Privacy Matters at Contrast Security
Sub-Processors List
List of Sub-Processors as of 28 June 2022
Contrast Security, Inc. (“Contrast”) uses Sub-processors to help in the delivery of products and to provide related support services to our customers. A sub-processor is a third-party organisation that Contrast uses, where Contrast is acting as a processor, and that may process or have access to personal data.
To ensure that we remain transparent to our customers and to comply with regulatory requirements such as the General Data Protection Regulation (“GDPR”), we maintain an up-to-date list of the entities, functions, and locations of these sub-processors as referenced below. For any questions, please email rfp@contrastsecurity.com.
Contrast performs rigorous assessments on the information security and data protection practices of its sub-processors and requires each to commit to written obligations regarding their security measures and to demonstrate compliance with applicable personal data protection laws and regulations and other policies.
To be notified whenever our Sub-processor listing is updated, please follow the link below:
Tier 1 / Sub-processors for Infrastructure, Security and Business Operations (Potential Access to Confidential Data)
Sub-Processor |
Contact Details of Sub-Processor and Data Privacy Officer |
Processing Location of Data |
Processing Operations of Sub-Processor |
Amazon Web Services (“AWS”) |
410 Terry Avenue N Seattle, WA 98109 USA |
us-east-1 (Virginia USA) us-west-2 (Oregon, USA) eu-west-2 (London, UK) eu-central-1 (Frankfurt, Germany) ap-northeast-1 (Tokyo, Japan) |
Cloud Hosting Provider Confidential Data captured in Vulnerabilities or Attack Trace Data, Admin User Information |
Atlassian, Inc. |
350 Bush Street |
United States Privileged users could potentially process from any of these locations - Bulgaria, Canada, Germany, Isle of Man, Israel, Japan, Mexico, New Zealand, UK |
Bug Tracking, Project Management, Documentation, Internal Wiki |
Datadog |
620 8th Ave DPO: gdpr@datadoghq.com |
United States |
Log Aggregation, Alerting and Security Anomaly Detection Confidential Data captured in Vulnerabilities or Attack Trace Data, Admin User Information |
GitHub (“Microsoft”) |
88 Colin P. Kelly Jr. St DPO: privacy@github.com |
United States |
Code Hosting Platform Source Code Control Source Code |
Lacework |
6201 America DPO: privacy@lacework.net Attn: Chief Compliance Officer |
United States |
Infrastructure Monitoring, Vulnerability Management, Threat Intelligence, Compliance Reporting Vulnerability Data Related to the SaaS Environment |
Salesforce, Inc. |
415 Mission St. |
United States |
Customer Relationship Management (“CRM”), Collaboration and Communication (see also Slack) Customer and Prospect Data |
Slack Technologies, Inc. |
500 Howard Street DPO: dpo@slack.com |
United States |
Communication and Collaboration (see also Salesforce) |
Splunk On-Call (Formerly VictorOps) |
270 Brannan St. DPO: dpo@splunk.com |
United States |
On-call Paging Vulnerability Data Related to the SaaS Environment Incident Data Support Ticket Data |
Sumo Logic, Inc. |
305 Main Street or Sumo Logic Inc. |
United States |
Confidential Data captured in Vulnerabilities or Attack Trace Data, Admin User Information |
Tenable, Inc. |
6100 Merriweather DPO: privacy@tenable.com |
United States |
Vulnerability Scanning Vulnerability Data Related to the SaaS Environment |
Zendesk, Inc. |
999 Market Street DPO: privacy@zendesk.com Attn: Privacy Team and DPO |
United States Customer Success employees with privileged access could potentially access from any of these locations - Canada, Isle of Man, Japan, UK |
Customer Support Portal/Customer Relationship Management (“CRM”) Customer Support Ticket Data |
Tier 2 / Sub-Processors for CRM and Business Operations (Business Contact Information Processed)
Name of Sub-Processor |
Contact Details of Sub-Processor/ Data Privacy Officer Contact Information |
Processing Location of Data |
Processing Operations of Sub-Processor |
Gainsight, Inc. |
350 Bay Street Attn: Legal (Data Protection Officer) |
United States |
Customer Relationship Management (“CRM”) |
Google Workspace |
1600 Amphitheatre Pkwy DPO: https://support.google.com/policies/ |
United States |
Email |
Highspot, Inc. |
2211 Elliott Ave DPO: privacy@highspot.com |
United States |
Marketing Sales Enablement |
Hubspot, Inc. |
25 First Street DPO: security@hubspot.com |
United States |
Customer Relationship Management (“CRM”) |
iWAconsolti |
Prolongation of Oriente 6 DPO: Gerardo Arellano <garellano@iwa.com.mx> |
Mexico |
Engineering/ R&D Support |
JFrog (Artifactory) |
270 E Caribbean Dr. DPO: privacy@jfrog.com |
United States |
Enterprise Universal Repository Manager (Management of application binaries and artifacts) |
Mechdyne |
11 East Church +44 116 318 4083 |
United States |
IT Support Services |
MentorMate |
(HQ) DPO: legal@mentormate.com |
Bulgaria |
Engineering/ R&D Support |
Microsoft |
One Microsoft Way DPO: Provides a public facing contact form |
United States |
Email, Office Suite |
Netsuite/ Oracle Corporation |
Willis Tower 233 DPO: Public facing contact form. |
United States |
Finance and Invoicing Software |
Pendo.io |
301 Hillsborough Street DPO: gdpr@pendo.io Attn: Data Protection Officer |
United States |
Platform Usage Analytics |
Propelo (Formerly LevelOps) |
700 S Bernardo Ave. Suite 103 DPO: nishant@propelo.ai |
United States |
Data Analytics |
Salesloft |
1180 West Peachtree St. NW |
United States |
Customer Relationship Management (“CRM”), Sales Engagement |
SonarCloud |
Route De PreBois DPO: info@sonarsource.com |
United States |
Analytics Tool |
Zoom |
55 Almaden Blvd DPO: privacy@zoom.us Attn: Data Protection Officer |
United States |
Conference Calling Communication |
ZoomInfo |
805 Broadway St DPO: legal@zoominfo.com |
United States |
Marketing, CRM Insights Tool, Advertising |
3rd Party Policy and Security Due Diligence Review:
Tier 1 / Sub-Processors for Infrastructure, Security and Business Operations (Potential Access to Confidential Data)
Sub-Processor |
Audit Conducted |
Audit Method |
Evidence Reviewed by Contrast Security, Inc |
Amazon Web Services (“AWS”) |
Yes |
AWS engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast, i.e., Compliance, Information Security, Privacy, etc. We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. |
● SOC 2 Type II Report (6-month cadence to September 2021) ● ISO 27001:2013 certificate (issued January 2022) ● ISO 27017:2015 certificate (issued March 2022) ● ISO 27018:2019 certificate (issued March 2022) ● ISO 27701:2019 certificate (issued March 2022) ● AWS Privacy Notice ● AWS Security overview |
Atlassian, Inc. |
Yes |
Atlassian engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast, i.e., Compliance, Information Security, Privacy, etc. We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. |
● ISO 27001:2013 certificate (issued January 2022) ● SOC 2 Type II Report (September 2021) ● Bridge Letter SOC 2, Type II (January 2022) ● Security at Atlassian ● Privacy Policy |
Datadog |
Yes |
Datadog engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast, i.e., Compliance, Information Security, Privacy, etc. We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. |
● SOC 2 Type II Report (December 2021) ● ISO 27001:2013 certificate (issued December 2021) ● Pen Test Security Assessment (April 2022) ● SIG Core (2022) ● Privacy Policy |
GitHub (“Microsoft”) |
Yes |
GitHub engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast, i.e., Compliance, Information Security, Privacy, etc. We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. |
● Pen Test Security Assessment (February 2021) ● SOC 2 Type II Report (September 2021) ● Privacy Statement |
Lacework |
Yes |
Lacework engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast, i.e., Compliance, Information Security, Privacy, etc. We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. |
● SOC 2 Type II Report (August 2021) ● Bridge Letter SOC 2 Type II (October 2021) ● Privacy Policy |
Salesforce, Inc. |
Yes |
Salesforce engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast, i.e., Compliance, Information Security, Privacy, etc. We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. |
● SOC 2 Type II Report (October 2021) ● ISO 27001:2013 (issued April 2022) ● ISO 27017:2015 (issued April 2022) ● ISO 27018:2019 (issued April 2022) ● CSA CAIQ (2022) ● Pen Test Security Assessment (February 2022) |
Slack Technologies, Inc. |
Yes |
Slack engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast, i.e., Compliance, Information Security, Privacy, etc. We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. |
● SOC 2 Type II Report (November 2021) ● ISO 27001:2013 certificate (issued November 2021) ● ISO 27018:2019 certificate (issued November 2021) ● ISO 27017:2015 certificate (issued November 2021) ● CSA CAIQ (2021) ● Pen Test Security Assessment (November 2021) ● Privacy Policy |
Splunk On-Call (Formerly VictorOps) |
Yes |
Splunk engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast, i.e., Compliance, Information Security, Privacy, etc. We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. |
● SOC 2 Type II Report (November 2021) ● Information Security Policy ● Corporate Security Policy ● Cloud Security Addendum ● Privacy Policy |
Sumo Logic, Inc. |
Yes |
Sumo Logic engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast, i.e., Compliance, Information Security, Privacy, etc. We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. |
● Vendor Security Assessment (VSA) ● SOC 2 Type II Report (March 2021) ● Security Statement ● Pen Test Security Assessment (October 2021) ● ISO 27001:2013 certificate (issued February 2022) ● Privacy Policy |
Tenable, Inc. |
Yes |
Tenable engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast, i.e., Compliance, Information Security, Privacy, etc. We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. |
● ISO 27001:2013 certificate (issued December 2020) ● Pen Test Security Assessment (July 2021) ● SIG Core (2022) ● Privacy Policy |
Zendesk, Inc. |
Yes |
Zendesk engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast, i.e., Compliance, Information Security, Privacy, etc. We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. |
● ISO 27001:2013 certificate (issued April 2021) ● ISO 27018:2014 certificate (issued April 2021) ● SOC 2 Type II Report (September 2021) ● Pen Test Security Assessment (May 2021) ● CSA CAIQ ● Security Documentation ● Privacy Policy |
Tier 2 / Sub-Processors for CRM and Business Operations (Business Contact Information Processed)
Sub-Processor |
Audit Conducted |
Audit Method |
Evidence Reviewed by Contrast Security, Inc |
Gainsight, Inc. |
Yes |
Gainsight engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast, i.e., Compliance, Information Security, Privacy, etc. We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. |
● SOC 2 Type II Report (December 2021) ● CSA CAIQ - 2022 ● SIG Lite - 2022 ● Privacy Policy ● Pen Test Security Assessment (October 2021) |
Google Workspace |
Yes |
Google Workspace engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast, i.e., Compliance, Information Security, Privacy, etc. We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. |
● SOC 2 Type II Report (April 2021) ● Privacy Policy ● ISO 27001:2013 (issued May 2021) ● ISO 27018:2019 (issued May 2021) ● ISO 27017:2015 (issued May 2021) |
Highspot, Inc. |
Yes |
Highspot engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast, i.e., Compliance, Information Security, Privacy, etc. We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. |
● SOC 2 Type II Report (August 2021) ● Privacy Policy |
Hubspot, Inc. |
Yes |
Hubspot engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast, i.e., Compliance, Information Security, Privacy, etc. We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. |
● ISO 27001:2013 certificate ● SOC 2 Type II Report (April 2021) ● SOC 2 Type II Bridge Letter (November 2021) ● Pen Test Security Assessment (November 2021) ● Security Overview ● Privacy Policy |
JFrog Artifactory |
Yes |
JFrog engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast, i.e., Compliance, Information Security, Privacy, etc. We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. |
● ISO 27001:2013 certificate (issued January 2022) ● ISO 27017:2015 certificate (issued January 2022) ● SOC 2 Type II Report (December 2021) ● Privacy Policy |
Mechdyne |
|
Mechdyne engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast, i.e., Compliance, Information Security, Privacy, etc. We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. |
Privacy Policy |
MentorMate |
Yes |
MentorMate engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast, i.e., Compliance, Information Security, Privacy, etc. We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. |
● SOC 2 Type I report (February 2022) ● Contrast Vendor Assessment ● Vendor Code Policy ● Privacy Policy |
Microsoft |
Yes |
Microsoft engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast, i.e., Compliance, Information Security, Privacy, etc. We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. |
● SOC 2 Type II Report (September 2021) ● Privacy Policy ● Bridge Letter SOC 2 Type II (January 2022) |
Netsuite/ Oracle Corporation |
Yes |
Netsuite engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast, i.e., Compliance, Information Security, Privacy, etc. We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. |
● SOC 2 Type II Report (September 2021) ● Privacy Policy |
Pendo.io |
Yes |
Pendo engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast, i.e., Compliance, Information Security, Privacy, etc. We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. |
● SOC 2 Type II Report (December 2021) ● Privacy Policy |
Propelo (Formerly LevelOps) |
Yes |
Propelo engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast, i.e., Compliance, Information Security, Privacy, etc. We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. |
● Security Datasheet ● Privacy Datasheet ● SOC 2 Type I Report (March 2021) ● Contrast Vendor Assessment ● Privacy Policy |
Salesloft |
Yes |
Salesloft engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast, i.e., Compliance, Information Security, Privacy, etc. We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. |
● SOC 2 Type II Report (June 2021) ● ISO 27001:2013 certificate ● Privacy Policy |
SonarCloud |
Yes |
SonarCloud engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast, i.e., Compliance, Information Security, Privacy, etc. We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. |
● ISO 27001:2013 Attestation ● Privacy Policy ● Pen Test Security Assessment Report (June 2021) |
Zoom |
Yes |
Zoom engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast, i.e., Compliance, Information Security, Privacy, etc. We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. |
● SOC 2 Type II Report (October 2021) ● CSA CAIQ ● SIG Full ● ISO 27001:2013 (issued December 2021) ● Privacy Policy |
ZoomInfo |
Yes |
ZoomInfo engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast, i.e., Compliance, Information Security, Privacy, etc. We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. |
● SOC 2 Type II Report (February 2021) ● ISO 27001:2013 certificate ● Security Overview ● Privacy Policy |