Last updated: April 2026
Sanctum uses the following third-party sub-processors to provide the Service. Each sub-processor is bound by a Data Processing Agreement (or equivalent) and appropriate international transfer safeguards where applicable.
Under our Data Processing Agreement, we will give you at least 30 days' notice by email before adding or replacing any sub-processor. If you have any concerns about a sub-processor, contact privacy@sanctum.support.
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Supabase, Inc. | Database hosting and storage | EU | EU Standard Contractual Clauses (incorporated into UK law) |
| Amazon Web Services, Inc. | Encryption key management (AWS KMS) | UK / EU | Data processed in UK/EU region — no international transfer |
| Anthropic, PBC | AI language model processing (Claude) — anonymised message content only | United States | UK International Data Transfer Agreement (IDTA) |
| Twilio Inc. | SMS delivery for appointment reminders and surveys | United States | UK International Data Transfer Agreement (IDTA) |
| Stripe, Inc. | Subscription payment processing (practitioner billing only — no patient data) | United States | UK IDTA / Standard Contractual Clauses |
| Resend, Inc. | Transactional email (notifications, approval alerts) | United States | UK Extension to EU-US Data Privacy Framework (UK-US Data Bridge) + UK Addendum to EU SCCs |
| Whereby AS | Video consultation room hosting | EU / EEA | UK adequacy decision for EEA — no international transfer agreement required |
| Speechmatics (Cantab Research Ltd) | Post-consultation audio transcription — only where explicit recording consent is given | UK | UK-based processing — no international transfer |

Anthropic (Claude AI). Patient message content is anonymised before transmission — patient names and contact details are stripped by our processing layer before any data is sent to Anthropic's API. Anthropic has contractually confirmed that customer data is not used to train AI models. The IDTA ensures Anthropic processes any data it receives to UK GDPR standards.
Stripe. Stripe processes payment information for practitioner subscriptions only. No patient personal data is shared with Stripe.
AWS KMS. Amazon Web Services manages per-practitioner encryption keys in the UK/EU region (eu-west-2 London). No patient data is transferred to the United States for key management purposes.
Whereby. Video consultation rooms are hosted by Whereby AS (Norway), with data stored in Ireland (EU/EEA). The UK's adequacy decision for EEA countries applies — no IDTA is required.
Speechmatics. Audio transcription is performed by Speechmatics (Cambridge, UK) and only occurs where a practitioner has obtained explicit recording consent from the patient. All processing remains in the UK.
We record all changes to our sub-processor list below, in compliance with our obligation to give 30 days' advance notice of additions or replacements.