Decypher Technologies List of Subcontractors
Last Updated: 04/08/2026
As part of delivering our IT and cybersecurity services to our Clients, Decypher Technologies Inc. (“Decypher,” “we,” “us,” or “our”) may engage third-party service providers (each, a “Subcontractor” or “Sub-processor”) who may process Personal Data on our behalf. This List of Subcontractors provides transparency regarding the identity, location, and role of each Subcontractor we engage in delivering our Services. Our engagement of Subcontractors is governed by our contractual obligations under applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR), Colorado Privacy Act (CPA), California Consumer Privacy Act (CCPA/CPRA), and other relevant privacy regulations.
Subprocessor Definition and Engagement Standards
A Subcontractor, as defined in this document, is any third-party entity engaged by Decypher that has or may have access to Personal Data in the course of providing services that support our delivery of IT managed services, cybersecurity solutions, compliance consulting, or related offerings to our Clients. Decypher maintains strict standards for Subcontractor engagement and requires each Subcontractor to enter into written agreements that impose substantially the same data protection obligations that apply to Decypher under our contractual arrangements with Clients. These obligations include, but are not limited to: processing Personal Data only on documented instructions; implementing appropriate technical and organizational security measures; maintaining confidentiality; assisting with data subject rights requests; and providing cooperation in the event of a data breach or security incident. All Subcontractors must demonstrate compliance with applicable data protection laws and industry-standard security practices before being authorized to process Personal Data on behalf of Decypher.
Changes to Subcontractors and Client Notification
Decypher reserves the right to add, remove, or replace Subcontractors as necessary to deliver and improve our Services, respond to technological changes, or optimize our service delivery model. When Decypher intends to engage a new Subcontractor or replace an existing Subcontractor that will have access to Personal Data, we will provide advance notice to affected Clients in accordance with the terms of our applicable service agreements and Data Processing Agreements (DPAs). Unless otherwise specified in your DPA, Decypher will provide a minimum of thirty (30) calendar days’ advance notice of such changes by updating this List of Subcontractors and notifying Clients via email to the primary contact address on file. If a Client objects to a new or replacement Subcontractor on reasonable grounds relating to data protection, the Client must notify Decypher in writing within seven (7) calendar days of receiving notice of the change. Decypher will work with the Client in good faith to address such concerns, which may include using commercially reasonable efforts to make available an alternative solution or, if no mutually acceptable resolution can be reached, allowing the Client to suspend or terminate the affected Services in accordance with the applicable service agreement without penalty.
Subcontractor Categories and Disclosed Information
The Subcontractors listed in this document are organized by functional category to provide clarity regarding their role in our service delivery. For each Subcontractor, we disclose the following information: (1) the Subcontractor’s legal name and/or trade name; (2) the primary jurisdiction(s) or geographic location(s) where the Subcontractor processes or may process Personal Data; (3) a description of the services or functions performed by the Subcontractor; and (4) the category of Personal Data that may be accessible to the Subcontractor. Decypher distinguishes between two types of Subcontractors: Core Infrastructure Subcontractors, which provide essential services necessary for the operation and delivery of our platform and services (such as cloud hosting, data storage, network infrastructure, and security monitoring), and Service-Specific Subcontractors, which support particular features, functionalities, or service offerings that may be utilized depending on the Client’s selected services or configuration. Certain Subcontractors may process Personal Data in jurisdictions outside the European Economic Area (EEA), United Kingdom, or United States; where applicable, Decypher ensures that appropriate data transfer mechanisms are in place, including Standard Contractual Clauses (SCCs), adequacy decisions, or other legally compliant transfer frameworks as required by applicable data protection laws.
| Subcontractor Name | Location(s) | Service Description | Categories of Personal Data | Data Transfer Mechanism |
|---|---|---|---|---|
| Microsoft Corporation (Azure / Microsoft 365) | United States (multiple regions); European Union (Netherlands, Ireland, Germany); Global data centers | Cloud hosting services, email services (Microsoft 365/Exchange Online), document storage and collaboration, identity and access management, backup services | All categories of Personal Data processed through Decypher Services, including email addresses, names, email content and attachments, user authentication data, documents, system configuration data, operational logs | Standard Contractual Clauses (SCCs) for transfers from EEA/UK to US; EU-US Data Privacy Framework (for certified services) |
| CrowdStrike, Inc. | United States | Endpoint detection and response (EDR/XDR), threat intelligence, security monitoring, malware detection and response | Endpoint data, security event logs, threat indicators, system configuration data, device identifiers, process execution data | Standard Contractual Clauses (SCCs) for transfers from EEA/UK to US |
| ThreatLocker, Inc. | United States (Orlando, Florida) | Application allowlisting and ringfencing, storage control, network access control, endpoint security policy enforcement, zero-trust application control | Device identifiers, process execution data, application usage logs, system configuration data, network access logs, file activity records, user activity data | Standard Contractual Clauses (SCCs) for transfers from EEA/UK to US |
| Arctic Wolf Networks, Inc. | United States (Minnesota); Canada (Ontario); Germany (Frankfurt) | Managed detection and response (MDR), 24×7 security operations center (SOC) monitoring, threat hunting, incident response, cloud security monitoring, vulnerability management | Security event logs, network traffic data, endpoint telemetry, threat intelligence data, incident response data, user activity logs, system configuration data | Standard Contractual Clauses (SCCs) for transfers from EEA/UK to US and Canada; adequacy decision for Canada |
| Zscaler, Inc. | United States (California); Global data centers across 160+ locations worldwide including United States, European Union, Asia-Pacific | Zero Trust network access (ZTNA), secure web gateway (SWG), cloud firewall, data loss prevention (DLP), browser isolation, secure internet and cloud application access | Network traffic data, IP addresses, HTTP/HTTPS request data, user authentication credentials, web activity logs, application access logs, DNS query data, SSL/TLS inspection data | Standard Contractual Clauses (SCCs) for transfers from EEA/UK to US |
| Datto, Inc. (Kaseya company) | United States; Canada | Backup and disaster recovery services, business continuity, data restoration | All categories of client data subject to backup, including documents, emails, system images, database backups, user files | Standard Contractual Clauses (SCCs) for transfers from EEA/UK to US |
| Datto, Inc. (Kaseya company) | United States; Canada | IT documentation platform, credential management, and configuration data storage | System configuration data, device identifiers, network information, client contact information, administrative credentials, operational logs | Standard Contractual Clauses (SCCs) for transfers from EEA/UK to US; adequacy decision for Canada |
| ConnectWise LLC | United States | Remote monitoring and management (RMM), patch management, remote support, IT ticketing and service desk | System configuration data, device identifiers, network information, support ticket content, technician activity logs, client contact information | Standard Contractual Clauses (SCCs) for transfers from EEA/UK to US |
| Kaseya Limited | United States; Ireland | Remote monitoring and management (RMM), patch management, remote access, automated IT management | System configuration data, device identifiers, network information, patch deployment data, remote session logs | Standard Contractual Clauses (SCCs) for transfers from EEA/UK to US |
| Cisco Systems, Inc. (Meraki) | United States; Global network locations | Network infrastructure management, firewall administration, wireless access point management, traffic monitoring and analytics | Network traffic data, device MAC addresses, IP addresses, network configuration data, user device information, network usage logs | Standard Contractual Clauses (SCCs) for transfers from EEA/UK to US |
| Proofpoint, Inc. | United States | Email security and threat protection, anti-phishing, anti-malware, email filtering, data loss prevention (DLP) | Email addresses, email content, email headers and metadata, sender/recipient information, attachment data, threat intelligence data | Standard Contractual Clauses (SCCs) for transfers from EEA/UK to US |
| AutoElevate (CyberFox) | United States | Endpoint privilege access management, application installation control, elevation policy enforcement, automated privilege request handling | Application installation requests, user identity data, elevation event logs, endpoint configuration data, process execution data | Standard Contractual Clauses (SCCs) for transfers from EEA/UK to US |
| Acronis International GmbH | United States (US data centers); Switzerland (headquarters only; no client data stored) | Backup and disaster recovery services, local and cloud backup, business continuity, data restoration | All categories of client data subject to backup, including documents, emails, system images, database backups, user files | Standard Contractual Clauses (SCCs) for transfers from EEA/UK to US |
| Tenable, Inc. (Nessus) | United States | Vulnerability scanning and assessment, network security scanning, compliance auditing | IP addresses, system configuration data, vulnerability scan results, network topology data, device identifiers | Standard Contractual Clauses (SCCs) for transfers from EEA/UK to US |
| RapidFire Tools | United States | Security and compliance assessment tools, system configuration scanning, compliance reporting | System configuration data, security assessment results, compliance scan data, device information | Standard Contractual Clauses (SCCs) for transfers from EEA/UK to US |
| Global Relay Communications Inc. | Canada; United States | Email archiving and retention, regulatory compliance archiving, e-discovery support | Email addresses, archived email content and attachments, email metadata, communication records | Standard Contractual Clauses (SCCs) where applicable; adequacy decision for Canada |
| Okta, Inc. | United States; Global data centers | Identity and access management (IAM), single sign-on (SSO), multi-factor authentication (MFA), user provisioning | User authentication credentials, email addresses, names, authentication logs, device information, MFA enrollment data | Standard Contractual Clauses (SCCs) for transfers from EEA/UK to US; EU-US Data Privacy Framework (for certified services) |
| KnowBe4, Inc. | United States | Security awareness training, phishing simulation, compliance training, user risk scoring | User email addresses, names, training completion records, phishing simulation click data, user risk scores | Standard Contractual Clauses (SCCs) for transfers from EEA/UK to US |
Contact Information and Additional Assistance
For questions regarding this List of Subcontractors, to request additional information about any specific Subcontractor listed herein, to subscribe to receive email notifications of changes to this list, or to exercise any rights under your Data Processing Agreement related to Subcontractors, please contact Decypher’s Legal Team at [email protected]. Upon reasonable written request and subject to applicable confidentiality obligations, Decypher will provide Clients with additional information regarding a Subcontractor’s processing activities, security measures, or data protection practices to the extent necessary for the Client to verify compliance with applicable data protection laws. Clients who have audit rights under their Data Processing Agreement may exercise such rights in accordance with the terms specified in the DPA, provided that any audit of a Subcontractor shall be subject to the Subcontractor’s reasonable policies, confidentiality requirements, and the coordination procedures set forth in the applicable service agreement. This List of Subcontractors is reviewed and updated periodically to reflect changes in Decypher’s service delivery model and technology infrastructure. Decypher maintains internal records of all Subcontractor changes, including the dates of authorization, modification, or termination of each Subcontractor relationship. This document was last updated on the date indicated at the beginning of this List of Subcontractors and supersedes all prior versions.