© 2025 TraceFlows. All rights reserved.

Privacy PolicyTerms of ServiceCookie PolicyDPA
TraceFlows LogoTraceFlows
FeaturesPricingAboutContact
Sign InGet Started

On this page

  • 1. Introduction
  • 2. Current Subprocessors
  • 3. Categories of Processing
  • 4. Data Protection Safeguards
  • 5. Changes to Subprocessors
  • 6. Right to Object
  • 7. Contact Us

Subprocessor List

Last Updated: September 26, 2025

Note: This list is updated regularly. We will notify customers of changes as required by our Data Processing Addendum. You can subscribe to updates at subprocessor-updates@traceflows.com.

1. Introduction

As outlined in our Data Processing Addendum (DPA), TraceFlows engages third-party subprocessors to support the delivery of our Service. This document provides transparency about these relationships and the safeguards in place to protect your data.

All subprocessors are bound by data protection agreements that impose the same obligations as those set out in our DPA with you, ensuring your data receives consistent protection throughout our processing chain.

2. Current Subprocessors

SubprocessorPurposeLocationData CategoriesSafeguards
Amazon Web Services (AWS)
Amazon.com, Inc.		Cloud infrastructure, data storage, computing servicesUnited States, EUAll customer data, session recordings, metadataAWS DPA, SOC 2, ISO 27001, SCCs
Google Cloud Platform
Google LLC		Analytics processing, machine learning, backup servicesUnited States, EUAggregated analytics data, processed session dataGoogle Cloud DPA, ISO 27001, SCCs
Stripe
Stripe, Inc.		Payment processing, subscription managementUnited States, EUCustomer billing data, payment informationPCI DSS Level 1, SOC 2, SCCs
Intercom
Intercom, Inc.		Customer support, live chat, help documentationUnited States, EUCustomer contact information, support conversationsSOC 2, GDPR compliance, SCCs
SendGrid
Twilio Inc.		Transactional email deliveryUnited StatesCustomer email addresses, email contentSOC 2, ISO 27001, SCCs
DataDog
Datadog, Inc.		Application monitoring, performance analyticsUnited States, EUSystem logs, performance metrics, error dataSOC 2, ISO 27001, GDPR compliance
Sentry
Functional Software, Inc.		Error tracking, application debuggingUnited StatesError logs, stack traces, debugging informationSOC 2, GDPR compliance, SCCs
Slack
Slack Technologies, Inc.		Internal team communication, incident responseUnited StatesSystem alerts, internal communicationsSOC 2, ISO 27001, SCCs

Legend:

  • SCCs: EU Standard Contractual Clauses for international data transfers
  • SOC 2: Service Organization Control 2 certification
  • ISO 27001: Information security management certification
  • PCI DSS: Payment Card Industry Data Security Standard

3. Categories of Processing

3.1. Core Service Delivery

  • Infrastructure Providers: AWS, Google Cloud - Host our applications and store customer data
  • Content Delivery: CloudFlare (CDN services) - Deliver our tracking scripts efficiently
  • Database Services: AWS RDS, MongoDB Atlas - Store and process session recordings and metadata

3.2. Business Operations

  • Payment Processing: Stripe - Handle subscription payments and billing
  • Customer Support: Intercom - Provide customer service and technical support
  • Communications: SendGrid - Send transactional emails and service notifications

3.3. Service Monitoring

  • Application Monitoring: DataDog, New Relic - Monitor service performance and availability
  • Error Tracking: Sentry - Track and resolve application errors
  • Security Monitoring: Various security tools - Detect and prevent security threats

4. Data Protection Safeguards

4.1. Legal Protections

All subprocessors are required to sign data processing agreements that include:

  • Obligations equivalent to those in our DPA with you
  • Restrictions on data use, processing, and disclosure
  • Requirements for data security and breach notification
  • Audit rights and compliance monitoring
  • Data deletion requirements upon service termination

4.2. Technical Safeguards

Technical measures implemented across all subprocessor relationships:

  • Encryption: All data encrypted in transit and at rest
  • Access Controls: Strict access controls and authentication requirements
  • Network Security: Firewalls, VPNs, and network segmentation
  • Monitoring: Continuous monitoring of data access and processing activities
  • Data Minimization: Only necessary data shared with subprocessors

4.3. Compliance Certifications

We require subprocessors to maintain relevant certifications:

  • SOC 2 Type II for security and availability controls
  • ISO 27001 for information security management
  • Industry-specific certifications (e.g., PCI DSS for payment processors)
  • GDPR compliance attestations for EU data processing

5. Changes to Subprocessors

5.1. New Subprocessors

When we engage new subprocessors, we will:

  • Conduct due diligence on their data protection practices
  • Ensure they meet our security and compliance requirements
  • Execute appropriate data processing agreements
  • Notify customers at least 30 days before the new subprocessor begins processing
  • Update this list with the new subprocessor information

5.2. Subprocessor Changes

For changes to existing subprocessors (such as new processing purposes or locations):

  • We will provide advance notice of material changes
  • Updated processing agreements will be executed as needed
  • This list will be updated to reflect the changes
  • Additional safeguards will be implemented if required

5.3. Notification Methods

Customers will be notified of subprocessor changes through:

  • Email notifications to primary account contacts
  • Updates posted in the customer dashboard
  • Updates to this webpage with revision dates
  • Optional subscription to dedicated update notifications

6. Right to Object

As provided in our DPA, you have the right to object to our use of specific subprocessors. If you wish to object:

  • Timing: Submit objections within 30 days of receiving notice of a new subprocessor
  • Grounds: Objections must be based on reasonable data protection concerns
  • Process: Email your objection to legal@traceflows.com with detailed reasoning
  • Resolution: We will work with you to address concerns or provide alternatives
  • Termination: If we cannot resolve your objection, you may terminate your agreement

Objection Process

  1. Submit written objection within 30 days
  2. Include specific data protection concerns
  3. TraceFlows reviews and responds within 15 days
  4. If agreement reached, alternative arrangements made
  5. If no agreement, customer may terminate with 30 days notice

7. Contact Us

For questions about our subprocessors or data processing arrangements:

  • Data Protection Officer: privacy@traceflows.com
  • Legal Department: legal@traceflows.com
  • Subprocessor Updates: subprocessor-updates@traceflows.com