1. Overview
We use a small set of trusted vendors to host, deliver, and operate the Service. Each one is engaged under a written agreement that includes data-protection obligations consistent with the Data Processing Addendum.
Our default posture is “the fewer hands on customer data, the better.” We do not use advertising networks, analytics providers that profile individual users, marketing-automation platforms that ingest customer data, or third-party AI training providers. Customer Data is not used to train general-purpose models.
2. Current sub-processors
The following vendors are engaged as of the “Last updated” date at the top of this page.
Amazon Web Services (AWS)
aws.amazon.com- Purpose
- Cloud infrastructure hosting the Vectis application, per-tenant databases, and encrypted backups.
- Data categories
- All categories of Customer Data routed through the Service; account and billing data; logs and telemetry.
- Jurisdiction
- United States (us-west-1)
Cloudflare, Inc.
www.cloudflare.com- Purpose
- DNS management, edge CDN for the marketing site, and DDoS protection for the public ingress.
- Data categories
- Request metadata (IP address, user agent, request path); no application payload.
- Jurisdiction
- United States (global edge network)
Stripe, Inc.
stripe.com- Purpose
- Payment processing, subscription billing, invoicing, and tax calculation.
- Data categories
- Billing contact (name, work email, address); payment instrument tokens (Stripe holds card data; Vendor never sees it); subscription and invoice records.
- Jurisdiction
- United States (primary); Ireland and other regions per Stripe’s global infrastructure.
Twilio SendGrid
sendgrid.com- Purpose
- Transactional email delivery (signup confirmations, invoices, security alerts, incident notifications).
- Data categories
- Recipient name and email address; email subject and body content for transactional messages.
- Jurisdiction
- United States
Microsoft 365 (Microsoft Corporation)
www.microsoft.com- Purpose
- Inbound and outbound email for Vectis support, privacy, legal, security, and abuse mailboxes; calendaring; document collaboration internal to Vectis.
- Data categories
- Email correspondence routed to Vectis mailboxes (may include any Personal Data a sender chooses to include).
- Jurisdiction
- United States (primary); Microsoft global infrastructure for high-availability replication.
Functional Software, Inc. (Sentry)
sentry.io- Purpose
- Application error tracking and diagnostic telemetry for the Vectis application.
- Data categories
- Scrubbed stack traces and operational metadata. Personal Data is removed by a server-side scrubber before transmission; no application payload, no credentials.
- Jurisdiction
- United States
Apple Inc.
www.apple.com- Purpose
- Distribution of the Vectis iOS app through the App Store and delivery of push notifications via the Apple Push Notification service (APNs).
- Data categories
- Device push tokens; notification payloads (alert/ticket titles and identifiers used to deep-link the app). No customer records, no credentials.
- Jurisdiction
- United States
Google LLC (Firebase Cloud Messaging & Google Play)
firebase.google.com- Purpose
- Distribution of the Vectis Android app through Google Play and delivery of push notifications via Firebase Cloud Messaging (FCM).
- Data categories
- Device push tokens; notification payloads (alert/ticket titles and identifiers used to deep-link the app). No customer records, no credentials.
- Jurisdiction
- United States
Expo (650 Industries, Inc.)
expo.dev- Purpose
- Mobile build pipeline (EAS) and the Expo push relay that forwards notifications from Vectis to APNs (iOS) and FCM (Android).
- Data categories
- Device push tokens and notification payloads at dispatch time. No customer records, no credentials.
- Jurisdiction
- United States
GitHub, Inc.
github.com- Purpose
- Source code hosting and the GitHub Container Registry (GHCR) where Vectis production container images are published.
- Data categories
- No Customer Data. Vendor source code and CI build artefacts only.
- Jurisdiction
- United States
Northwest Registered Agent, LLC
www.northwestregisteredagent.com- Purpose
- Statutory registered-agent service for Vectis’s legal entity (service of process, state mail). Does not handle Customer Data.
- Data categories
- Vendor legal mail only. No Customer Data.
- Jurisdiction
- United States (Nevada)
3. How we announce changes
When we plan to engage a new sub-processor or materially expand the scope of an existing one, we email the billing and privacy contacts on file at least 30 days before the change takes effect. The notification explains what the sub-processor does, what categories of data it will process, and where processing will occur.
Active customers may object on reasonable data-protection grounds within the notice window. We will work in good faith to address the objection. If we cannot resolve it, the customer may terminate the affected Service component without penalty per Section 6 of the Data Processing Addendum.
4. Connected third-party systems are not sub-processors
The third-party systems Customer connects to the Service — ConnectWise, NinjaOne, Microsoft 365 tenants Customer connects for its own business, and similar — are not Vectis sub-processors. Those systems are controlled by Customer or Customer’s end-customer organisations and processed under their own agreements with the respective providers. Vectis acts on Customer’s direction when reading data from, or writing data to, those systems.
5. Contact
To subscribe to sub-processor change notifications, or to raise a concern about a listed sub-processor, email privacy@mspvectis.com.