Sub-Processor Disclosure

(Arviteni Ltd t/a “Nannoux”)
Last updated: [INSERT DATE]

Why we publish this list
When we act as a Data Processor under the UK GDPR, we must identify any third-party service providers that may handle Client Data on our behalf. We keep the roster deliberately small and aim to choose UK-hosted options first whenever feasible.

Notification of changes
Routine updates – We will post additions or removals here at least 14 days before a new sub-processor starts handling Client Data.
Urgent replacements – If continuity demands an immediate change (e.g. data-centre outage) we’ll inform customers as soon as reasonably practicable.
You may object in writing within the 14-day window; we’ll work with you in good faith to find an alternative or, if needed, provide a data export and let you terminate the affected service.

Current sub-processors
Microsoft Ireland Operations Ltd.
• Function: Azure & Microsoft 365 (staff email, Teams, internal documents)
• Primary region(s): UK South & UK West
• Typical data exposed: support tickets, project docs, user emails
FreeAgent Central Ltd.
• Function: Accounting & invoicing
• Primary region(s): AWS London (UK)
• Typical data exposed: billing contact details, invoices, payment references
Twilio Ireland Ltd.
• Function: SMS / voice API for multi-factor authentication and alerts
• Primary region(s): EU cluster (Frankfurt & Dublin) with encrypted fail-over to US
• Typical data exposed: phone numbers, one-time-password metadata
Contabo GmbH
• Function: Secondary server hosting and off-site snapshots
• Primary region(s): London (UK) & Falkenstein (Germany)
• Typical data exposed: encrypted server images
Civo Ltd.
• Function: Primary Kubernetes hosting for the Clara AI production service
• Primary region(s): London (UK-LON-1)
• Typical data exposed: Clara application data, runtime logs
Stripe Payments Europe Ltd.
• Function: Online card-payment processing
• Primary region(s): Dublin (primary) with encrypted replication to US
• Typical data exposed: billing email, last-4 card digits, charge IDs
Google LLC (Google Analytics 4)
• Function: Pseudonymous website analytics
• Primary region(s): EU processing, aggregated reporting in US
• Typical data exposed: truncated IP addresses, device/browser information
Microsoft Clarity (Microsoft Ireland)
• Function: Session-replay and heat-map analytics (consent-based)
• Primary region(s): EU cluster with storage in Netherlands
• Typical data exposed: mouse movements, on-page events, truncated IP addresses
Eleven Labs Inc.
• Function: Speech synthesis / voice-cloning API for conversational AI agents
• Primary region(s): US East (Virginia) by default. European data-residency is an Enterprise-only feature and is not enabled on our current (self-serve) plan
• Typical data exposed: text prompts, voice recordings or transcripts submitted for synthesis, generated audio, request metadata (IP, timestamps)

Optional / customer-enabled integrations
Nannoux automations can connect to third-party SaaS tools you choose (e.g. Salesforce, Xero, HubSpot). When you enable such connectors, those vendors act as your processors or controllers, not Nannoux sub-processors. You are responsible for reviewing their privacy terms and any cross-border data transfers.