Sub-processor List

Current list of sub-processors engaged by Tourbox Systems Limited to process personal data under the Data Processing Agreement.

Effective date: 2026-06-01 Β· Last updated: 2026-06-17

Schedule to the Data Processing Agreement

This Sub-processor List forms a schedule to the Data Processing Agreement ("DPA") between Tourbox Systems Limited (company number 15613075), registered at 125 Freshfield Road, Brighton, England, BN2 0BR ("Tourbox", "we", "us") and the Customer ("you", "Controller").

Capitalised terms not defined here have the meanings given in the DPA.

Current Sub-processors

The following sub-processors are authorised to process personal data on behalf of Tourbox in connection with the provision of the platform:

Core Platform Infrastructure

Sub-processorPurposeData ProcessedLocation
Hanko (Hanko GmbH)Passwordless authenticationEmail addresses, user identity, WebAuthn credentialsπŸ‡ͺπŸ‡Ί EU
Northflank (Northflank Ltd)Infrastructure hosting (API, workers, database, Redis, monitoring)All platform dataπŸ‡ͺπŸ‡Ί EU
OVHcloud (OVH Groupe SAS)Object storage (uploaded media, generated PDFs, attachments)Traveller media, documents, passport images, attachmentsπŸ‡«πŸ‡· EU (France)
Scaleway (Scaleway SAS)Encrypted off-site backupsClient-side encrypted backup ciphertext onlyπŸ‡«πŸ‡· EU (France)
Cloudflare (Cloudflare, Inc.)CDN, Pages hosting, DNS, Turnstile bot protection (transit only)Static assets, IP addresses, form metadata (no data at rest)🌍 Global
Paddle (Paddle.com Market Ltd)Subscription billing, invoicing, tax compliance (Merchant of Record)Billing data, organisation details, payment informationπŸ‡¬πŸ‡§/πŸ‡ΊπŸ‡Έ UK/US

Error monitoring is performed by a self-hosted error-tracking service running on Tourbox's own Northflank (EU) infrastructure; it is not a separate third-party sub-processor, and personal data in error reports is disabled by default.

Email Delivery

Sub-processorPurposeData ProcessedLocation
Mailgun (Sinch)Outbound email deliveryEmail addresses, email contentπŸ‡ͺπŸ‡Ί EU (api.eu.mailgun.net)

Where an organisation configures its own SMTP server (see Operator-Initiated Integrations), outbound email for that organisation is sent via that operator-controlled server instead.

AI Providers

Sub-processorPurposeData ProcessedLocation
Mistral AI (Mistral AI SAS)Text generation, document OCR, classification (default)Document content, itinerary/booking textπŸ‡ͺπŸ‡Ί EU
Jina AI / ElasticText and image (multimodal) embeddingsText and image content submitted for searchπŸ‡ͺπŸ‡Ί EU

Tourbox processes UK/EU customer personal data only through EU-based AI sub-processors (Mistral AI and Jina AI). Web-search tooling used by the AI assistant receives only generic, non-identifying queries (no customer names, emails, booking references, or other personal data) and therefore does not process personal data on the Customer's behalf.

Media Processing

Sub-processorPurposeData ProcessedLocation
Mux (Mux, Inc.)Video encoding, storage and signed playbackVideo mediaπŸ‡ΊπŸ‡Έ US
fal.ai (FAL AI, Inc.)AI image upscaling, retouch, image-to-video, image editImage and video mediaπŸ‡ΊπŸ‡Έ US
RunPod (RunPod, Inc.)GPU vision (object detection, captioning, alt-text)Image mediaπŸ‡ΊπŸ‡Έ US

These media sub-processors process uploaded media files (which may contain images of identifiable individuals). They are engaged under a Data Processing Agreement with appropriate transfer safeguards (UK IDTA / EU SCCs).

Maps & Geocoding

Sub-processorPurposeData ProcessedLocation
MapTiler (MapTiler AG)Maps, geocodingLocation queries, coordinatesπŸ‡¨πŸ‡­ EU-adequate (CH)

Operator-Initiated Integrations

These sub-processors are only engaged when an authorised operator within the Customer's organisation explicitly connects the relevant integration:

Sub-processorPurposeData ProcessedLocation
Vamoos (Vamoos Ltd)Sync itineraries / travel documents to the Vamoos traveller appTraveller itineraries and documentsπŸ‡¬πŸ‡§ UK
Xero (Xero Limited)Accounting sync (supplier invoices, payments)Supplier and financial transaction dataπŸ‡¦πŸ‡Ί AU/Global
Slack (Salesforce, Inc.)Notifications posted to the operator's workspaceNotification / event-summary contentπŸ‡ΊπŸ‡Έ US
SMTP (operator-configured)Outbound email via the operator's own mail serverEmail addresses, email contentOperator-controlled
Google Ads (Google LLC)Offline conversion uploadAdvertising click identifiers, conversionsπŸ‡ΊπŸ‡Έ US
Microsoft Ads (Microsoft Corporation)Offline conversion uploadAdvertising click identifiers, conversionsπŸ‡ΊπŸ‡Έ US
Meta Ads (Meta Platforms, Inc.)Offline conversion uploadAdvertising click identifiers, conversionsπŸ‡ΊπŸ‡Έ US
Felloh (Felloh Ltd)Payment processing (card / open banking) and reconciliationCustomer name, email, travel dates, booking reference, payment amountsπŸ‡¬πŸ‡§ UK

Connected Accounts (User-Initiated)

These sub-processors are engaged only when an individual user connects their own account via OAuth:

Sub-processorPurposeData ProcessedLocation
Google (Google LLC)Gmail synchronisationUser mailbox content, identityπŸ‡ΊπŸ‡Έ US
Microsoft (Microsoft Corporation)Outlook / Microsoft Graph mail syncUser mailbox content, identityπŸ‡ΊπŸ‡Έ US
Zoom (Zoom Video Communications, Inc.)Meeting / call dataMeeting data, participant informationπŸ‡ΊπŸ‡Έ US

The Customer (or the relevant user) may disconnect any operator-initiated integration or connected account at any time, at which point data sharing with that sub-processor ceases. No personal data is shared with these sub-processors unless and until the integration is actively enabled.

Some optional integrations do not transmit personal data: stock-image search (Unsplash, Pexels) sends only non-identifying search terms, and the WordPress plugin operates on the operator's own self-hosted site. These are therefore not personal-data sub-processors.

The Felloh Data Processing Agreement is to be confirmed and signed out of band before the payments feature goes live; the entry above is recorded here so the sub-processor list stays complete.

AI Provider Selection

All AI processing of UK/EU customer personal data is performed by EU-based sub-processors. Text generation, OCR and classification use Mistral AI (France); embeddings use Jina AI (Germany / Elastic). US-based AI providers are not used for customer personal data.

Notification of Changes

In accordance with the DPA, Tourbox will provide the Customer with at least 14 days' prior written notice of any intended changes to this Sub-processor List, including the addition or replacement of sub-processors. The Customer may object to such changes as set out in the DPA.

Contact

If you have any questions about this Sub-processor List or our use of sub-processors, please contact us at support@tourbox.com.


This Sub-processor List was last updated on the date shown in the page metadata above. See also our Data Processing Agreement.