Upstream subprocessor lists change more often than most teams expect - large providers revise theirs several times a year, and they almost never announce it. That cadence is exactly why a subprocessor page goes stale silently, and why automated monitoring beats a calendar reminder. Here is what the real frequency looks like and what it means for keeping your own register current.
Key facts
01Major providers revise their subprocessor lists periodically through the year - additions, removals, new regions, and renamed entities - not on a fixed schedule.
02Providers rarely push an announcement when their list changes; the change just appears on their page, so downstream companies find out late or never.
03Your staleness risk compounds with every provider you disclose: depend on a dozen, and a quiet change at any one of them dates your page.
04A calendar reminder to "check the lists quarterly" reliably decays - it works for a quarter or two, then slips.
05Daily automated monitoring catches changes when they happen, which is the only way the prior-notice obligation stays satisfiable in practice.
§ I
The real cadence
Teams tend to assume subprocessor lists are static - something you write once and revisit if you remember. In practice the upstream lists you depend on are in steady motion. Providers add vendors, drop them, open new processing regions, and rename or restructure the legal entities behind their services. None of this happens on a tidy schedule; it happens whenever the provider's own operations change.
There is no single number that captures it, because it varies by provider and by year. Some lists change once or twice; others move several times. What is consistent is that, across a realistic stack of a dozen providers, something changes often enough that an annual check is not safe. Registora's public changelog records these changes as they are detected, and the providers index shows when each was last verified.
§ II
Why you do not hear about it
The reason staleness is so common is structural: providers rarely tell you when their list changes. A provider's notice obligation runs to its own customers through its own contract, and for many of them updating the published page is the notice. There is usually no email, no webhook, no feed. The new entry just appears.
That means the burden of detection sits entirely with you, the downstream company. Unless someone is actively watching each upstream page, the first signal that your list is wrong is often external - a customer's security team or an auditor noticing a provider you use but have not disclosed, or a disclosure that no longer matches reality.
§ III
The problem compounds
Staleness scales with your vendor count. Your subprocessor page is accurate only while every upstream list it depends on is unchanged since you last checked. With one provider that is easy. With a dozen - which is ordinary for a modern SaaS product - the window in which your page is genuinely current keeps shrinking, because any single change at any single provider dates the whole page.
And the cost of being wrong is not cosmetic. Under general written authorisation you owe your customers prior notice of changes; a change you never noticed is a change you never notified, which is the obligation missed rather than merely delayed.
§ IV
Monitoring beats a reminder
The common fix - a recurring calendar reminder to “review the subprocessor lists quarterly” - fails in two ways. First, even when followed perfectly, a quarterly check leaves a change undetected for weeks on average, during which your page is wrong and your notice is overdue. Second, and more reliably, the reminder decays: the first review is thorough, the next is a skim, and the third quietly does not happen.
Automated daily monitoring removes the human-discipline dependency. It watches each upstream list, detects a real change to the set of vendors (not cosmetic page churn), records it, and lets you act on it - including notifying the customers who are owed notice. That last step is the one a reminder can never do for you.
FAQ
Frequently asked questions
How often do major providers actually change their lists?
There is no fixed cadence - it varies by provider and by year. Some revise their subprocessor list only once or twice a year; others change several times as they add regional infrastructure, switch downstream vendors, or restructure entities. Across a basket of common providers, changes land often enough that "we will check once a year" is not safe. Registora’s public changelog tracks these changes as they happen across the providers it monitors, which is the closest thing to a real frequency picture.
Why don’t I just get notified by the provider?
Because most do not notify you. A provider’s obligation under general written authorisation runs to its own customers through its own contract; updating the published list is often the entirety of the "notice." There is rarely an email, a webhook, or an RSS feed. The change simply appears on the page. Unless you are actively watching that page, the first you hear of it may be when a customer or auditor points out that your list is wrong.
How does staleness compound across providers?
Linearly with your vendor count, and unpredictably in timing. If you disclose a dozen subprocessors, your page is current only while all twelve upstream lists are unchanged since you last checked. Any one of them changing dates your page. The more providers you rely on - and modern SaaS stacks are deep - the shorter the window in which your list is actually accurate, and the more often a manual review would need to run to keep up.
Isn’t a quarterly reminder good enough?
It is better than nothing and worse than it sounds. A quarterly check means that, on average, a change sits undetected for six weeks - and during that window your page misrepresents who handles the data and you have not given customers the prior notice they are owed. Worse, calendar reminders decay: the first quarter someone does the review thoroughly, the next they skim it, and by the third it is "we’ll get to it." Monitoring removes the human-discipline dependency.
What should I monitor, exactly?
The published subprocessor list of every upstream provider you disclose, watching for additions, removals, and material changes such as a new processing location or a renamed legal entity. The signal you care about is a change to the parsed list of vendors, not cosmetic page edits. Registora does this daily for the providers it tracks, records each detected change, and surfaces it so you can notify customers - which is the part a reminder cannot do for you.
This guide is general information only and does not constitute legal advice. For advice on your specific situation, consult a qualified legal professional.
Your turn
Keep your subprocessor register current - automatically.
Registora hosts your register on your own domain, monitors every upstream provider for changes daily, and drafts the customer notification when one updates.