Subprocessors
These third parties process data on behalf of ProveGround. GDPR Article 28 + Article 33.
ProveGround Sub-Processor Registry
Version: 1.0
Last Updated: April 12, 2026
Last Reviewed: April 12, 2026
Document Owner: Privacy & Security Team
Contact: privacy@proveground.com
1. Purpose
This registry documents all third-party sub-processors that process personal data on behalf of ProveGround (Street2Ivy, Inc.) in connection with the ProveGround platform. This registry is maintained in compliance with our Data Processing Agreements (DPAs) with institutional clients and applicable data protection regulations including FERPA, CCPA/CPRA, and GDPR.
2. Sub-Processor Registry
| # | Vendor | Legal Entity | Purpose | Data Categories Processed | Data Region | DPA Status | Security Certifications | Date Added |
|---|---|---|---|---|---|---|---|---|
| 1 | Heroku | Salesforce, Inc. | Application hosting, compute, routing, managed PostgreSQL, managed Redis | All application data (student PII, academic records, application data, AI conversations, audit logs) | US-East-1 (Virginia) | Salesforce DPA (standard) | SOC 1/2/3, ISO 27001, FedRAMP Moderate, PCI DSS | Feb 2024 |
| 2 | AWS | Amazon Web Services, Inc. | Infrastructure (via Heroku), RDS database encryption, S3 storage, CloudFront CDN | All stored data (encrypted at rest via AES-256) | US-East-1 (Virginia) | AWS DPA (standard) | SOC 1/2/3, ISO 27001, FedRAMP High, PCI DSS, HIPAA | Feb 2024 |
| 3 | Anthropic | Anthropic PBC | AI processing — career coaching, resume review, match insights, portfolio intelligence, listing optimization | Student profiles, skills, project descriptions, conversation content, academic context | United States | Custom DPA executed | SOC 2 Type II | Mar 2024 |
| 4 | Mailgun | Sinch AB (via Mailgun Technologies, Inc.) | Transactional email delivery — notifications, password resets, FERPA notices | Email addresses, recipient names, email subject/body content | US (AWS infrastructure) | Sinch DPA (standard) | SOC 2 Type II, ISO 27001 | Feb 2024 |
| 5 | Cloudinary | Cloudinary Ltd. | Media storage and transformation — profile photos, portfolio images, uploaded documents | Uploaded images, documents, videos, file metadata | US-East-1 (AWS) | Cloudinary DPA (standard) | SOC 2 Type II, ISO 27001 | Feb 2024 |
| 6 | Sentry | Functional Software, Inc. | Application error monitoring and performance tracking | Error stack traces, request metadata, browser/OS info (PII scrubbed by policy) | US (GCP us-central1) | Sentry DPA (standard) | SOC 2 Type II | Feb 2024 |
| 7 | Redis Labs | Redis Ltd. | In-memory caching — session management, rate limiting, account lockout tracking | Session tokens, rate limit counters, lockout state (no direct PII) | US-East-1 (AWS) | Redis Enterprise Cloud DPA | SOC 2 Type II, ISO 27001 | Feb 2024 |
| 8 | GitHub | GitHub, Inc. (Microsoft Corporation) | Source code repository, CI/CD pipeline | Application source code only — no customer data stored in GitHub | United States | GitHub DPA (standard) | SOC 1/2, ISO 27001, FedRAMP | Feb 2024 |
3. Privacy Policy Links
4. Data Flow Summary
Student/User → ProveGround (Heroku/AWS US-East-1)
├── PostgreSQL (Heroku Postgres / AWS RDS) — all persistent data
├── Redis (Heroku Data for Redis) — sessions, rate limits
├── Anthropic Claude API — AI features (inference only, no data retention)
├── Mailgun — outbound email delivery
├── Cloudinary — media file storage
├── Sentry — error tracking (PII-scrubbed)
└── GitHub — CI/CD (no customer data)
5. Change Notification Process
Adding a New Sub-Processor
- ProveGround evaluates the sub-processor's security posture (certifications, DPA terms, data handling practices)
- A DPA is executed with the new sub-processor before any data processing begins
- This registry is updated with the new sub-processor details
- All institutional clients with active DPAs are notified via email at least 14 calendar days before the new sub-processor begins processing data
- The notification includes: sub-processor name, purpose, data categories, region, and effective date
Removing a Sub-Processor
- Data processing with the sub-processor is terminated
- Confirmation of data deletion/return is obtained from the sub-processor
- This registry is updated
- Clients are notified of the removal within 30 days
6. Objection Procedure
Institutional clients may object to a new sub-processor within 14 calendar days of receiving the change notification:
- Submit objection in writing to privacy@proveground.com
- ProveGround will work with the client to address concerns, which may include:
  - Providing additional information about the sub-processor's security controls
  - Implementing additional contractual safeguards
  - Offering an alternative processing arrangement
- If the objection cannot be resolved within 30 days, either party may terminate the affected services with 60 days' written notice
- No new sub-processor will process data for an objecting client until the objection is resolved
7. Annual Review Process
- Frequency: This registry is reviewed quarterly and updated as needed
- Scope: Review includes verification of DPA status, certification currency, and data handling practices
- Responsible party: Privacy & Security Team
- Audit rights: Institutional clients may request evidence of sub-processor compliance as part of their audit rights under the DPA
8. Version History
| Version | Date | Changes | Author |
|---|---|---|---|
| 1.0 | April 12, 2026 | Initial registry publication | Privacy & Security Team |
For questions about this registry or our sub-processor management practices, contact privacy@proveground.com.
Last updated: April 21, 2026
Changes: we notify registered users at least 30 days before adding a new subprocessor at privacy@proveground.com.
Last updated: February 23, 2026