What is a subprocessor?
A subprocessor is any third-party vendor that your organization engages to perform certain tasks or services on your behalf, where those tasks or services involve processing, storing or transmitting your Customer’s Personal Data and/or Customer Data.
While not explicitly defined by the GDPR, subprocessor is a term that has become industry standard to help companies comply with the GDPR.
Are all of my vendors subprocessors?
No, not all of your vendors are considered subprocessors. Vendors may provide goods or services that do not involve processing of your Customer’s Personal Data and/or Customer Data.
Why do I need to know my subprocessors?
Identifying who your subprocessors are will help you comply with GDPR, better understand who is processing your customers' personal data, and be transparent with your customers about it. This is particularly important under GDPR to allow data controllers to be informed of where their data is going and being processed.
In terms of SOC 2 and any other framework, knowing your subprocessors is important as it will enable you to properly manage and assess the risks associated with the processing of personal data by your third-party service providers and implement appropriate controls to mitigate risks associated with it.
What is your company’s obligation when engaging with subprocessors?
When engaging with subprocessors, the company is obligated to ensure that the subprocessor processes personal data in a manner that complies with applicable data protection laws and regulations.
These obligations include entering into a data processing agreement, conducting due diligence, monitoring the subprocessor’s compliance (SOC 2, ISO 27001, PCI, etc.), and ensuring that there is a reasonable breach notification process in place.
What are some examples of subprocessors?
Subprocessor | Service Provided |
Amazon Web Services, Google Cloud Services | Cloud Service Provider |
Netsuite | Finance Management |
SocketLabs | Email delivery solution |
Stripe | Payment Processing |
Cloudflare | Content Delivery Network & WAF |
Subprocessors in Drata
For subprocessor functionality in Trust Center in Drata, view our Help Center Article here.