In accordance with §4.1 of of ChangeSprout Inc.'s Data Processing Addendum, ChangeSprout maintains a list of authorized subprocessors whom we have contracted to provide certain services related to the ControlShift toolset.
If ChangeSprout decides to update its subprocessors, the list on this page will be updated (which will serve as "reasonable prior notice"). If your organization objects to the use of a proposed subprocessor, you may send us an email detailing the reasons for your objection.
Because updates to subprocessors will only be posted on this page, we'd encourage organizations to Follow this article to receive updates.
ChangeSprout has two categories of authorized Subprocessors of personal data. Subprocessors that we use to provision the core ControlShift product to you are categorized as "Infrastructure". Subprocessors that we use to help us answer support questions from customers are categorized as "Support".
ControlShift Authorized Subprocessors - Infrastructure | ||
Entity Name |
Purpose |
Corporate Location |
Infrastructure Provider |
410 Terry Avenue North, |
|
DDOS/Bot Protection and CDN |
101 Townsend Street
San Francisco, CA 94107 United States of America |
|
Search Infrastructure Provider |
800 W. El Camino Real, Suite 350 United States of America |
|
Email Service Provider |
1801 California Street, Suite 500, |
|
Log Management |
7171 Southwest Parkway, Building 400 |
|
Rollbar Inc |
Error Monitoring and Crash Reporting |
51 Federal St Ste 401 |
Authy Two-Factor Authentification |
399 W El Camino Real |
ControlShift Authorized Subprocessors – Support | ||
Entity Name |
Purpose |
Corporate Location |
G Suite* |
1600 Ampitheatre Parkway |
|
Slack Technologies Inc. |
Team Communications (Zendesk tickets are sent to Slack) |
500 Howard 5th Street |
Support tickets and help center |
1019 Market Street |
Third Party Integrations
We allow organizations to integrate with third-party tools that are not covered by our DPA. These third-party tools are included on, and can be managed from, the Integrations page (admin homepage > Settings > Integrations). We encourage organizations to review the third-party tools to which they're sending data and independently evaluate the security of these tools, and sign separate Data Processing Agreements with those third parties where appropriate.
Controller-Controller Relationships
Controller-Controller relationships are those where our customers and a vendor that we work with share the controller responsibility, usually through embedded functionality from another service that is directly served to the public via a link, javascript or an iframe.
Google: Our subprocessor DPA with Google Inc. covers our use of the G Suite tools to handle incidental personal data collected in the process of providing email support for the use of the product.
It does not, however, include use of reCAPTCHA, Google Maps or Google Fonts APIs. We use the Google Maps API to render maps and provide location lookup services. We use some fonts served by the Google Fonts API. We do not send personal data to the Google Maps or Fonts APIs, but it may be possible for Google itself to collect data including IP Address directly from the public because of the inclusion of these products in the ControlShift service.
Google offers a Controller-Controller agreement for Google Maps, which may be appropriate for organizations to enter into. We recommend seeking legal guidance: https://cloud.google.com/maps-platform/terms/maps-controller-terms.
Embed.ly: The ControlShift product uses Embed.ly to convert URLs on some pages into embedded images, videos, etc. This feature can be used by customers to include rich media embeds from a large number of third party services including YouTube, Vimeo and the like. We do not send personal data to Embed.ly, but the third party services, by virtue of the embed, may track users' personal information including IP Address. These embeds are inserted into pages via an iframe, which might establish a Controller-Controller relationship between you and the embed provider.
Comments
4 comments
Update 2 May 2018: Segment will not be included among our list of authorized subprocessors. After reviewing their DPA, certain clauses (prohibiting 'special categories of data') conflict with the way our platform is used. We'll provide more information about how organizations can use analytics services soon.
Update 23 May 2018: Updated to include Papertrail, Twilio, G Suite, and Slack. Also updated to include notes about Google Maps, Embed.ly, and third-party tools.
Update 10 December 2021: We'll be updating our subprocessor list to add Elastic.co (search infrastructure) and Cloudflare (bot & DDOS protection and content acceleration).
Please sign in to leave a comment.