A subprocessor is a third-party vendor that processes personal data on DuoCircle’s behalf in order to deliver our services. The list below is the current set in scope for the Data Protection Addendum. We give the technical contact on each customer account thirty days notice before adding any new subprocessor that handles personal data, by email and by updating this page.
For automated notification, subscribe to the RSS feed or browse the dated record of past changes at /legal/subprocessors/changelog/. If you would like additional addresses on the email distribution list, email privacy@duocircle.com.
Mandatory subprocessors
These subprocessors apply to every customer of any DuoCircle Cloud Service.
| Subprocessor | Role | Headquarters |
|---|---|---|
| Amazon Web Services | Compute, storage, network, managed databases | Seattle, WA, United States |
| DigitalOcean | Compute and managed services for selected workloads | New York, NY, United States |
| Cloudflare | CDN, DNS, WAF, and DDoS mitigation | San Francisco, CA, United States |
| Cyren | Threat intelligence and spam classification | McLean, VA, United States |
| Webroot (OpenText) | Threat intelligence and spam classification | Broomfield, CO, United States |
| Vade | Anti-phishing and threat detection | Hem, France |
Optional subprocessors
These subprocessors apply only when a customer uses the corresponding feature.
| Subprocessor | Role | Headquarters |
|---|---|---|
| Freshworks | Customer support helpdesk, knowledge base, ticketing, and live chat | San Mateo, CA, United States |
| Zoho Corporation | CRM, marketing automation, and website analytics for sales-led customers | Chennai, India |
| Twilio | SMS notifications for severity-1 incident alerts and account 2FA | Dublin, Ireland |
| Google LLC | Translation services and sentiment analysis on selected customer-facing tools | Mountain View, CA, United States |
Affiliates
Several entities within the DuoCircle portfolio operate the underlying services for specific products and act as DuoCircle’s processors when handling personal data. These entities follow the same security and privacy controls and are governed by intra-group agreements that mirror the obligations of the DPA.
How we choose a subprocessor
Every new subprocessor with access to personal data goes through a security and privacy review before approval. The review covers SOC 2 or equivalent attestation, data residency, encryption posture, breach notification commitments, subprocessor chain, and exit terms. We do not approve a vendor that cannot meet our minimum bar even if it offers a feature we want.
How we end a subprocessor relationship
When we replace or remove a subprocessor, we follow a documented offboarding procedure: revoke access tokens, delete customer data per the contract, request written confirmation of deletion, update this page, and email the change to the technical contact on each affected account.
How to object
If a customer has a reasonable, documented objection to a new subprocessor, we will work in good faith to find a solution. Where no solution is possible, the customer may terminate the affected service for cause and receive a pro-rata refund of any prepaid fees for the unused portion of the term.
Contact privacy@duocircle.com with any objection, question, or correction.
Questions about this document?
DuoCircle LLC, 5965 Village Way, Suite 105-234, San Diego, CA 92130. Email legal@duocircle.com for legal inquiries, or support@duocircle.com for everything else.