Sub-Processor Register
The current list of sub-processors we use to deliver our services.
Last updated: 4 May 2026. See also: Privacy Policy.
Hosting Tiers
Each client is assigned a Hosting Tier in their Data Processing Agreement. The tier determines which sub-processors may process their data.
| Tier | Data storage | AI model inference | Default? |
|---|---|---|---|
| Tier 1 — Strict UK | United Kingdom only | United Kingdom only | On request |
| Tier 2 — UK + EEA | United Kingdom only | United Kingdom or European Economic Area | Default for all clients |
| Tier 3 — UK + EEA + US | United Kingdom only | UK, EEA, or named US providers under IDTA/SCCs + UK-US Data Bridge | Opt-in via signed DPA Variation |

Under all tiers, client data is stored in the United Kingdom. Tiers vary only in where AI model inference may occur.
Corporate sub-processors (Clairvynt corporate operations)
These sub-processors process Clairvynt's own corporate data (contacts, invoicing, website). They apply to all clients regardless of tier.
| Sub-processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Microsoft Corporation | Microsoft 365, Entra ID, Azure foundational services | UK / EEA | Microsoft DPA |
| Pinnacle Solutions | Infrastructure management and application support | United Kingdom | Supplier Security Agreement |
| FreeAgent | Accounting, invoicing, payroll | United Kingdom | FreeAgent DPA |
| Cloudflare, Inc. | Website hosting and CDN | UK / EEA edge | Cloudflare DPA + UK Addendum to SCCs |
| Formspree | Website contact form submissions | United States | Formspree DPA + UK Addendum to SCCs + UK-US Data Bridge |
| GitHub, Inc. | Source code hosting and CI/CD (does not process client personal data) | United States | GitHub DPA (no client personal data involved) |

Service sub-processors (client operational data)
These sub-processors process client operational data inside our products. The specific providers used for a given client depend on the Hosting Tier selected in that client's DPA.
Storage (all tiers — United Kingdom only)
| Sub-processor | Purpose | Region | Tiers |
|---|---|---|---|
| Microsoft Azure | Azure SQL Server, AI Search, Blob Storage, Container Apps | UK South | 1, 2, 3 |

AI model inference — Tier 1 (Strict UK)
| Sub-processor | Purpose | Region |
|---|---|---|
| Microsoft Azure OpenAI Service | LLM inference (GPT family) | UK South |

AI model inference — Tier 2 (UK + EEA, default)
| Sub-processor | Purpose | Regions |
|---|---|---|
| Microsoft Azure OpenAI Service | LLM inference (GPT family, o-series, embeddings) | UK South, Sweden Central, France Central, Switzerland North |
| Amazon Web Services (AWS Bedrock) | LLM inference (Anthropic Claude, Mistral, Meta Llama, Amazon Nova) | London, Frankfurt, Ireland, Paris |
| Mistral AI | LLM inference (Mistral models) | France |

AI model inference — Tier 3 (UK + EEA + US, opt-in only)
All Tier 2 providers above, plus the following named US-hosted provider. Tier 3 routing is only enabled for clients with a signed DPA Variation (Schedule B of the DPA).
| Sub-processor | Purpose | Country | Safeguard |
|---|---|---|---|
| Microsoft Azure OpenAI Service | LLM inference (GPT-5 series, GPT-4o, o-series) | United States | Microsoft Products and Services DPA (April 2025), incorporating 2021 EU SCCs in Attachment 1, plus UK Extension to the EU-US Data Privacy Framework (Microsoft self-certified) |

A Transfer Risk Assessment is maintained for the Tier 3 provider and available to Controllers on request. Clairvynt monitors the status of the UK Extension to the EU-US Data Privacy Framework on a quarterly basis and will pause Tier 3 routing within 7 days of any invalidation, suspension, or loss of certification.
No AI model provider uses client data to train its models. AI providers retain data only as needed to deliver the service, subject to provider-defined safety or abuse-monitoring windows (typically up to 30 days at the provider, accessible only to provider personnel under flagged-content review).
Authentication and identity
| Sub-processor | Purpose | Location |
|---|---|---|
| Microsoft 365 / Entra ID | User authentication and identity management for client users of our products | UK / EEA |

Where a client deploys a product into their own Azure tenant (DPA Option A), authentication uses the client's own Entra ID and Microsoft is a sub-processor of the client, not Clairvynt.
Change process
- Clairvynt will give affected Controllers at least 30 days' prior written notice of any intended change to sub-processors within their Hosting Tier.
- Controllers may object to a change on reasonable data-protection grounds within the notice period. If no resolution is reached, the Controller may terminate the Principal Agreement in respect of the affected service.
- Addition of a US sub-processor (Tier 3) always requires the Controller to sign a DPA Variation (Schedule B of the DPA). The 30-day notice provision does not apply to Tier 3 additions.
Version history
| Version | Date | Summary |
|---|---|---|
| 1.0 | 14 April 2026 | Initial publication alongside Privacy Policy v1.5 and DPA Template v1.3. Three-tier hosting model introduced. Storage locked to United Kingdom across all tiers. AI inference varies by tier. |
| 1.1 | 14 April 2026 | Added AWS Bedrock London (eu-west-2) to Tier 2 AI inference regions. |
| 1.2 | 4 May 2026 | Tier 3 named with one US sub-processor: Microsoft Azure OpenAI Service (under SCCs + UK Extension to EU-US DPF). Tier 3 remains opt-in via signed DPA Schedule B. Quarterly DPF monitoring commitment added. |

Maintained by Clairvoyant AI Limited, a company registered in Scotland (SC693791).
Questions: privacy@clairvynt.com