Subprocessor
A subprocessor is a third party that processes personal data on behalf of a data processor. Security reviews require vendors to disclose all subprocessors.
Definition
A subprocessor is a third-party entity engaged by a data processor to assist in processing personal data on behalf of a data controller. Under regulations like GDPR, data processors must disclose their subprocessors and ensure they maintain equivalent data protection standards.
Context
Subprocessor disclosure is a standard requirement in security questionnaires and vendor risk assessments. Buyers want to know which third parties have access to their data, what data each subprocessor handles, where subprocessors are located geographically, and how subprocessor changes are communicated. Maintaining a public subprocessor list and change notification process demonstrates transparency and is commonly required for enterprise vendor approvals.
Why it matters
A subprocessor is any third-party entity that processes personal data on behalf of a data processor. Under GDPR Article 28, processors must obtain prior authorization from the data controller before engaging subprocessors and maintain a current, publicly accessible list. Common subprocessors include cloud infrastructure providers, email delivery services, analytics platforms, and customer support tools. Each subprocessor in the chain creates additional risk surface that the primary processor remains accountable for managing.
The most frequent compliance gap is failing to keep subprocessor lists current or neglecting to notify customers of changes. GDPR requires either specific prior authorization for each new subprocessor or general authorization with a notification mechanism and objection right. Organizations that add a new analytics or monitoring tool without updating their subprocessor list and notifying customers create a contractual breach. Mature programs integrate subprocessor tracking into procurement workflows so that any new vendor handling personal data triggers a list update and customer notification.
Security questionnaires ask about subprocessors because they represent transitive risk: a vulnerability in any subprocessor can compromise the data controller's information. Buyers want to see a maintained subprocessor list with entity names, processing purposes, and data locations. They also look for evidence that subprocessors undergo security assessments and are bound by data processing agreements with equivalent protections, and that the organization has a notification process for subprocessor changes. Proactively publishing a subprocessor page with an update notification mechanism reduces repetitive questionnaire exchanges.