ControlShift Authorized Subprocessors
In accordance with §4.1 of of ChangeSprout Inc.’s Data Processing Addendum, ChangeSprout maintains a list of authorized subprocessors whom we have contracted to provide certain services related to the ControlShift toolset.
When ChangeSprout updates its subprocessors, the list on this page will be updated (which will serve as “reasonable prior notice”). If your organization objects to the use of a proposed subprocessor, you may send us an email detailing the reasons for your objection.
Because updates to subprocessors will only be posted on this page, we’d encourage organizations to subscribe to updates using the form at the bottom of this page.
ChangeSprout has two categories of authorized Subprocessors of personal data. Subprocessors that we use to provision the core ControlShift product to you are categorized as “Infrastructure.” Subprocessors that we use to help us answer support questions from customers are categorized as “Support.”
ControlShift Authorized Subprocessors - Infrastructure
| Entity Name | Purpose | Corporate Location |
|---|---|---|
| Amazon Web Services, Inc. | Infrastructure Provider |
410 Terry Avenue North, Seattle, WA 98109 United States of America |
| Cloudflare, Inc. | DDOS/Bot Protection and CDN |
101 Townsend Street San Francisco, CA 94107 United States of America |
| Elasticsearch, Inc. | Search Infrastructure Provider |
800 W. El Camino Real, Suite 350 Mountain View, CA 94040 United States of America |
| SendGrid, Inc. | Email Service Provider | 1801 California Street, Suite 500, Denver, CO 80202 United States of America |
| Papertrail (SolarWinds Worldwide LLC) | Log Management | 7171 Southwest Parkway, Building 400 Austin, TX 78735 United States of America |
| Rollbar Inc. | Error Monitoring and Crash Reporting |
51 Federal St Ste 401 San Francisco, CA 94107 United States of America |
ControlShift Authorized Subprocessors – Support
| Entity Name | Purpose | Corporate Location |
|---|---|---|
| Google Inc.* | G Suite* |
1600 Ampitheatre Parkway Mountain View, CA 94043 United States of America |
| Help Scout PBC | Support tickets and help center |
68 Harrison Ave #605 PMB 78505 Boston, MA 02111 United States |
| Slack Technologies Inc. | Team Communications (Zendesk/Help Scout tickets are sent to Slack) |
500 Howard 5th Street San Francisco, CA 94105 United States of America |
| Zendesk, Inc. | Support tickets and help center |
1019 Market Street San Francisco, CA 94103 United States of America |
Third-Party Integrations
We allow organizations to integrate with third-party tools that are not covered by our DPA. These third-party tools are included on, and can be managed from, the Integrations page (admin homepage > Settings > Integrations). We encourage organizations to review the third-party tools to which they’re sending data and independently evaluate the security of these tools, and sign separate Data Processing Agreements with those third parties where appropriate.
Controller-Controller Relationships
Controller-Controller relationships are those where our customers and a vendor that we work with share the controller responsibility, usually through embedded functionality from another service that is directly served to the public via a link, javascript or an iframe.
*Google: Our subprocessor DPA with Google Inc. covers our use of the G Suite tools to handle incidental personal data collected in the process of providing email support for the use of the product.
It does not, however, include use of reCAPTCHA (enabled via admin > Settings > Integrations), Google Maps or Google Fonts APIs. We use the Google Maps API to render maps and provide location lookup services. We optionally use some fonts served by the Google Fonts API. We do not send personal data to the Google Maps or Fonts APIs, but it may be possible for Google itself to collect data including IP Address directly from the public because of the inclusion of these products in the ControlShift service.
Google offers a Controller-Controller agreement for Google Maps, which may be appropriate for organizations to enter into. We recommend seeking legal guidance: https://cloud.google.com/maps-platform/terms/maps-controller-terms.
Embed.ly: The ControlShift product can use Embed.ly to convert URLs on some pages into embedded images, videos, etc. This feature can be used by customers to include rich media embeds from a large number of third party services including YouTube, Vimeo and the like. We do not send personal data to Embed.ly, but the third-party services, by virtue of the embed, may track users’ personal information including IP Address. These embeds are inserted into pages via an iframe, which might establish a Controller-Controller relationship between you and the embed provider. The integration with Embed.ly is also controlled via admin > Settings > Integrations.