Sub-processors
Last updated: April 2026 · Maintained under UK GDPR Article 28 and our written sub-processor change-notice commitment
This page lists the categories of sub-processor that may process personal data on behalf of Mando Network Limited, together with the role they perform, the jurisdiction in which personal data is processed, and the legal safeguard we rely on for any transfer outside the United Kingdom. Category-level disclosure is supplemented with the named-vendor register available to regulators and, on request, to customers under a non-disclosure agreement.
Current sub-processors
| Role | Jurisdiction | Safeguard |
|---|---|---|
| Cloud hosting (primary) | United Kingdom | UK processing; DPA in place |
| Cloud hosting (backup) | European Economic Area | UK adequacy decision for EEA |
| Identity verification | United Kingdom / EEA | FCA-recognised IDV; DPA in place |
| Payment processing & card issuance — PaymentProvider Payments UK Ltd | United Kingdom | UK processing; FCA FRN 900461 |
| Payment processing — PaymentProvider Payments Europe Ltd | Republic of Ireland | UK adequacy decision for EEA |
| PaymentProvider, Inc. (affiliate hosting) | United States | UK IDTA to EU SCCs + UK Extension to EU-US Data Privacy Framework |
| Transactional email delivery | United Kingdom / EEA | UK/EEA processing; DPA in place |
| SMS / voice messaging | United Kingdom / EEA | UK/EEA processing; DPA in place |
| Error tracking & application performance monitoring | EEA | UK adequacy decision for EEA; PII scrubbing enabled |
| Sanctions data — HM Treasury OFSI | United Kingdom | UK Government open data (OGL v3.0); no personal data sent outbound |
| Push notifications — Apple APNs | United States | UK IDTA to EU SCCs; Apple-managed UK Extension to EU-US DPF; opaque device token only, no PII |
| Push notifications — Google FCM | United States | UK IDTA to EU SCCs; Google-managed UK Extension to EU-US DPF; opaque device token only, no PII |
Change-notice commitment
Where we intend to engage a new sub-processor or change the scope of an existing engagement in a way that materially affects the processing of your personal data, we will update this page before the change takes effect. Business-Account customers can subscribe to written change-notifications by writing to dpo@mando.network.
Article 28 warranties
Every sub-processor is engaged under a written contract that imposes the same data-protection obligations set out in our Privacy Policy, including confidentiality, security, on-site access controls, sub-processor restrictions, assistance with data-subject requests, personal-data-breach notification within 24 hours, and secure deletion on termination. We audit high-risk sub-processors at least once a year.
Exercising your rights
Any question about this register, or a formal request under UK GDPR Articles 13 to 22 directed at any of our sub-processors, can be sent to our Data Protection Officer at dpo@mando.network.
Payment services provided by PaymentProvider Payments UK Ltd, authorised by the Financial Conduct Authority as an Electronic Money Institution (FRN 900461). Card issuance by PaymentProvider Issuing.