Sub-processor List
Effective date: 2026-06-01 Β· Last updated: 2026-06-17
Schedule to the Data Processing Agreement
This Sub-processor List forms a schedule to the Data Processing Agreement ("DPA") between Tourbox Systems Limited (company number 15613075), registered at 125 Freshfield Road, Brighton, England, BN2 0BR ("Tourbox", "we", "us") and the Customer ("you", "Controller").
Capitalised terms not defined here have the meanings given in the DPA.
Current Sub-processors
The following sub-processors are authorised to process personal data on behalf of Tourbox in connection with the provision of the platform:
Core Platform Infrastructure
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Hanko (Hanko GmbH) | Passwordless authentication | Email addresses, user identity, WebAuthn credentials | πͺπΊ EU |
| Northflank (Northflank Ltd) | Infrastructure hosting (API, workers, database, Redis, monitoring) | All platform data | πͺπΊ EU |
| OVHcloud (OVH Groupe SAS) | Object storage (uploaded media, generated PDFs, attachments) | Traveller media, documents, passport images, attachments | π«π· EU (France) |
| Scaleway (Scaleway SAS) | Encrypted off-site backups | Client-side encrypted backup ciphertext only | π«π· EU (France) |
| Cloudflare (Cloudflare, Inc.) | CDN, Pages hosting, DNS, Turnstile bot protection (transit only) | Static assets, IP addresses, form metadata (no data at rest) | π Global |
| Paddle (Paddle.com Market Ltd) | Subscription billing, invoicing, tax compliance (Merchant of Record) | Billing data, organisation details, payment information | π¬π§/πΊπΈ UK/US |
Error monitoring is performed by a self-hosted error-tracking service running on Tourbox's own Northflank (EU) infrastructure; it is not a separate third-party sub-processor, and personal data in error reports is disabled by default.
Email Delivery
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Mailgun (Sinch) | Outbound email delivery | Email addresses, email content | πͺπΊ EU (api.eu.mailgun.net) |
Where an organisation configures its own SMTP server (see Operator-Initiated Integrations), outbound email for that organisation is sent via that operator-controlled server instead.
AI Providers
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Mistral AI (Mistral AI SAS) | Text generation, document OCR, classification (default) | Document content, itinerary/booking text | πͺπΊ EU |
| Jina AI / Elastic | Text and image (multimodal) embeddings | Text and image content submitted for search | πͺπΊ EU |
Tourbox processes UK/EU customer personal data only through EU-based AI sub-processors (Mistral AI and Jina AI). Web-search tooling used by the AI assistant receives only generic, non-identifying queries (no customer names, emails, booking references, or other personal data) and therefore does not process personal data on the Customer's behalf.
Media Processing
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Mux (Mux, Inc.) | Video encoding, storage and signed playback | Video media | πΊπΈ US |
| fal.ai (FAL AI, Inc.) | AI image upscaling, retouch, image-to-video, image edit | Image and video media | πΊπΈ US |
| RunPod (RunPod, Inc.) | GPU vision (object detection, captioning, alt-text) | Image media | πΊπΈ US |
These media sub-processors process uploaded media files (which may contain images of identifiable individuals). They are engaged under a Data Processing Agreement with appropriate transfer safeguards (UK IDTA / EU SCCs).
Maps & Geocoding
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| MapTiler (MapTiler AG) | Maps, geocoding | Location queries, coordinates | π¨π EU-adequate (CH) |
Operator-Initiated Integrations
These sub-processors are only engaged when an authorised operator within the Customer's organisation explicitly connects the relevant integration:
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Vamoos (Vamoos Ltd) | Sync itineraries / travel documents to the Vamoos traveller app | Traveller itineraries and documents | π¬π§ UK |
| Xero (Xero Limited) | Accounting sync (supplier invoices, payments) | Supplier and financial transaction data | π¦πΊ AU/Global |
| Slack (Salesforce, Inc.) | Notifications posted to the operator's workspace | Notification / event-summary content | πΊπΈ US |
| SMTP (operator-configured) | Outbound email via the operator's own mail server | Email addresses, email content | Operator-controlled |
| Google Ads (Google LLC) | Offline conversion upload | Advertising click identifiers, conversions | πΊπΈ US |
| Microsoft Ads (Microsoft Corporation) | Offline conversion upload | Advertising click identifiers, conversions | πΊπΈ US |
| Meta Ads (Meta Platforms, Inc.) | Offline conversion upload | Advertising click identifiers, conversions | πΊπΈ US |
| Felloh (Felloh Ltd) | Payment processing (card / open banking) and reconciliation | Customer name, email, travel dates, booking reference, payment amounts | π¬π§ UK |
Connected Accounts (User-Initiated)
These sub-processors are engaged only when an individual user connects their own account via OAuth:
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Google (Google LLC) | Gmail synchronisation | User mailbox content, identity | πΊπΈ US |
| Microsoft (Microsoft Corporation) | Outlook / Microsoft Graph mail sync | User mailbox content, identity | πΊπΈ US |
| Zoom (Zoom Video Communications, Inc.) | Meeting / call data | Meeting data, participant information | πΊπΈ US |
The Customer (or the relevant user) may disconnect any operator-initiated integration or connected account at any time, at which point data sharing with that sub-processor ceases. No personal data is shared with these sub-processors unless and until the integration is actively enabled.
Some optional integrations do not transmit personal data: stock-image search (Unsplash, Pexels) sends only non-identifying search terms, and the WordPress plugin operates on the operator's own self-hosted site. These are therefore not personal-data sub-processors.
The Felloh Data Processing Agreement is to be confirmed and signed out of band before the payments feature goes live; the entry above is recorded here so the sub-processor list stays complete.
AI Provider Selection
All AI processing of UK/EU customer personal data is performed by EU-based sub-processors. Text generation, OCR and classification use Mistral AI (France); embeddings use Jina AI (Germany / Elastic). US-based AI providers are not used for customer personal data.
Notification of Changes
In accordance with the DPA, Tourbox will provide the Customer with at least 14 days' prior written notice of any intended changes to this Sub-processor List, including the addition or replacement of sub-processors. The Customer may object to such changes as set out in the DPA.
Contact
If you have any questions about this Sub-processor List or our use of sub-processors, please contact us at support@tourbox.com.
This Sub-processor List was last updated on the date shown in the page metadata above. See also our Data Processing Agreement.