Live Sign in Request a briefing

Legal / Sub-processor List

Version 1.1 · Effective 12 June 2026 · Manthan Intelligence

Status: v1.1 · effective 12 June 2026 · prepared in-house by Manthan Intelligence’s legal function. Review by UK-qualified external counsel is pending; the document will be re-issued on completion. Questions: [email protected].

Sub-processor List

This is the live list of sub-processors that Manthan Intelligence Ltd (“Manthan”) engages to provide its products and services. It is incorporated by reference into every Data Processing Addendum (04_Data_Processing_Addendum_v1_0) and is also published at getmanthan.com/legal/sub-processors.

Changes to this list trigger thirty (30) days’ prior written notice to customers. Customers may object on reasonable data-protection grounds per their DPA.


Current sub-processors

#Sub-processorService providedCategories of data processedLocation of processingTransfer mechanism (if outside UK)
1DigitalOcean, LLCCloud hosting / infrastructure (compute, storage, networking)All customer data at rest and in computeLondon, United Kingdom (LON1 region)n/a — UK
2Anthropic, PBCLLM inference for product features (Claude Sonnet 4.6, Opus, Haiku)Customer content passed to the LLM in inference prompts; no retention by Anthropic per Anthropic API termsUnited States (provider-managed)UK IDTA + Transfer Impact Assessment, signed
3Stripe Payments Europe LtdPayment processing for paid subscriptionsCustomer billing info (name, email, billing address, payment method token — no card numbers)Ireland (EU region)n/a — adequate (EU)
4Cloudflare, Inc.CDN, DNS, WAF, edge security for getmanthan.comWebsite traffic (IPs, request metadata)Global edge, configurable; UK/EU edge defaultUK IDTA + TIA (signed)
5Resend, Inc.Transactional email delivery (sign-in codes, request confirmations, delivery notifications)Recipient email address, subject, contentEU (Ireland sending region)UK IDTA + TIA
5aGoogle LLCOAuth sign-in (“Sign in with Google”) and GA4 website analytics (IP-anonymised)Sign-in: name, email, account identifier. Analytics: usage metadataUnited StatesUK Extension to the EU-US Data Privacy Framework
5bLinkedIn CorporationOAuth sign-in (“Sign in with LinkedIn”)Name, email, account identifier at authenticationUnited StatesUK Extension to the EU-US Data Privacy Framework
5cKit (ConvertKit, Inc.)Charaka Notes newsletter delivery (explicit opt-in only)Subscriber email addressUnited StatesUK Extension to the EU-US Data Privacy Framework
6GitHub, Inc.Source code hosting, CI/CD (internal — no customer data)Engineering data only; no customer Personal DataUnited StatesInternal-only sub-processor (not customer-facing); excluded from notice obligation
7Stripe Identity (if enabled for compliance)Identity verificationVerified identity info for billingIreland / USEU SCCs (signed)

Proposed additions (not yet onboarded)

When we engage these (or others), we will give 30 days’ notice before they begin processing customer Personal Data:

Removed / superseded

None as of 23 May 2026 (v1.0 baseline).


Change-control process

  1. Engineering proposes a new sub-processor with a written rationale (Sthapati ADR or equivalent).
  2. Brihaspati performs DPA / sub-processor due-diligence: data-protection adequacy, contractual flow-down feasibility, transfer mechanism, security posture.
  3. If approved, contract executed with the new sub-processor (including flow-down of Art 28 obligations).
  4. Brihaspati updates this list, bumps the version, and publishes on getmanthan.com/legal/sub-processors.
  5. Brihaspati drafts customer-notice email; Mayank reviews and sends to all in-term customers.
  6. The 30-day notice clock starts from email send date. Sub-processor goes live for customer data only after the clock expires, absent customer objection.

Version history