How we process client data.

The client is the data controller. Manthic acts as data processor. Where Manthic engages sub-processors, those parties act as sub-processors to Manthic under back-to-back terms.

Manthic processes operational data necessary to deliver the services. System logs, identity records, configuration metadata, and incident data. We do not process special category data unless explicitly scoped in the Statement of Work.

Current sub-processors:

• Amazon Web Services. Hosting and cloud infrastructure
• Google Workspace. Email and document collaboration
• 1Password. Credential storage
• Sentry. Application error monitoring
• GitHub. Source code hosting

Sub-processor changes are notified to clients 30 days in advance via email.

Manthic maintains technical and organisational measures appropriate to the risk, including:

• Mandatory MFA on all client and internal systems
• Least-privilege access reviewed quarterly
• Encrypted credential storage and rotation
• Annual third-party security review

In the event of a personal data breach affecting client data, Manthic notifies the affected client without undue delay, and in any event within 24 hours of becoming aware of the breach.

Where personal data is transferred outside the UK or EEA, transfers are governed by Standard Contractual Clauses or an equivalent valid transfer mechanism.

Clients may audit Manthic's compliance with this DPA once per calendar year, on 30 days' written notice. Audit findings are addressed within an agreed remediation window.