Legal / Sub-processor List
Sub-processor List
This is the live list of sub-processors that Manthan Intelligence Ltd (“Manthan”) engages to provide its products and services. It is incorporated by reference into every Data Processing Addendum (04_Data_Processing_Addendum_v1_0) and is also published at getmanthan.com/legal/sub-processors.
Changes to this list trigger thirty (30) days’ prior written notice to customers. Customers may object on reasonable data-protection grounds per their DPA.
Current sub-processors
| # | Sub-processor | Service provided | Categories of data processed | Location of processing | Transfer mechanism (if outside UK) |
|---|---|---|---|---|---|
| 1 | DigitalOcean, LLC | Cloud hosting / infrastructure (compute, storage, networking) | All customer data at rest and in compute | London, United Kingdom (LON1 region) | n/a — UK |
| 2 | Anthropic, PBC | LLM inference for product features (Claude Sonnet 4.6, Opus, Haiku) | Customer content passed to the LLM in inference prompts; no retention by Anthropic per Anthropic API terms | United States (provider-managed) | UK IDTA + Transfer Impact Assessment, signed |
| 3 | Stripe Payments Europe Ltd | Payment processing for paid subscriptions | Customer billing info (name, email, billing address, payment method token — no card numbers) | Ireland (EU region) | n/a — adequate (EU) |
| 4 | Cloudflare, Inc. | CDN, DNS, WAF, edge security for getmanthan.com | Website traffic (IPs, request metadata) | Global edge, configurable; UK/EU edge default | UK IDTA + TIA (signed) |
| 5 | Resend, Inc. | Transactional email delivery (sign-in codes, request confirmations, delivery notifications) | Recipient email address, subject, content | EU (Ireland sending region) | UK IDTA + TIA |
| 5a | Google LLC | OAuth sign-in (“Sign in with Google”) and GA4 website analytics (IP-anonymised) | Sign-in: name, email, account identifier. Analytics: usage metadata | United States | UK Extension to the EU-US Data Privacy Framework |
| 5b | LinkedIn Corporation | OAuth sign-in (“Sign in with LinkedIn”) | Name, email, account identifier at authentication | United States | UK Extension to the EU-US Data Privacy Framework |
| 5c | Kit (ConvertKit, Inc.) | Charaka Notes newsletter delivery (explicit opt-in only) | Subscriber email address | United States | UK Extension to the EU-US Data Privacy Framework |
| 6 | GitHub, Inc. | Source code hosting, CI/CD (internal — no customer data) | Engineering data only; no customer Personal Data | United States | Internal-only sub-processor (not customer-facing); excluded from notice obligation |
| 7 | Stripe Identity (if enabled for compliance) | Identity verification | Verified identity info for billing | Ireland / US | EU SCCs (signed) |
Proposed additions (not yet onboarded)
When we engage these (or others), we will give 30 days’ notice before they begin processing customer Personal Data:
- Enrichment APIs (specific provider TBD; ZoomInfo or equivalent) for verified-contact-detail enrichment, customer-specific opt-in only
- Datasource aggregators (e.g. Crunchbase API, sector-news aggregators) for built-in intelligence sources — these process public data only, not customer Personal Data, so technically outside DPA scope, but listed here for transparency
Removed / superseded
None as of 23 May 2026 (v1.0 baseline).
Change-control process
- Engineering proposes a new sub-processor with a written rationale (Sthapati ADR or equivalent).
- Brihaspati performs DPA / sub-processor due-diligence: data-protection adequacy, contractual flow-down feasibility, transfer mechanism, security posture.
- If approved, contract executed with the new sub-processor (including flow-down of Art 28 obligations).
- Brihaspati updates this list, bumps the version, and publishes on getmanthan.com/legal/sub-processors.
- Brihaspati drafts customer-notice email; Mayank reviews and sends to all in-term customers.
- The 30-day notice clock starts from email send date. Sub-processor goes live for customer data only after the clock expires, absent customer objection.
Version history
- v1.0 — 23 May 2026. Baseline list at the time of design-partner launch.
- v1.1 — 12 June 2026. Resend confirmed (Ireland region) as transactional email provider; Google and LinkedIn OAuth sign-in, Kit newsletter delivery and GA4 analytics added for the getmanthan.com portal launch. No in-term customers were processing under a DPA at this date, so the 30-day notice clock was not triggered.