ControlShift Authorized Subprocessors

In accordance with §4.1 of of ChangeSprout Inc.’s Data Processing Addendum, ChangeSprout maintains a list of authorized subprocessors whom we have contracted to provide certain services related to the ControlShift toolset. 

When ChangeSprout updates its subprocessors, the list on this page will be updated (which will serve as “reasonable prior notice”). If your organization objects to the use of a proposed subprocessor, you may send us an email detailing the reasons for your objection. 

Because updates to subprocessors will only be posted on this page, we’d encourage organizations to subscribe to updates using the form at the bottom of this page.

ChangeSprout has two categories of authorized Subprocessors of personal data. Subprocessors that we use to provision the core ControlShift product to you are categorized as “Infrastructure.” Subprocessors that we use to help us answer support questions from customers are categorized as “Support.”

ControlShift Authorized Subprocessors - Infrastructure

Entity Name Purpose Corporate Location
Amazon Web Services, Inc. Infrastructure Provider 410 Terry Avenue North,
Seattle, WA 98109
United States of America
Cloudflare, Inc. DDOS/Bot Protection and CDN 101 Townsend Street
San Francisco, CA 94107
United States of America
Elasticsearch, Inc. Search Infrastructure Provider 800 W. El Camino Real, Suite 350
Mountain View, CA 94040
United States of America
SendGrid, Inc. Email Service Provider 1801 California Street, Suite 500,
Denver, CO 80202
United States of America
Papertrail (SolarWinds Worldwide LLC) Log Management 7171 Southwest Parkway, Building 400
Austin, TX 78735
United States of America
Rollbar Inc. Error Monitoring and Crash Reporting 51 Federal St Ste 401
San Francisco, CA 94107
United States of America

ControlShift Authorized Subprocessors – Support 

Entity Name Purpose Corporate Location
Google Inc.* G Suite* 1600 Ampitheatre Parkway
Mountain View, CA 94043
United States of America
Help Scout PBC Support tickets and help center 68 Harrison Ave #605
PMB 78505
Boston, MA 02111
United States
Slack Technologies Inc. Team Communications (Zendesk/Help Scout tickets are sent to Slack) 500 Howard 5th Street
San Francisco, CA 94105
United States of America
Zendesk, Inc. Support tickets and help center 1019 Market Street
San Francisco, CA 94103
United States of America

Third-Party Integrations

We allow organizations to integrate with third-party tools that are not covered by our DPA. These third-party tools are included on, and can be managed from, the Integrations page (admin homepage > Settings > Integrations). We encourage organizations to review the third-party tools to which they’re sending data and independently evaluate the security of these tools, and sign separate Data Processing Agreements with those third parties where appropriate. 

Controller-Controller Relationships

Controller-Controller relationships are those where our customers and a vendor that we work with share the controller responsibility, usually through embedded functionality from another service that is directly served to the public via a link, javascript or an iframe.

*Google: Our subprocessor DPA with Google Inc. covers our use of the G Suite tools to handle incidental personal data collected in the process of providing email support for the use of the product.

It does not, however, include use of reCAPTCHA (enabled via admin > Settings > Integrations), Google Maps or Google Fonts APIs. We use the Google Maps API to render maps and provide location lookup services. We optionally use some fonts served by the Google Fonts API. We do not send personal data to the Google Maps or Fonts APIs, but it may be possible for Google itself to collect data including IP Address directly from the public because of the inclusion of these products in the ControlShift service.

Google offers a Controller-Controller agreement for Google Maps, which may be appropriate for organizations to enter into. We recommend seeking legal guidance: https://cloud.google.com/maps-platform/terms/maps-controller-terms

Embed.ly: The ControlShift product can use Embed.ly to convert URLs on some pages into embedded images, videos, etc. This feature can be used by customers to include rich media embeds from a large number of third party services including YouTube, Vimeo and the like. We do not send personal data to Embed.ly, but the third-party services, by virtue of the embed, may track users’ personal information including IP Address. These embeds are inserted into pages via an iframe, which might establish a Controller-Controller relationship between you and the embed provider. The integration with Embed.ly is also controlled via admin > Settings > Integrations.