Sub-Processor Register

Last updated: 9 April 2026

This Sub-Processor Register identifies all third-party service providers ("Sub-Processors") engaged by Manaia Tech ("Manaia", "we", "us") to process personal data on behalf of our customers ("Controllers") in connection with the Manaia home cybersecurity platform.

Legal Basis: This register is maintained in accordance with GDPR Article 28(2)(d), GDPR Article 28(3)(a), and the Australian Privacy Act 1988 (APP 8).

Notification of Changes: Customers will be notified of any additions or changes to this register via email to the registered account email address.

Objection Period: Customers have 30 days from notification to object to a new Sub-Processor on reasonable data protection grounds (see Data Processing Agreement, Section 5.4).

Primary Infrastructure

Amazon Web Services, Inc. (AWS)

Location: United States (headquarters); services primarily in Australia (ap-southeast-2, Sydney region)
Processing Activities: Cloud infrastructure hosting, data storage, compute, email delivery, encryption key management
Personal Data Categories: All categories processed by the Service (see DPA Section 4.1)
Data Transfer Mechanism: AWS Standard Contractual Clauses (SCCs); AWS Data Processing Addendum
Certifications: ISO 27001, SOC 2 Type II, PCI DSS Level 1
Details:
  • Amazon RDS (PostgreSQL) — Primary database for user accounts, profiles, devices, subscriptions
  • Amazon DynamoDB — IOC (Indicator of Compromise) storage for threat intelligence
  • Amazon ElastiCache (Redis) — Bloom filters for threat detection, API caching
  • Amazon S3 — Threat intelligence archival, GDPR export files, static assets
  • AWS Lambda — Serverless compute for all backend services
  • Amazon Cognito — User authentication, password management
  • AWS KMS — Encryption key management for PII envelope encryption
  • Amazon SES — Transactional email delivery
  • Amazon CloudFront — CDN for frontend delivery
  • Amazon ECS — DNS resolver container orchestration

Stripe, Inc.

Location: United States (headquarters); global infrastructure
Processing Activities: Payment processing, subscription billing, invoicing
Personal Data Categories: Email address, payment card information (not accessible to Manaia), billing address, transaction history
Data Transfer Mechanism: Stripe Standard Contractual Clauses (SCCs); Stripe Data Processing Agreement
Certifications: PCI DSS Level 1, SOC 2 Type II
Details:
  • Stripe processes all payment transactions on behalf of Manaia
  • Manaia does not have access to credit card numbers or CVV codes (tokenized via Stripe Checkout)
  • Billing data retained by Stripe for 7 years to comply with Australian tax law

Email & Communications

Amazon SES (Simple Email Service)

Location: United States (SES endpoints); email metadata may transit US infrastructure
Processing Activities: Transactional email delivery, bounce/complaint tracking
Personal Data Categories: Email addresses, email content (verification codes, password reset links, notifications)
Data Transfer Mechanism: AWS Standard Contractual Clauses (SCCs)
Certifications: ISO 27001, SOC 2 Type II
Details:
  • Account verification and password reset emails
  • Security alerts and subscription notifications
  • GDPR data export download links
  • Daily/weekly activity reports

Twilio, Inc.

Location: United States (headquarters); global infrastructure
Processing Activities: Voice call delivery for critical security alerts (Guardian Pro plan)
Personal Data Categories: Phone numbers (verified, masked in logs), voice call metadata (timestamp, duration, status)
Data Transfer Mechanism: Twilio Data Processing Agreement; Standard Contractual Clauses (SCCs)
Certifications: SOC 2 Type II, ISO 27001
Details:
  • Voice call alerts for critical and high-severity threat events (Guardian Pro only)
  • Phone numbers stored encrypted at rest in Manaia systems; sent to Twilio only at time of call
  • Rate limited to maximum 1 call per 4 hours per household
  • Call status webhooks validated via HMAC-SHA1 signature verification

Apple Inc. (Apple Push Notification service)

Location: United States (headquarters); global infrastructure
Processing Activities: Push notification delivery to iOS devices
Personal Data Categories: Device push tokens (opaque, Apple-managed), notification content (threat type, severity)
Data Transfer Mechanism: Apple Developer Program License Agreement
Certifications: ISO 27001, SOC 2 Type II
Details:
  • Push tokens are device-specific and rotated by Apple — they cannot identify a user without access to Manaia systems
  • Notification content includes threat type and severity only — no PII, browsing history, or account data

Google LLC (Firebase Cloud Messaging)

Location: United States (headquarters); global infrastructure
Processing Activities: Push notification delivery to Android devices
Personal Data Categories: Device push tokens (opaque, Google-managed), notification content (threat type, severity)
Data Transfer Mechanism: Google Cloud Data Processing Amendment
Certifications: SOC 2 Type II, ISO 27001
Details:
  • FCM tokens are device-specific and managed by Google — they cannot identify a user without access to Manaia systems
  • Notification content includes threat type and severity only — no PII, browsing history, or account data

AI Processing

Anthropic PBC (via Amazon Bedrock)

Location: United States (Anthropic headquarters); processing via AWS Bedrock in ap-southeast-2 (Sydney) where available
Processing Activities: AI-powered safety insights, risk scoring, conversation starters for parents, threat analysis, and interactive chat assistant
Personal Data Categories: Aggregated household statistics (query counts, threat counts, blocked categories), profile metadata (age group, relationship type), threat event summaries. No raw DNS query logs, email addresses, names, or device identifiers are sent.
Data Transfer Mechanism: AWS Bedrock Data Processing Agreement; Anthropic Terms of Service (API usage — no training on customer data)
Certifications: SOC 2 Type II (Anthropic); ISO 27001, SOC 2 Type II (AWS Bedrock)
Details:
  • Daily safety insights generation — aggregated threat statistics and behavioural patterns (Guardian Pro)
  • Weekly narrative summaries — household activity overview (Guardian and above)
  • Conversation starters — AI-generated discussion prompts for parents about online safety (Guardian and above)
  • Risk scoring — deterministic 0-100 score per profile based on daily query statistics
  • Interactive chat assistant — streaming AI responses for security questions and account guidance
  • All inputs are pre-processed through PII redaction before being sent to AI models
  • Anthropic does not use API inputs to train models (per Anthropic API Terms)

Breach Monitoring

Troy Hunt (Have I Been Pwned)

Location: Australia (operator); API infrastructure global (Cloudflare)
Processing Activities: Email address breach monitoring — checks whether user-provided email addresses appear in known data breaches
Personal Data Categories: Email addresses (sent individually via authenticated API call)
Data Transfer Mechanism: HIBP API Terms of Use; data minimisation (single email per request, no bulk export)
Certifications: N/A (independent security researcher service)
Details:
  • Available on Guardian, Guardian Pro, and Grandparent Shield plans only
  • Users explicitly add email addresses to monitor — not automatic
  • HIBP returns breach metadata (breach name, date, data classes) — not the breached data itself

Error Monitoring

Functional Software Inc. (Sentry)

Location: United States (Sentry cloud); Android app uses self-hosted Sentry in AWS ap-southeast-2 (Sydney)
Processing Activities: Application error tracking and performance monitoring
Personal Data Categories: Error stack traces, function names, runtime metadata, device model, OS version. No PII (email, names, customer data) is sent to Sentry.
Data Transfer Mechanism: Sentry Data Processing Agreement
Certifications: SOC 2 Type II
Details:
  • Backend services use Sentry cloud (US) — error stack traces and Lambda metadata only
  • Android app uses self-hosted Sentry in AWS ap-southeast-2 (data stays in Australia)
  • No PII transmitted — error data contains only operational metadata
  • DSN-gated: crash reporting is disabled if Sentry DSN is not configured

Threat Intelligence Feed Providers

Important:

Threat intelligence feeds do not receive any personal data from Manaia. Data flows are unidirectional: Manaia fetches threat indicators from feed providers; no user data is sent to feed providers.

abuse.ch (URLhaus & ThreatFox)

Location: Switzerland
Processing Activities: Provision of malware distribution URL lists and domain-based threat indicators
Personal Data Categories: None (no user data transmitted)

OpenPhish LLC

Location: United States
Processing Activities: Provision of phishing URL feed
Personal Data Categories: None (no user data transmitted)

CIRCL — Computer Incident Response Center Luxembourg

Location: Luxembourg
Processing Activities: Provision of MISP OSINT threat intelligence feed
Personal Data Categories: None (no user data transmitted)

Hagezi DNS Blocklists

Location: Germany (GitHub CDN: global)
Processing Activities: Provision of threat intelligence and malicious domain blocklists
Personal Data Categories: None (no user data transmitted)

AT&T Cybersecurity (AlienVault OTX)

Location: United States
Processing Activities: Provision of community-sourced threat intelligence indicators
Personal Data Categories: None (no user data transmitted)

TLS Certificate Authority

Internet Security Research Group (ISRG) — Let's Encrypt

Location: United States
Processing Activities: TLS/SSL certificate issuance and validation
Personal Data Categories: Domain names, IP addresses (for domain validation challenges). No user personal data is sent.
Data Transfer Mechanism: Public certificate transparency logs (no personal data transfer)
Certifications: WebTrust for CAs

Content Delivery & DNS

Amazon CloudFront (AWS CDN)

Location: Global edge locations (primary: Australia, US, EU)
Processing Activities: Content delivery, caching, DDoS protection
Personal Data Categories: IP addresses (access logs), user-agent strings, HTTP headers
Data Transfer Mechanism: AWS Standard Contractual Clauses (SCCs)
Certifications: ISO 27001, SOC 2 Type II

Development Tools (No Personal Data)

GitHub, Inc. (Microsoft subsidiary)

Location: United States
Processing Activities: Source code version control, CI/CD pipelines
Personal Data Categories: None (code repository only; no production data)

Security & Compliance

All Sub-Processors listed in this register are required to:

  1. Implement appropriate technical and organisational measures to protect personal data (GDPR Article 32)
  2. Process personal data only on documented instructions from Manaia
  3. Ensure confidentiality of personnel authorised to process personal data
  4. Notify Manaia of personal data breaches without undue delay
  5. Assist Manaia in responding to Data Subject rights requests
  6. Delete or return personal data upon termination of services
  7. Submit to audits and provide evidence of compliance upon request

Changes to This Register

When Manaia intends to add or replace a Sub-Processor, we will:

  1. Update this register with the new Sub-Processor details
  2. Notify customers via email to the registered account email address
  3. Provide 30 days' notice before the new Sub-Processor begins processing personal data

If a customer objects within the 30-day period, Manaia will either not engage the Sub-Processor, or provide the customer an option to terminate the Service and receive a prorated refund for the unused portion of the subscription.

Contact

For questions about this Sub-Processor Register or to object to a new Sub-Processor:

Email: support@manaia.io

Mail: Manaia Tech Pty Ltd, Sydney, NSW, Australia

ABN: 52 696 183 703 | ACN: 696 183 703

Document Reference: HCS-LEGAL-004

Version: 2.0

Last Updated: 9 April 2026