      • Latin America: Brazil, Mexico, Costa Rica
      • Asia-Pacific: Australia, India, Japan, Malaysia, New Zealand, Singapore, South Korea, Taiwan, the Philippines
      • Middle East and Africa: Egypt, Israel, Qatar, South Africa, Kenya, Nigeria, Morocco, United Arab Emirates, Tunisia, Ghana
  • Contact: privacy@microsoft.com
  • Types of personal data processed on behalf of the customer: Contact information – name, email address, username, phone number, group/role membership.
  • Special categories of personal data: None

Microsoft – Azure

  • Organization number: NOR: 957485030
  • Address: Dronning Eufemias gate 71, 0194 Oslo
  • System: Azure
  • Description of processing:
    • Infrastructure for IT services delivered as part of the agreement.
    • Structuring and presentation of the customer’s Microsoft data via the Ironstone portal.
  • Processing location:
    • Storage: EU
    • Support protected with DPF certification: handled by Microsoft Global Support from:
    • North America: USA, Canada
    • Latin America: Brazil, Mexico, Costa Rica
    • Asia-Pacific: Australia, India, Japan, Malaysia, New Zealand, Singapore, South Korea, Taiwan, the Philippines
    • Middle East and Africa: Egypt, Israel, Qatar, South Africa, Kenya, Nigeria, Morocco, United Arab Emirates, Tunisia, Ghana
  • Security: http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=46
  • Added to this page: 23.09.2019
  • Contact: privacy@microsoft.com
  • Types of personal data processed on behalf of the customer: Name; email address; username; position; department; phone number; group/role membership; login history; IP address; MFA status; possible profile picture and custom attributes.
  • Special categories of personal data: None

Microsoft – Microsoft 365

  • Organization number: NOR: 957485030
  • Address: Dronning Eufemias gate 71, 0194 Oslo
  • System: Microsoft 365
  • Description of processing:
    Email (Exchange Online): secure and stable email service
    File sharing and document management (OneDrive and SharePoint): efficient sharing and collaboration
    Collaboration and meeting tools (Teams): chat, meetings, and collaboration
    Office applications (Word, Excel, PowerPoint, Outlook): daily office work
  • Processing location:
    • Storage: EU
    • Support protected with DPF certification: handled by Microsoft Global Support (same regions as above).
  • Security: http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=46
  • Added to this page: 23.09.2019
  • Contact: privacy@microsoft.com
  • Types of personal data processed on behalf of the customer:
    • Exchange Online: name, email address, content of email messages, metadata (timestamps, IP address, logs), attachments
    • OneDrive/SharePoint: name, user information, document content, sharing logs, access control, version history
    • Teams: user profiles, meeting recordings, messages, shared screen content, activity data
    • Office applications: document content, metadata, contact information, data processed in Excel
  • Special categories of personal data: None, unless emails containing such data are sent; if so, they are deleted after notification.

 

Ironstone Affiliates

Ironstone AB

  • The purpose of the processing: In respect of Ironstone’s Affiliates, groups of individuals located in different offices may have a need to access Customer data for service delivery purposes and/or business support purposes.
  • Locations (transfer mechanism where outside of the EEA): Sweden
  • Date added to this page: 23.09.2019

Ironstone AS

  • The purpose of the processing: In respect of Ironstone’s Affiliates, groups of individuals located in different offices may have a need to access Customer data for service delivery purposes and/or business support purposes.
  • Locations (transfer mechanism where outside of the EEA): Norway
  • Date added to this page: 23.09.2019

Ironstone Holding AS

  • The purpose of the processing: In respect of Ironstone’s Affiliates, groups of individuals located in different offices may have a need to access Customer data for service delivery purposes and/or business support purposes.
  • Locations (transfer mechanism where outside of the EEA): Norway
  • Date added to this page: 23.09.2019