Last updated: 2026-05-09. We notify customers at least 15 days before adding a new sub-processor that processes personal data. Customers on a signed DPA may object in writing within 14 days; if we cannot offer an alternative, the customer may terminate the affected service.
Active sub-processors
| Sub-processor | Purpose | Customer data processed | Location | Transfer mechanism |
|---|---|---|---|---|
| Render Services, Inc. | Application + Postgres hosting for app.saneops.in | All customer data on the hosted service: account, alerts, incidents, audit logs, encrypted secrets | Singapore (ap-southeast-1) | EU SCCs (Module 2) flow-down via Render's DPA; UK IDTA where applicable |
| Vercel Inc. | Static marketing site (saneops.in) and edge delivery | IP address + user-agent of website visitors (no account / customer data) | Global edge; primary US | EU SCCs flow-down via Vercel's DPA |
| Stripe, Inc. | Payment processing — applicable from Q3 2026 when paid plans launch | Billing contact, billing address, tax ID, transaction metadata. Card numbers go directly to Stripe and are not seen or stored by Saneops. | US (with regional processing in EU, India, etc., where Stripe supports it) | EU SCCs + UK IDTA via Stripe's DPA; Stripe is a PCI-DSS Level 1 service provider |
| Resend (Resend, Inc.) | Outbound transactional email (signup confirmation, password reset, account notifications) | Recipient email address, email subject + body | US | EU SCCs flow-down via Resend's DPA |
| ImprovMX | Inbound email forwarding for support@saneops.in and similar inboxes | Sender + recipient email address, subject, body of inbound mail | France (EU) | Same-region transfer for EU customers; EU SCCs for non-EU senders |
| GitHub, Inc. | Source code hosting and issue tracking. No customer data is stored in GitHub. | None (Saneops staff identifiers only) | US | N/A — no customer personal data processed |
| Hostinger International, Ltd. | DNS for saneops.in | None (DNS metadata only) | Lithuania (EU) | N/A — no customer personal data processed |
Customer-directed sub-processors (BYOK)
When you configure a third-party LLM provider with your own API key, alert and incident data necessary to generate root-cause analyses is transmitted to that provider at your direction. The relationship is between you and the provider. We list the supported providers for transparency:
| Provider | Role | Location |
|---|---|---|
| Anthropic, PBC | LLM — RCA generation, AI workflow assistant | US |
| OpenAI, L.L.C. | LLM — RCA generation, AI workflow assistant | US |
| Google LLC (Gemini) | LLM — RCA generation | US |
| xAI Corp. (Grok) | LLM — RCA generation | US |
| DeepSeek | LLM — RCA generation | China / per provider |
| Ollama (self-hosted) or any OpenAI-compatible endpoint | LLM — RCA generation | per your deployment |
You should review each provider's terms, DPA, and data-retention posture before configuring it. If you process EU/UK personal data and select a provider with no EU presence, you are responsible for your own transfer mechanism with that provider. Saneops does not interpose its own LLM contract between you and the provider.
Notice and objection
To subscribe to sub-processor change notices, email privacy@saneops.in with the subject "subprocessor notifications". Customers under a signed DPA receive notice automatically.