1. Scope and control

Saont™ uses a limited number of infrastructure providers to operate, secure, and deliver the Service. Each provider is subject to contractual data protection obligations and is restricted to defined processing purposes only.

All subprocessors are selected based on security, necessity, and operational integrity. Saont™ does not permit subprocessors to use personal data for their own independent purposes where acting as processors.

2. Role classification

Each provider operates under one of the following roles:

  • Subprocessor: processes personal data strictly on behalf of Saont™
  • Independent controller: processes data under its own legal obligations
  • Mixed role: acts as both depending on function

3. Authorised subprocessors

Cloudflare, Inc.

Role: Subprocessor
Purpose: Security, CDN, DNS, traffic filtering
Data: IP address, request metadata, device data
Location: Global (incl. US)
Safeguards: UK IDTA / SCCs with UK Addendum

Render Services, Inc.

Role: Subprocessor
Purpose: Application hosting
Data: Operational data, logs, identifiers
Location: United States
Safeguards: UK IDTA / SCCs

MongoDB Atlas

Role: Subprocessor
Purpose: Database hosting
Data: Account, audit logs, operational data
Location: EEA (Ireland)
Safeguards: EEA hosting + contractual controls

Clerk, Inc.

Role: Subprocessor
Purpose: Authentication
Data: Session data, identifiers
Location: United States
Safeguards: UK IDTA / SCCs

Stripe, Inc.

Role: Mixed (Processor + Independent Controller)
Purpose: Billing and payment processing
Data: Billing identifiers, transaction data
Location: Global
Safeguards: Regulatory + contractual safeguards

Google LLC

Role: Independent Controller
Purpose: Email infrastructure
Data: Email metadata and content
Location: Global
Safeguards: UK IDTA / SCCs

Postmark

Role: Subprocessor
Purpose: Transactional email delivery
Data: Email address, message metadata
Location: United States
Safeguards: UK IDTA / SCCs

4. International transfers

Where personal data is transferred, accessed, routed, processed, stored, supported, backed up, replicated, secured, or otherwise handled outside the United Kingdom or European Economic Area, Saont™ applies safeguards required by applicable data protection law.

Such safeguards may include the UK International Data Transfer Agreement (IDTA), the UK Addendum to the European Commission Standard Contractual Clauses, adequacy regulations, contractual protections, technical safeguards, organisational safeguards, security measures, or other legally recognised transfer mechanisms.

International transfers may occur through authorised subprocessors, infrastructure providers, hosting providers, authentication providers, email providers, security providers, payment providers, support providers, backup systems, resilience systems, or other providers used in connection with the operation, security, maintenance, support, or delivery of the Service.

Processing locations, routing paths, storage locations, support locations, backup locations, resilience arrangements, and infrastructure configurations may change over time as operational, legal, security, regulatory, technical, or business requirements evolve.

5. Change management

Saont™ may add, remove, replace, suspend, restrict, reclassify, consolidate, separate, relocate, or otherwise modify subprocessors, provider roles, processing activities, processing locations, safeguards, infrastructure arrangements, support arrangements, security arrangements, or related operational details from time to time.

Changes may occur for security, legal, regulatory, contractual, technical, operational, commercial, resilience, availability, incident-response, fraud-prevention, abuse-prevention, business-continuity, infrastructure, sanctions, acquisition, divestment, provider-retirement, provider-termination, or other legitimate business reasons.

Changes may be reflected on this page, within the Saont™ Data Processing Agreement, within the Privacy Policy, through customer communications, or through other reasonable notification mechanisms determined by Saont™.

Nothing on this page constitutes a guarantee regarding the continued availability, functionality, location, legal status, regulatory status, operational behaviour, security posture, pricing, infrastructure, certifications, processing locations, or continued use of any provider.

6. Restrictions

Where acting as subprocessors on behalf of Saont™, providers are contractually required, to the extent applicable, to:

  • process personal data only for authorised purposes connected with the Service;
  • process personal data only in accordance with applicable contractual obligations and documented instructions;
  • maintain appropriate confidentiality obligations;
  • implement appropriate technical and organisational security measures;
  • restrict access to authorised personnel with a legitimate need to know;
  • assist with applicable data protection obligations where required;
  • implement appropriate safeguards for international transfers where required; and
  • comply with applicable contractual, legal, regulatory, and security requirements relating to the services they provide.

The specific obligations applicable to any provider may vary depending on the provider's role, services, regulatory obligations, technical function, and contractual relationship with Saont™.

6A. Customer authorisation and international use

By using the Service, the Customer authorises Saont™ to use the subprocessors and provider roles listed on this page for the purposes described. This authorisation applies to processing connected with Saont Client Workspaces™, Saont Website Governance™, Saont Approval Workflows™, Saont Audit Trail™, Saont Team & Access™, Saont Operational Dashboards™, Saont Billing Infrastructure™, authentication, hosting, email delivery, support, security, and related service operations.

Customers using the Service internationally, or using the Service for Client Organisations outside the United Kingdom, acknowledge that subprocessors and independent providers may process data in multiple jurisdictions depending on routing, infrastructure, support, security, billing, email, and resilience requirements.

6B. Provider role limits

Role classifications are provided for transparency and may vary depending on the specific function used, provider terms, regulatory obligations, and technical configuration. Where a provider acts as an independent controller, Saont™ does not control that provider’s independent legal obligations, mandatory processing, fraud checks, payment compliance, abuse prevention, security monitoring, tax handling, or regulatory disclosures.

6C. Emergency replacement and protective changes

Saont™ may add, replace, suspend, restrict, or change a provider without prior notice where necessary for security, availability, incident response, legal compliance, abuse prevention, infrastructure failure, provider termination, sanctions, payment integrity, service continuity, or urgent operational reasons. Saont™ will update this page within a reasonable period where a material change is made.

6D. No guarantee of provider continuity

Saont™ does not guarantee the continued availability, continuity, suitability, functionality, security, legal status, regulatory status, commercial availability, geographic availability, pricing, infrastructure, services, terms, policies, processing locations, certifications, or operational behaviour of any subprocessor, provider, infrastructure partner, independent controller, or third-party service.

Providers may modify, suspend, discontinue, replace, retire, relocate, restrict, or otherwise change their services, infrastructure, processing locations, features, security measures, legal terms, privacy practices, or operational behaviour at any time. Saont™ may respond to such changes by implementing alternative providers, alternative safeguards, alternative infrastructure arrangements, or other operational measures.