Sub-processors — PatchPilot

        Note: this sub-processor list is currently in template form pending external solicitor review (target: post-launch).
      

PatchPilot Ltd engages the following Sub-processors to deliver the service. Controllers are notified of changes at least 30 days in advance per the DPA clause 8.

Active Sub-processors

Sub-processor	Purpose	Data location	Notification window
OVH SAS	Primary hosting (control plane, tenant DB, encrypted backup storage). All Controller tenant data at rest.	United Kingdom (OVH UK region) EU/UK	30 days
Stripe Payments UK Ltd	Subscription billing for paid tiers. Holds billing contact, invoice address, and Stripe-vaulted card token (PatchPilot never sees PAN).	United Kingdom + United States (UK-US Data Bridge / IDTA) UK / US	30 days
Microsoft Ireland Operations Limited (Microsoft 365 / Graph API)	Outbound transactional email transport (account verification, password reset, billing receipts, security alerts) via authenticated Microsoft Graph `Mail.Send`. Mailbox: `noreply@patchpilot.co.uk`. Stores message envelope and body in PatchPilot's own M365 tenant for delivery, then short-term retention per Microsoft retention policy.	European Union (Microsoft EU Data Boundary) EU	30 days
Amazon Web Services EMEA SARL (AWS Bedrock)	Inference for the optional AI assistant features (e.g. summarisation, suggested remediation). Only prompts the Controller or its end-user explicitly submits are sent. No raw device telemetry, credentials, secrets, or PII fields are forwarded. Anthropic, as Bedrock model provider, processes prompts on AWS infrastructure under AWS's sub-processor controls and does not retain prompts for model training.	United Kingdom (`eu-west-2`, London) UK	30 days

Not Used

PatchPilot deliberately does not use:

Analytics / telemetry SaaS — no Google Analytics, Segment, Mixpanel, PostHog, Sentry SaaS, or equivalent. All product telemetry stays on PatchPilot infrastructure.
Email marketing SaaS — no Mailchimp, SendGrid marketing, or similar for customer comms.
Third-party CDN for app assets — app shell is served from the OVH origin.
Customer data warehouses — no BigQuery, Snowflake, or Redshift export of Controller data.

Transactional Email Options

Controllers may pick one of two paths during setup:

Customer-provided SMTP (default recommendation) — the Controller configures their own SMTP relay (Microsoft 365, Google Workspace, self-hosted Postfix). PatchPilot stores the SMTP credentials in a systemd EnvironmentFile with 0600 permissions. No third-party ESP involved.
PatchPilot-managed transport via Microsoft Graph (above) for customers without their own SMTP. Outbound mail is sent from noreply@patchpilot.co.uk in PatchPilot's M365 tenant.

Change Notifications

If we plan to add or replace a Sub-processor we will notify Controllers at least 30 days in advance via in-app notice and email to billing/security contacts on file. Controllers may object within 14 days; unresolved objections give the Controller a right to terminate the affected service per DPA clause 8.

Change History

Date	Change
2026-05-12	Resend removed; Microsoft Ireland Operations (M365 Graph) added as transactional email Sub-processor. AWS EMEA SARL (Bedrock, eu-west-2) added for optional AI assistant inference.
2026-04-26	Public list published. Resend added as transactional email Sub-processor.
2026-04-24	Initial v1.0 list drafted (internal).

Contact

To object to a Sub-processor change or for any other Sub-processor enquiry, contact legal@patchpilot.co.uk.