Sub-processors
Last updated: 15 May 2026
This page is published in English, Hindi, and Marathi. English is the authoritative version; in case of any conflict between translations, the English text prevails.
Need this page in another language? It is also available in any language listed in the Eighth Schedule to the Constitution of India on request — email dpo@cloudshot.io and we will provide a professionally translated copy within 14 working days.
1. Introduction
To deliver the Cloudshot platform, we engage a small number of trusted third-party service providers — known as sub-processors — who process limited personal data on our behalf and strictly on our instructions.
This page lists every sub-processor Cloudshot currently uses, what they do for us, what data they access, and where they process it. It is referenced from our Privacy Notice and Privacy Policy and is kept up to date.
2. What Is a Sub-processor?
Under India's Digital Personal Data Protection Act, 2023, Cloudshot is the Data Fiduciary — we decide why and how your personal data is processed. When we engage another company to help us run the service (for example, to host our servers, send our emails, or process payments), that company is a sub-processor: a vendor acting on our instructions, bound by a written Data Processing Agreement, and not permitted to use your data for any other purpose.
3. Current Sub-processors
The following sub-processors are currently engaged by Cloudshot. Each operates under a written Data Processing Agreement with appropriate contractual safeguards.
| Sub-processor | Category | Purpose | Data Accessed | Processing Location |
|---|---|---|---|---|
| Microsoft Azure | Infrastructure | Primary cloud hosting for the Cloudshot application, databases, and storage. | All customer data stored within the platform (account info, cloud metadata, support records). | Azure North Europe — Dublin, Republic of Ireland (EU) |
| Stripe | Payments | Processing subscription payments and generating invoices for all customers. | Name, email, billing address, card metadata (last 4 digits, brand, expiry). | United States; Ireland (EU) for European customers |
| Google Analytics | Analytics | Measuring website and product usage to improve user experience. Only active with user consent. | IP address, browser type, pages visited, session duration, feature events. | United States |
| Azure Communication Services | Delivering transactional emails (login alerts, billing receipts, password resets). | Name, email address, email body content. | Azure North Europe — Dublin, Republic of Ireland (EU) |
Click a sub-processor name to view their privacy policy.
4. Cross-Border Processing
Primary customer data is stored and processed in the European Union — specifically the Microsoft Azure North Europe region in Dublin, Ireland. This means that, by default, all customer personal data is processed outside India.
Additional sub-processors may process limited data in the United States (Stripe for payments; Google Analytics when you consent to analytics cookies).
Transfers are made only to countries that are not restricted by the Central Government under Section 16 of the DPDP Act. Each transfer is governed by Standard Contractual Clauses or equivalent contractual safeguards.
5. Changes to This List
When we add, replace, or remove a sub-processor:
- This page is updated and the "Last updated" date at the top is revised.
- For material changes (e.g., a new sub-processor in a new jurisdiction, or a sub-processor accessing a new category of personal data), we will notify all customers by email at least 14 days before the change takes effect.
- Customers on our Enterprise plan may object to a new sub-processor by emailing dpo@cloudshot.io within 14 days of notice. If the objection cannot be resolved, the customer may terminate the affected service without penalty.
6. How We Vet Sub-processors
Before engaging any sub-processor, we evaluate:
- Their security certifications (ISO 27001, SOC 2 Type II, PCI-DSS where relevant).
- Their data handling practices and breach notification procedures.
- The jurisdiction in which they process data and whether it is restricted under the DPDP Act.
- Their published privacy policy and contractual willingness to sign a Data Processing Agreement.
Each sub-processor is bound to use your data only for the purposes Cloudshot specifies, to maintain confidentiality and security, and to notify us without undue delay of any personal data breach.
7. Questions
For questions about our sub-processors, or to request a copy of a specific Data Processing Agreement, contact our Grievance Officer: