Sub-processors
How we use sub-processors
Imageplus uses a limited number of third-party service providers to deliver its services. These providers act as sub-processors under GDPR Article 28 where they process personal data on behalf of our clients.
We apply a minimal and quality-first approach to sub-processors. Every provider is assessed before adoption against security posture, certifications, data location, contractual terms, transfer mechanisms and reputation. Sub-processors are reviewed annually as part of our ISMS cycle.
The sub-processors applicable to a specific engagement depend on the services provided. Engagement-specific sub-processors are documented in the applicable DPA annex, SLA, statement of work or other engagement documentation.
Imageplus distinguishes between:
Imageplus internal operations: the tools and providers used by Imageplus to deliver advisory, engineering, support, hosting, maintenance and operational services.
Client systems and client-requested architectures: the providers used inside systems, applications, workflows or AI pipelines designed, built, integrated or maintained by Imageplus on behalf of a client.
Where a client instructs Imageplus to build or maintain a system using specific providers, those providers form part of the client-approved architecture and are documented for that engagement.
Infrastructure
| Provider | Role | Location | Transfer mechanism and certifications |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure for client platforms and data | EU/EEA where configured | No Chapter V transfer for EU/EEA processing; SCCs where non-EEA transfers or remote access apply. ISO 27001, ISO 27017, SOC 1/2/3. |
| Google Cloud Platform (GCP) | Compute, storage and AI/ML workloads where applicable | EU/EEA where configured | No Chapter V transfer for EU/EEA processing; SCCs where non-EEA transfers or remote access apply. ISO 27001, SOC 1/2/3. |
| DigitalOcean | Infrastructure for smaller engagements | EU/EEA where configured | No Chapter V transfer for EU/EEA processing; SCCs where non-EEA transfers or remote access apply. ISO 27001, SOC 2. |
| Cloudflare | DNS, edge protection, CDN and website hosting via Workers where applicable | Global edge network / Anycast routing | EU-US Data Privacy Framework where applicable; SCCs and supplementary measures where required. ISO 27001, SOC 2. |
| Cloudways | Managed hosting for applicable engagements | EU/EEA where configured | No Chapter V transfer for EU/EEA processing; SCCs where non-EEA transfers or remote access apply. SOC 2. |
| GitHub | Source code repository and issue/project management | United States / global service | EU-US Data Privacy Framework where applicable; SCCs where required. ISO 27001, SOC 2. Client personal data is never stored in source code repositories. |
Communications and email
| Provider | Role | Location | Transfer mechanism and certifications |
|---|---|---|---|
| Google Workspace | Company email, calendar and document collaboration | United States / global service | EU-US Data Privacy Framework where applicable; SCCs where required. ISO 27001, SOC 1/2/3. |
| AuthSMTP | Transactional and general email delivery | United Kingdom | UK adequacy decision, currently valid until 27 December 2031. |
| Drip | Email marketing and mailing operations for applicable client engagements | United States | EU-US Data Privacy Framework where applicable; SCCs where required. |
AI providers and client architectures
Imageplus distinguishes between its own internal use of AI tools and the AI architectures it designs, builds, integrates or maintains for clients.
For Imageplus internal operations, Imageplus does not submit client personal data or client confidential data to cloud AI services. Where internal AI assistance is required for work involving client personal data or confidential information, Imageplus uses locally hosted or controlled environments designed to keep that data within the Imageplus perimeter.
For client systems, the applicable AI architecture depends on the engagement. Imageplus may design, build or maintain systems using one of three deployment tiers:
Tier 1 · API-based AI services: data is sent to an external model provider on each call.
Tier 2 · Cloud-hosted AI deployments: models run within the client's enterprise cloud boundary, such as Azure OpenAI Service, AWS Bedrock or Google Vertex AI, depending on the selected provider, region and configuration.
Tier 3 · Open-weight, on-premise or sovereign cloud deployments: models run on infrastructure controlled by the client, including on-premise or sovereign cloud environments.
The choice of tier is made as part of the engagement, based on the client's objectives, data sensitivity, regulatory obligations, infrastructure, cost, risk appetite and governance requirements.
Where a client application or automated pipeline uses an external AI provider, that provider is documented in the applicable offer, SLA, statement of work, DPA annex or engagement documentation, together with the relevant data flow, location, transfer mechanism and safeguards.
Such providers are not used in all engagements.
| Provider | Role | Applicable context | Location | Transfer mechanism |
|---|---|---|---|---|
| Anthropic | AI API provider for client applications or pipelines where expressly agreed | Engagement-specific / Tier 1 | United States | EU-US Data Privacy Framework where applicable; SCCs where required. |
| OpenAI | AI API provider for client applications or pipelines where expressly agreed | Engagement-specific / Tier 1 | United States / global service | EU-US Data Privacy Framework where applicable; SCCs where required. |
| Google Gemini / Vertex AI | AI model provider or cloud-hosted AI service where expressly agreed | Engagement-specific / Tier 1 or Tier 2 | United States, global service or client-selected cloud region depending on configuration | EU-US Data Privacy Framework, SCCs, or cloud-provider DPA depending on configuration. |
| AWS Bedrock | Cloud-hosted AI service where expressly agreed | Engagement-specific / Tier 2 | Client-selected AWS region | Existing AWS DPA; SCCs where non-EEA transfers or remote access apply. |
| Azure OpenAI Service | Cloud-hosted AI service where expressly agreed | Engagement-specific / Tier 2 | Client-selected Azure region | Existing Microsoft/Azure DPA; SCCs where non-EEA transfers or remote access apply. |
For processing involving personal data or client confidential data within Imageplus's own operations, locally hosted open-weight models running on Imageplus-controlled infrastructure are used unless otherwise expressly agreed and documented for the engagement.
Full details are available on the AI and data page.
Analytics and tag management
Imageplus does not use analytics or tag management tools on imageplus.be. As stated in our Privacy notice and Cookie notice, this website runs no analytics, tracking or marketing cookies.
Where a client engagement includes analytics or tag management as part of the client-approved architecture, the applicable providers are documented in the engagement's DPA annex, SLA, statement of work or other engagement documentation. Such providers are not used in all engagements. These tools are not strictly necessary and are implemented only where the client has a valid consent mechanism in place.
| Provider | Role | Applicable context | Location | Transfer mechanism |
|---|---|---|---|---|
| Google Analytics (Google Ireland Limited) | Website and application audience measurement, where included in the client-approved architecture | Engagement-specific / client system | Contracted with Google Ireland Limited (EEA); onward processing may involve Google LLC infrastructure outside the EEA | Governed by the Google Ads Data Processing Terms. Processing within an adequate country requires no Chapter V transfer mechanism; onward transfers outside the EEA are covered by EU Standard Contractual Clauses, or an alternative transfer solution where Google has adopted one. |
| Google Tag Manager (Google Ireland Limited) | Tag and script container management for client websites or applications, where included in the client-approved architecture | Engagement-specific / client system | Contracted with Google Ireland Limited (EEA); onward processing may involve Google LLC infrastructure outside the EEA | Governed by the Google Ads Data Processing Terms. Processing within an adequate country requires no Chapter V transfer mechanism; onward transfers outside the EEA are covered by EU Standard Contractual Clauses, or an alternative transfer solution where Google has adopted one. Tags loaded via the container are documented separately for the engagement. |
Sub-processor changes
Imageplus notifies clients of sub-processor additions or replacements with at least 30 days' prior written notice. Clients have the right to object on reasonable grounds relating to data protection within that notice period.
This page is updated to reflect current sub-processors. For change notifications specific to your engagement, refer to your applicable SLA, DPA, statement of work or other engagement documentation.