Third Party Subprocessors
What is a Third-Party Subprocessor?
A subprocessor is a third-party vendor CIS uses to process data on behalf of our customers, who are the data controllers of that data.
Purposes for which CIS collects and Uses Personal Information
- Providing you with the CIS applications, information, and websites for which you have registered, as well as any products or services, or support requested;
- Publish listings of CIS SecureSuite members and CIS Controls Supporters on our website which, in the case of individual members, includes names and organizational affiliations;
- Publish testimonials of CIS products and service on our website provided by individuals, which would include name, title and affiliate organization;
- Gain a better understanding how our website, product or services are being used so that we can improve them and engage with users;
- Diagnosing problems;
- Sending you business messages and marketing related to payments or expiration of subscriptions;
- Sending you information about CIS products, services, opportunities, updates, advisories, special offers, and similar information;
- Conducting market research about our customers, and the effectiveness of our marketing campaigns.
Purposes for which CIS collects and Uses Non-Personal Information
- The type of browser and operating system you use when you visit this site;
- The date and time when you visit this site;
- The webpage and services you access at this site;
- The forms that you download from this website;
- Additionally, non-personal information such as a company or governmental entity name and address. IP address may be provided when registering or signing up for CIS products or services. This information is used to determine eligibility for certain products or services.
CIS’s Process for Contracting with Third-party Subprocessors
CIS requires its third-party subprocessors to satisfy equivalent obligations as those required from CIS:
- process personal data following data controller’s documented instructions;
- in connection with the subprocessing activities, use only personnel who are reliable and subject to a contractually binding obligation to observe data privacy and security, to the extent applicable, under applicable data protection laws;
- promptly inform CIS about any security breach; and
- cooperate with CIS to address requests from data controllers, data subjects, or data protection authorities, as applicable.
The following table describes the countries and legal entities engaged in the processing and storage of personal data by CIS acting as a data processor on behalf of its customers, the data controllers.
|
CIS Authorized Third-Party Subprocessors |
||||
|
Third Party Recipients |
Purpose |
Personal Information Collected, Purposes, and Retention |
Location |
Third Party Privacy Policy and Additional Resources |
|
Amazon Web Services, Inc. |
Cloud Service Provider |
Amazon Web Services, Inc. is a cloud service provider.
Your general personal information will be processed by Amazon Web Services, Inc. for storage purposes for the period necessary to fulfill the purposes outlined in the CIS Privacy Notice and in accordance with applicable law. |
United States |
|
|
Microsoft, Inc |
Cloud Service Provider and associated products |
Microsoft offers a wide range of products, including cloud service products.
Your general personal information will be processed by Microsoft, Inc. for storage purposes for the period necessary to fulfill the purposes outlined in the CIS Privacy Notice and in accordance with applicable law. |
United States |
|
|
Sitecore |
Digital Experience Platform |
Sitecore is a digital experience platform.
Your general personal information will be processed by Sitecore, Inc. for storage purposes for the period necessary to fulfill the purposes outlined in the CIS Privacy Notice and in accordance with applicable law. |
United States |
|
|
Google, LLC |
Cloud Service Provider and associated products |
Google offers a wide range of products, including cloud service products.
Your general personal information will be processed by Google, LLC. for storage purposes for the period necessary to fulfill the purposes outlined in the CIS Privacy Notice and in accordance with applicable law. |
United States |
|
|
LinkedIn Sales Navigator |
Lead generation and pipeline management |
LinkedIn offers a wide range of products, including lead generation and pipeline management.
Your general personal information will be processed by LinkedIn for storage purposes for the period necessary to fulfill the purposes outlined in the CIS Privacy Notice and in accordance with applicable law. |
United States |
|
|
Salesforce |
Customer relationship management |
Salesforce offers customer relationship management.
Your general personal information will be processed by Salesforce for storage purposes for the period necessary to fulfill the purposes outlined in the CIS Privacy Notice and in accordance with applicable law. |
United States |
|
|
Oracle |
Cloud Service Provider and associated products |
Oracle offers a wide range of products, including cloud service products.
Your general personal information will be processed by Oracle for storage purposes for the period necessary to fulfill the purposes outlined the CIS Privacy Notice and in accordance with applicable law. |
United States |
|
|
Snowflake |
Data pipeline |
Snowflake offers data pipeline products.
Your general personal information will be processed by Snowflake for storage purposes for the period necessary to fulfill the purposes outlined in the CIS Privacy Notice and in accordance with applicable law. |
United States |
|
|
Zoom |
Video communications platform |
Zoom offers a video communication platform and associated products.
Your general personal information will be processed by Zoom for storage purposes for the period necessary to fulfill the purposes outlined in the CIS Privacy Notice and in accordance with applicable law. |
United States |
|
|
Fivetran |
Data integration tools |
Fivetran offers data integration tools.
Your general personal information will be processed by Fivetran for storage purposes for the period necessary to fulfill the purposes outlined in the CIS Privacy Notice and in accordance with applicable law. |
United States |
|
|
Cyware |
Security Orchestration and Automation (SOAR) Platform |
Cyware provides services to improve security operations, automate cross-functional workflows, and accelerate threat response with Cyware’s vendor-neutral, low-code Security Orchestration, Automation, and Response (SOAR) solution.
Your information will be processed by Cyware for SOAR solutioning for the period necessary to fulfill the purposes outlined in the CIS Privacy Notice and in accordance with applicable law. |
United States |
|
|
Securonix |
SIEM Platform |
Securonix provides a SIEM Platform solution.
Your information will be processed by Securonix for SIEM solutioning for the period necessary to fulfill the purposes outlined in the CIS Privacy Notice and in accordance with applicable law. |
United States |
|
|
Crowdstrike |
Intrusion Detection Monitoring |
Crowdstrike provides Intrusion Detection Monitoring.
Your information will be processed by Crowdstrike for monitoring for the period necessary to fulfill the purposes outlined in the CIS Privacy Notice and in accordance with applicable law. |
United States |
|
|
Qualtrics |
Survey Tool |
Qualtrics provides a Survey Tool.
Your information will be processed by Qualtrics for surveys for the period necessary to fulfill the purposes outlined in the CIS Privacy Notice and in accordance with applicable law. |
United States |
|
|
Date of Change |
Change |
Notes |
|
03/21/2024 |
Added Qualtrics |
This service enables CIS to create surveys that are sent to members. |
|
09/11/2023 |
Added Cyware, Securonix, Crowdstrike |
These are subprocessors that assist in providing services to members in select instances based on CIS offerings. |
|
04/01/2023 |
Added Snowflake, Oracle, Zoom, and Fivetran as subprocessors |
|