I’ve gotten pushback from customers on this point a few times, so I wrote up my reasoning and wanted to see how others think about it.
My argument is that giving this information to customers who need it is different from publishing it openly to the whole internet. I think many companies treat public subprocessor lists as a default best practice without thinking enough about the security tradeoff.
Would be useful to hear from people who have handled enterprise security reviews, privacy reviews, or trust-center decisions.
My argument is that giving this information to customers who need it is different from publishing it openly to the whole internet. I think many companies treat public subprocessor lists as a default best practice without thinking enough about the security tradeoff.
Would be useful to hear from people who have handled enterprise security reviews, privacy reviews, or trust-center decisions.