CMD+RVL sub-processors
This page lists the third-party providers CMD+RVL may use to operate the website and deliver scoped services. It is written for security, privacy, and procurement review.
Provider use depends on the specific website function, deployment pattern, and customer workflow. For a security package or engagement-specific review, contact drew@cmdrvl.com or use the contact page.
The public website is currently first-party only for runtime scripts and does not load Google Analytics or Google Tag Manager.
Current sub-processors
- Cloud service providers
Amazon Web Services (AWS), Microsoft Azure
RoleCloud infrastructure, storage, and deployment services.
Data categoryApplication data, operational metadata, and service logs when required for a scoped deployment.
- Identity management providers
Auth0 by Okta
RoleAuthentication, authorization, and identity management.
Data categoryAccount identifiers, authentication events, and access-control metadata.
Review notes
- Sub-processor relevance is scoped during security review.
- Customer deployment patterns can change which providers apply.
- Website analytics are separate from scoped customer outcome work.
- Questions and DDQ requests should include the workflow being reviewed.
Sub-processor questions
What is a sub-processor?
A sub-processor is a third-party provider that may process data on behalf of CMD+RVL while helping operate the website or a scoped service.
Which CMD+RVL sub-processors are currently listed?
CMD+RVL currently lists Amazon Web Services, Microsoft Azure, and Auth0 by Okta as sub-processors for cloud hosting and identity management. The public website does not currently load a third-party analytics provider.
Does every engagement use every listed provider?
No. Provider use depends on the website function, deployment pattern, and scoped customer workflow. Security review can confirm which providers apply to a specific engagement.
Who should I contact with sub-processor questions?
Sub-processor questions can be sent to drew@cmdrvl.com. Security package requests can also be routed through the contact page.
Need provider details for a diligence package or procurement review? Send the workflow, deployment pattern, and review deadline.
Contact security