SGEN Sub-processors

Last updated: 2026-06-24 · Maintained by: SGEN Legal + DevOps

This page is the authoritative list of sub-processors SGEN engages to deliver its services. It is referenced in the Data Processing Agreement (DPA) Section 6.

A sub-processor is a third party to whom SGEN transfers personal data to carry out processing on the customer's behalf. SGEN remains liable for sub-processor compliance with the obligations in the DPA.


How this list works

This is a live list. SGEN maintains it as the single source of truth for sub-processor disclosure.

When SGEN adds a new sub-processor or materially changes the role of an existing one:

  • SGEN notifies customers in writing before the change takes effect (see DPA Section 6.3 for the notice period).
  • This page is updated at the same time as the notification.
  • Customers who have signed the DPA and object to a new sub-processor may follow the process in DPA Section 6.3.

Current sub-processors

Sub-processorRolePersonal data accessedPrimary regionCertification
Amazon Web Services (AWS)Cloud infrastructure — compute, storage, databases, backupsAll customer data stored on the SGEN platformISO 27001, SOC 2 Type II, GDPR DPA available
StripePayment processingBilling data: cardholder name, card details, billing addressUnited States (with EU adequacy / SCCs in place)PCI DSS Level 1, SOC 2 Type II
Twilio SendGridTransactional email delivery (account notifications, password reset, billing receipts)Email address, name, email content metadataUnited States (SCCs in place)ISO 27001, SOC 2 Type II
Cloudfront / CDN providerContent delivery network — static asset delivery to end usersIP addresses, request metadataGlobal edge nodes — see provider's DPA for regional breakdown

Transfer mechanisms

For each sub-processor operating outside the EEA, SGEN has a transfer mechanism in place:

Transfer mechanismApplies to
Standard Contractual Clauses (SCCs) — EU Commission Implementing Decision (EU) 2021/914Sub-processors in the United States and other non-adequacy countries
EU adequacy decisionSub-processors in countries with a current adequacy decision (see European Commission's published list)

Scope note — what is not a sub-processor

The following categories of third party are not sub-processors under this list:

  • Customer integrations: Third-party services that the customer directly connects to SGEN (e.g., the customer's own CRM, analytics account, or email marketing platform). The customer acts as controller for those integrations and should review the relevant third party's own DPA.
  • Professional services vendors: Law firms, accountants, or other professional advisors acting under their own confidentiality obligations and not processing personal data on SGEN's instruction in the course of service delivery.

If you have a question about whether a specific integration constitutes a sub-processor relationship, contact privacy@sgen.com.


Notification register

Customers who wish to be notified of sub-processor changes automatically can manage their notification preferences in dashboard.sgen.com under Account → Privacy.

Alternatively, request email notification by contacting privacy@sgen.com.


Example use case

Your organisation signs up for SGEN and launches an online store. Your customer order records (name, email, shipping address) are stored on SGEN's infrastructure — processed by AWS as a sub-processor — and payment card data is handled by Stripe. Your organisation is the data controller for this data. SGEN is the processor. AWS and Stripe are sub-processors. SGEN's DPA with your organisation covers all three layers.


Related documents

DocumentPurpose
GDPR Posture StatementSGEN's overall GDPR position
Data Processing AgreementContract governing processor relationship
Data ResidencyWhere data is stored by region

This page is reviewed and updated whenever SGEN's sub-processor arrangements change. The canonical version is maintained at docs.sgen.com.