Sub-Processor Register
The current list of sub-processors we use to deliver our services.
Last updated: 14 April 2026. See also: Privacy Policy.
Hosting Tiers
Each client is assigned a Hosting Tier in their Data Processing Agreement. The tier determines which sub-processors may process their data.
| Tier | Data storage | AI model inference | Default? |
|---|---|---|---|
| Tier 1 — Strict UK | United Kingdom only | United Kingdom only | On request |
| Tier 2 — UK + EEA | United Kingdom only | United Kingdom or European Economic Area | Default for all clients |
| Tier 3 — UK + EEA + US | United Kingdom only | UK, EEA, or named US providers under IDTA/SCCs + UK-US Data Bridge | Opt-in via signed DPA Variation |
Under all tiers, client data is stored in the United Kingdom. Tiers vary only in where AI model inference may occur.
Corporate sub-processors (Clairvynt corporate operations)
These sub-processors process Clairvynt's own corporate data (contacts, invoicing, website). They apply to all clients regardless of tier.
| Sub-processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Microsoft Corporation | Microsoft 365, Entra ID, Azure foundational services | UK / EEA | Microsoft DPA |
| Pinnacle Solutions | Infrastructure management and application support | United Kingdom | Supplier Security Agreement |
| FreeAgent | Accounting, invoicing, payroll | United Kingdom | FreeAgent DPA |
| Cloudflare, Inc. | Website hosting and CDN | UK / EEA edge | Cloudflare DPA + UK Addendum to SCCs |
| Formspree | Website contact form submissions | United States | Formspree DPA + UK Addendum to SCCs + UK-US Data Bridge |
| GitHub, Inc. | Source code hosting and CI/CD (does not process client personal data) | United States | GitHub DPA (no client personal data involved) |
Service sub-processors (client operational data)
These sub-processors process client operational data inside our products. The specific providers used for a given client depend on the Hosting Tier selected in that client's DPA.
Storage (all tiers — United Kingdom only)
| Sub-processor | Purpose | Region | Tiers |
|---|---|---|---|
| Microsoft Azure | Azure SQL Server, AI Search, Blob Storage, Container Apps | UK South | 1, 2, 3 |
AI model inference — Tier 1 (Strict UK)
| Sub-processor | Purpose | Region |
|---|---|---|
| Microsoft Azure OpenAI Service | LLM inference (GPT family) | UK South |
AI model inference — Tier 2 (UK + EEA, default)
| Sub-processor | Purpose | Regions |
|---|---|---|
| Microsoft Azure OpenAI Service | LLM inference (GPT family, o-series, embeddings) | UK South, Sweden Central, France Central, Switzerland North |
| Amazon Web Services (AWS Bedrock) | LLM inference (Anthropic Claude, Mistral, Meta Llama, Amazon Nova) | Frankfurt, Ireland, Paris |
| Mistral AI | LLM inference (Mistral models) | France |
AI model inference — Tier 3 (UK + EEA + US, opt-in only)
All Tier 2 providers above, plus named US-hosted providers specified in the Controller's signed DPA Variation (Schedule B of the DPA). Each US provider is covered by a UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs, and, where applicable, the UK Extension to the EU-US Data Privacy Framework. A Transfer Risk Assessment is maintained for each US provider and available to Controllers on request.
No AI model provider uses client data to train its models. All are bound by zero-retention or equivalent contractual terms.
Authentication and identity
| Sub-processor | Purpose | Location |
|---|---|---|
| Microsoft 365 / Entra ID | User authentication and identity management for client users of our products | UK / EEA |
Where a client deploys a product into their own Azure tenant (DPA Option A), authentication uses the client's own Entra ID and Microsoft is a sub-processor of the client, not Clairvynt.
Change process
- Clairvynt will give affected Controllers at least 30 days' prior written notice of any intended change to sub-processors within their Hosting Tier.
- Controllers may object to a change on reasonable data-protection grounds within the notice period. If no resolution is reached, the Controller may terminate the Principal Agreement in respect of the affected service.
- Addition of a US sub-processor (Tier 3) always requires the Controller to sign a DPA Variation (Schedule B of the DPA). The 30-day notice provision does not apply to Tier 3 additions.
Version history
| Version | Date | Summary |
|---|---|---|
| 1.0 | 14 April 2026 | Initial publication alongside Privacy Policy v1.5 and DPA Template v1.3. Three-tier hosting model introduced. Storage locked to United Kingdom across all tiers. AI inference varies by tier. |
Maintained by Clairvoyant AI Limited, a company registered in Scotland (SC693791).
Questions: privacy@clairvynt.com