Subprocessors
List the third-party services that process customer data on your behalf. This transparency helps customers understand your supply chain and meets regulatory requirements like GDPR.
What Counts as a Subprocessor
A subprocessor is any third-party that processes personal data for you:
- Cloud infrastructure (AWS, GCP, Azure)
- Payment processors (Stripe, PayPal)
- Email services (SendGrid, Mailchimp)
- Customer support platforms (Zendesk, Intercom)
- Analytics services
- Authentication providers
Why Disclose Them
- Regulatory compliance: GDPR and other regulations require disclosure
- Customer trust: Transparency about your supply chain builds confidence
- Customer compliance: Helps customers with their own vendor assessments
Adding Subprocessors
You can add subprocessors from your existing vendor list or create new ones. For each subprocessor, include:
- Name and description of what they do
- Countries where data is processed
- Category to help visitors understand their role
Categories
Categorize subprocessors so visitors can quickly understand what each vendor does:
- Infrastructure: Cloud providers, hosting services
- Analytics: Analytics and monitoring tools
- Communications: Email, messaging, notification services
- Payments: Payment processing services
- Security: Security tools and services
- Support: Customer support platforms
- Storage: Data storage and backup services
Keeping the List Current
Update your subprocessor list when you add or remove vendors that process customer data. Consider building this into your vendor onboarding process.
You can export the list to CSV for external use.
Best Practices
- Include all vendors that process customer data, even indirectly
- Provide clear descriptions of what each vendor does
- Accurately list the countries where data is processed
- Review the list periodically for accuracy