SGEN Sub-Processors
Last updated: 2026-05-27
SGEN uses a defined set of third-party service providers — sub-processors — to deliver the SGEN platform.
Each sub-processor processes a specific category of data on SGEN's behalf, under a written contract that imposes data-protection obligations no less protective than our Data Processing Addendum.
This page is the authoritative public list.
SGEN updates it when a sub-processor is added, removed, or replaced.
Current sub-processors
| Provider | Purpose of engagement | Categories of data processed | Processing location | Transfer mechanism |
|---|---|---|---|---|
| Google Cloud Platform | Core infrastructure — hosting, storage, networking, and platform identity services for all SGEN-hosted workloads | All service data hosted by SGEN, including account data, customer content, form submissions, ecommerce records, logs, and backups | United States (with regional storage configurable on request) | Standard Contractual Clauses per EU Commission Implementing Decision 2021/914 |
| Stripe | Payment processing, subscription billing, invoicing, and chargeback handling | Billing contact details, subscription status, payment metadata, and tax data. Stripe processes full card details directly under its own PCI-DSS compliance; SGEN does not store or receive full card numbers. | United States | Standard Contractual Clauses per EU Commission Implementing Decision 2021/914 |
| ClickUp | Support operations — ticket storage, routing, and agent workflow for SGEN customer support | Support ticket contents and attachments, contact email address, and subject metadata you submit when you contact SGEN support | United States | Standard Contractual Clauses per EU Commission Implementing Decision 2021/914 |
| Google (Analytics and Business Profile) | Optional dashboard integrations that you authorise from within your SGEN account | Analytics data and Business Profile data — only for the accounts you explicitly connect. SGEN does not receive third-party Google data unless you authorise the connection. | United States | Standard Contractual Clauses per EU Commission Implementing Decision 2021/914 |
How we vet sub-processors
Before engaging any sub-processor, SGEN reviews:
- Contract terms, including data-processing obligations, security commitments, and breach-notice timing.
- The categories of data the sub-processor will process and whether the scope is appropriately limited.
- Transfer mechanisms for data crossing borders — Standard Contractual Clauses per EU Commission Implementing Decision 2021/914 apply as the default.
- Security posture — certifications, audit reports, and public security documentation.
Notification of changes
SGEN provides at least 30 days written notice of material sub-processor changes to account administrators, by:
- Updating this page with the new or modified entry.
- Sending notice to customers who have subscribed to the sub-processor-change mailing list.
Objection mechanism.
Customers under our Data Processing Addendum may object in writing to the appointment of a new sub-processor on reasonable data-protection grounds.
Submit objections to legal@sgen.com within 15 days of our notice.
If SGEN cannot resolve the objection through commercially reasonable alternatives, you may terminate the affected portion of the Services without penalty.
Change-notice subscription
To receive written notice before each sub-processor change, write to legal@sgen.com with the subject line "Sub-processor change notice subscription" and include the account email address you want notices sent to.
International data transfers
All SGEN sub-processors that process data outside the European Economic Area, United Kingdom, or Switzerland operate under Standard Contractual Clauses per EU Commission Implementing Decision 2021/914.
This is the default transfer mechanism across all sub-processor relationships.
A copy of the applicable SCCs is available on request at legal@sgen.com.
Data residency
SGEN currently hosts all workloads on Google Cloud Platform infrastructure in the United States.
Regional storage options may be available for specific tiers.
Customers with regional data-residency requirements should contact legal@sgen.com before subscribing to confirm current availability.
When SGEN adds regional hosting options that affect where Customer Personal Data is stored, the sub-processor table above is updated to reflect the change, and change-notice procedures in the Notification of changes section apply.
Processor-level obligations
Each sub-processor listed on this page operates under a written data-processing agreement with SGEN that requires:
- Processing only on SGEN's documented instructions.
- Implementation of technical and organisational measures appropriate to the risk.
- Notification of any personal-data breach without undue delay.
- Deletion or return of personal data on termination of the sub-processing relationship.
- Compliance with the transfer mechanisms stated in this list.
- No engagement of further sub-processors without SGEN's prior written consent.
Relationship to the DPA
This sub-processor list is referenced in Section 5 of the SGEN Data Processing Addendum.
Customers who have executed the DPA are bound by the objection and termination rights described in DPA Section 6.
Customers who have not executed the DPA retain the right to contact legal@sgen.com with questions about data handling.
Contact
Questions about sub-processors: legal@sgen.com.
Questions about the DPA or international transfers: legal@sgen.com.
Security questions: security@sgen.com.