Euronext Corporate Solutions B.V
Sub-Processor disclosure statement

Processing activities may be undertaken by:

• Intra-group entities operating under a Binding Intra-Group Agreement (“IGA”); and
• External third-party providers engaged in connection with discrete Pass-Through Services or ECS Solution components.

Each Sub-processor is subject to ongoing risk assessments, vendor due diligence, and is required to implement appropriate technical and organisational measures (“TOMs”).

 

2. Definitions

For the purposes of this Statement:

• “Personal Data” has the meaning set forth in the GDPR.
• “Sub-processor” means any third party or ECS affiliate engaged in the processing of Personal Data on behalf of ECS Group clients.
• “Pass-Through Services” means services delivered by third-party vendors directly supporting ECS Solutions under ECS’s control and supervision.
• “IGA” refers to the Binding Intra-Group Agreement among Euronext affiliates governing shared data processing activities.
• “TOMs” refers to technical and organisational measures designed to ensure data security and compliance.

 

3. Intra-Group processing arrangements

3.1 Scope of Processing

The following functional domains may be supported by ECS Group affiliates under the IGA:

• IT services & security: Platform development, systems maintenance, vulnerability management, and threat monitoring.
• Infrastructure management: Cloud provisioning, hosting services, and business continuity.
• Client support operations: Technical support, helpdesk functionality, and interface management.

3.2 Safeguards

All intra-group entities:

• Are contractually bound by the same data protection obligations as ECS Group;
• Operate in accordance with ECS Group’s privacy and security policies, including the ECS Standard;
• Are expressly prohibited from conducting any processing activities beyond those set forth in the DPA or associated Service Agreements.

3.3 Participating intra-group entities

Operational coverage	ECS entity	Processing activities	Jurisdiction
Group-wide	Euronext Corporate Solutions B.V.	IT management, customer support, analytics	Netherlands
Group-wide	Euronext Technologies Unipessoal, LDA	Infrastructure management, security, technical support	Portugal

 

 

 

---

 

4. Third-Party Sub-Processors

 

4.1 iBabs (Board Management Software)

Sub-Processor	Purpose of Processing	Location	Legal Basis	Contractual Safeguards	Transfer Mechanism
CYSO Hosting	Cloud hosting infrastructure	Netherlands (EEA)	Performance of contract	DPA executed	EEA-based processing

 

 

 

4.2 LIABILITYLOG (Compliance Tracking Platform)

Sub-Processor	Purpose of processing	Location	Contractual safeguards	Transfer mechanism
Sinch Sweden AB	SMS delivery for 2FA	Sweden (EEA)	DPA	Sweden; other EU locations*

 

 

 

*While Sweden has been identified as a processing location for the Verification API used, Sinch also lists “EU” as a general processing region for related services. Additional EU locations may apply depending on system routing and redundancy.

 

4.3 INSIDERLOG (Insider List Management Tool)

Sub-Processor	Purpose of Processing	Location	Contractual Safeguards	Transfer Mechanism
Sinch Sweden AB	SMS delivery for 2FA	Sweden (EEA)	DPA	Sweden; other EU locations*
One.com Group AB	Hosting, domain and email services (optional)	Sweden (EEA)	DPA	EEA

 

 

 

 

*While Sweden has been identified as a processing location for the Verification API used, Sinch also lists “EU” as a general processing region for related services. Additional EU locations may apply depending on system routing and redundancy.

 

4.4 TRADELOG (Personal account dealing compliance)

Sub-Processor	Purpose of Processing	Location	Contractual Safeguards	Transfer Mechanism
apirsentralen ASA	Provision CSD Data, storing trading data, authenticating users, providing SMS notifications, second-line support, maintenance, development and security within the TradeLog platform.	Oslo,Norway, France, Portugal, Sweden	DPA	EEA
One.com Group AB	Hosting, domain and email services (optional for clients)	Sweden (EEA)	DPA	EEA

 

4.5 IR.Manager (Investor Relations Management)

Sub-Processor	Purpose of Processing	Hosting Location	Legal Basis	Contractual Safeguards	Transfer Mechanism
IR Soft	Shareholder data, client communications	AWS (Ireland), Microsoft Azure	Legitimate interest	DPA	EEA

 

4.6 Shareholder Analysis (Intra-Group Only)

All Personal Data processed for Shareholder Analysis is exclusively handled by ECS Group affiliates under the IGA. No external Sub-processors are engaged for this purpose.

5. Pass-Through Service Providers

In the course of delivering ECS Solutions, ECS may engage third-party providers to deliver discrete service components. These providers are contractually integrated under the following principles:

• ECS entities may engage such providers only where permitted under the third-party’s terms;
• The same or equivalent data protection and security measures as required by ECS’s DPA apply; and
• Transfer mechanisms align with GDPR standards, including reliance on adequacy decisions or SCCs, where applicable.

6. Governance, Review, and Reservation of Rights

All Sub-processor engagements are subject to ECS Group’s internal vendor risk management framework, including periodic reassessments and ongoing monitoring. ECS Group reserves the right to amend this Statement as necessary to reflect updates in its processing ecosystem or legal obligations.

Any material changes to Sub-processor engagements will be communicated to clients in accordance with the DPA.

7. Contact

Questions regarding this Statement or requests related to data subject rights may be directed to the ECS Group’s Data Protection Officer at:

dpo.ecs@euronext.com 

This Statement was last updated in June 2025 and supersedes any prior disclosures.