Sub-processors — PatchPilot

        Note: this sub-processor list is currently in template form pending external solicitor review (target: post-launch).
      

PatchPilot Ltd engages the following Sub-processors to deliver the service. Controllers are notified of changes at least 30 days in advance per the DPA clause 8.

Active Sub-processors

Sub-processor	Purpose	Data location	Notification window
OVH SAS	Primary hosting (control plane, tenant DB, encrypted backup storage). All Controller tenant data at rest.	United Kingdom (OVH UK region) EU/UK	30 days
Stripe Payments UK Ltd	Subscription billing for paid tiers. Holds billing contact, invoice address, and Stripe-vaulted card token (PatchPilot never sees PAN).	United Kingdom + United States (UK-US Data Bridge / IDTA) UK / US	30 days
Resend	Transactional email transport (account verification, password reset, security alerts) when the Controller has not configured their own SMTP relay.	European Union EU	30 days

Not Used

PatchPilot deliberately does not use:

Analytics / telemetry SaaS — no Google Analytics, Segment, Mixpanel, PostHog, Sentry SaaS, or equivalent. All product telemetry stays on PatchPilot infrastructure.
Email marketing SaaS — no Mailchimp, SendGrid marketing, or similar for customer comms.
Third-party CDN for app assets — app shell is served from the OVH origin.
Customer data warehouses — no BigQuery, Snowflake, or Redshift export of Controller data.

Transactional Email Options

Controllers may pick one of two paths during setup:

Customer-provided SMTP (default recommendation) — the Controller configures their own SMTP relay (Microsoft 365, Google Workspace, self-hosted Postfix). PatchPilot stores the SMTP credentials in a systemd EnvironmentFile with 0600 permissions. No third-party ESP involved.
PatchPilot-managed transport via Resend (above) for customers without their own SMTP.

Change Notifications

If we plan to add or replace a Sub-processor we will notify Controllers at least 30 days in advance via in-app notice and email to billing/security contacts on file. Controllers may object within 14 days; unresolved objections give the Controller a right to terminate the affected service per DPA clause 8.

Change History

Date	Change
2026-04-26	Public list published. Resend added as transactional email Sub-processor.
2026-04-24	Initial v1.0 list drafted (internal).

Contact

To object to a Sub-processor change or for any other Sub-processor enquiry, contact legal@patchpilot.co.uk.