Last updated: 20 April 2026
Sub-processors
PatchMon LTD engages the third parties listed below to help deliver PatchMon Cloud. We keep the list short, the roles well-defined, and the processing locations transparent. This page is the authoritative version; we update it whenever a sub-processor is added, removed, or materially changes.
Under our Data Processing Agreement (DPA), each sub-processor is bound by data protection obligations no less protective than those we commit to our customers. PatchMon LTD remains fully liable to customers for the acts and omissions of its sub-processors.
For UK-region customers, Customer Personal Data does not leave the United Kingdom for live Processing. For other regions, processing occurs in the selected region, with appropriate transfer mechanisms (UK IDTA, EU SCCs, or applicable adequacy regulations) for any onward transfers.
Authorised Sub-processors
| Sub-processor | Role | Processing location | Transfer mechanism |
|---|---|---|---|
| IONOS SE (Germany) | Production Infrastructure-as-a-Service for PatchMon Cloud: compute, storage, and network across the Customer's selected region. | Customer-selected region: London (gb/lhr), Frankfurt (de/fra), Paris (fr/par), or Newark (us/ewr). | UK and EEA regions: no transfer mechanism required. US region: UK IDTA + EU SCCs. |
| 9 Technology Group Ltd (United Kingdom) | Disaster recovery site, encrypted offsite backup custody, development and staging environments, Data Protection Officer on contract, incident holding response. ISO/IEC 27001:2022 and ISO 9001:2015 certified (certificate 485922025). | Altham, Lancashire, United Kingdom. | UK only. |
| Stripe Payments Europe Ltd | Payment processing for PatchMon Cloud subscription fees. PatchMon does not store payment card data; Stripe is PCI DSS Level 1 certified. | EU / UK / US per Stripe's Data Processing Addendum. | Stripe's own mechanisms (UK IDTA, EU SCCs, EU-US Data Privacy Framework where applicable). |
| GitHub, Inc. (United States) | Source control, continuous integration, and container registry for PatchMon software artefacts. No Customer Personal Data is stored in GitHub. | United States. | Not applicable for Customer Personal Data. Contributor account data handled under GitHub's DPA. |
| Hiscox Insurance Company Limited (United Kingdom) | Business insurance covering professional indemnity, cyber and data (CyberClear), and crisis containment. Also provides a 24-hour cyber response line. Customer Personal Data may be disclosed on a need-to-know basis during an incident. Underwritten by Hiscox Insurance Company Limited (authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority) and arranged by Hiscox Underwriting Ltd (22 Bishopsgate, London EC2N 4BQ; authorised and regulated by the Financial Conduct Authority). | United Kingdom. | UK only. |
How we notify you of changes
When we intend to add a new sub-processor, replace one, or materially expand an existing sub-processor's role, we give you at least 60 days' written notice. We do this by:
- Updating the list on this page with a new “Last updated” date and a dated entry in the change log below.
- Emailing customers who have subscribed to change notifications (see below).
- Notifying administrators of affected PatchMon Cloud tenants through in-product messaging where practicable.
You may object to a proposed change on reasonable data-protection grounds within 30 days of the notice. If we cannot agree a resolution, you may terminate the affected Services without penalty in accordance with our DPA.
Subscribe to change notifications
Email dataprotection@patchmon.net with the subject “Subscribe to sub-processor change notifications” and we will add you to the notification list.
Change log
- 20 April 2026, Initial publication: First publication of the PatchMon sub-processor list.
Need our DPA or full evidence pack?
Enterprise prospects receive the Data Processing Agreement, Shared Responsibility Matrix, and supporting policies under NDA.