
What Is a Subprocessor?

An overview of how compliance frameworks use the term "subprocessor."



A subprocessor is any third-party vendor or service provider that your organization engages to perform certain tasks or services on your behalf, where those tasks involve processing, storing, or transmitting your Customer's Personal Data and/or Customer Data.

Subprocessors typically perform specific functions – such as cloud storage, payment processing, or email delivery – that require access to personal or sensitive information.

While the term "subprocessor" isn't specifically defined in the General Data Protection Regulation (GDPR), it's widely used to describe third parties that process data on behalf of a data processor. This concept also applies to other privacy and security frameworks like CCPA, SOC 2, and ISO 27001, which also require careful monitoring of third-party data handling.

Are All My Vendors Subprocessors?

No, not all of your vendors are considered subprocessors. A vendor is only classified as a subprocessor if they process personal data on behalf of your organization.

Examples:

  • Subprocessor: Amazon Web Services (AWS) – A cloud service provider that stores and processes Customer Data.

  • Not a Subprocessor: Office supply vendors or facility management services – These vendors provide services that do not involve the processing of Customer Data (e.g. Zoom).

Why Do I Need to Know My Subprocessors?

Understanding who your subprocessors are – and what data they process – is critical for several reasons:

Regulatory Compliance:

  • Under GDPR (Article 28), you are required to inform your customers (data subjects) about any subprocessors that handle their personal data. This ensures transparency and proper data protection.

  • Similarly, CCPA (1798.130) and SOC 2 (CC3.1, CC3.2, CC3.3) mandate clear documentation of data flows and how third parties manage sensitive information.

Data Security & Risk Management:

  • Knowing who your subprocessors are helps you evaluate their security measures, reducing the risk of data breaches or compliance issues.

  • It also enables you to perform proactive risk assessments and ensure their practices align with your security policies and standards.

Data Flow Transparency:

  • It's important to know where your data is processed, stored, and transmitted. This understanding helps you assess cross-border data transfers, particularly when data moves to countries with different data protection laws.

Your Organization’s Obligations When Engaging Subprocessors

When engaging with subprocessors, your organization is responsible for ensuring they process personal data in compliance with GDPR, CCPA, SOC 2, ISO 27001, and other relevant frameworks. This includes:

Data Processing Agreements (DPA):

  • A legally binding agreement/contract that outlines the subprocessors’ obligations regarding data handling, breach notifications, and compliance with applicable regulations.

    • Under GDPR Article 28(3) and CCPA 1798.140(v), a DPA is required.

Due Diligence:

  • Evaluating the subprocessor's security practices, certifications (like ISO 27001 or SOC 2), and incident response procedures.

    • Framework requirement(s) examples: ISO 27001 (Clause A.15.1.1) and SOC 2 (CC9.2)

Ongoing Monitoring:

  • Regularly auditing and reviewing subprocessors to confirm they are upholding security controls and data protection measures.

    • Framework requirement(s) examples: ISO 27001 (Clause A.15.2.1) and SOC 2 (CC9.4)

Breach Notification Requirements:

  • Making sure subprocessors have effective processes to quickly report any unauthorized access or data breaches.

    • Framework requirement(s) examples: GDPR (Article 33) and CCPA 1798.150

Examples of Common Subprocessors

Subprocessor – Service Provided

  • Amazon Web Services (AWS), Google Cloud Services – Cloud Service Provider

  • Netsuite – Finance Management

  • SocketLabs – Email delivery solution

  • Stripe – Payment Processing

  • Cloudflare – Content Delivery Network (CDN) & Web Application Firewall (WAF)

  • Okta – Identity Management & Single Sign-On (SSO)

  • Salesforce – Customer Relationship Management (CRM)

How Do I Mark Our Subprocessors within Drata?

When adding a Vendor in your Vendor Directory, within the Internal details section, you can mark the vendor as a subprocessor by checking the "This vendor is our subprocessor" box.

For more information on subprocessors and Trust Center functionality in Drata, view our Help Center Article here.
