Enterprise buyers run security questionnaires before they sign, and the subprocessor section is a common place deals stall. The questions are really checking whether you know your data supply chain, disclose it, bind your vendors contractually, and notify customers when it changes. A current, public subprocessor list answers most of them with a single link.
Key facts
1. Most enterprise security reviews use a standard framework - SIG, the CSA CAIQ, or a SOC 2 report - plus a custom spreadsheet, and each asks about subprocessors.
2. The subprocessor questions test four things: do you know your vendors, do you disclose them, are they contractually bound, and do you notify customers of changes.
3. A current public subprocessor list is the single highest-leverage artifact - it pre-answers the disclosure questions and signals maturity.
4. The fastest deals are won by reducing the reviewer's work: a stable URL, a clear list, signed DPAs on hand, and a defined change-notification process.
5. Stale or missing subprocessor information is a classic deal-staller because it forces the reviewer to chase you instead of checking a box.
§ I
Why the subprocessor section exists
Before an enterprise signs with a vendor, it runs a security review - and somewhere in that review is a set of questions about your subprocessors. They are there because your buyer inherits your supply chain. The moment they entrust you with their data, every third party you use to process it becomes part of their risk surface and, under GDPR Article 28, part of their own accountability chain.
So the subprocessor questions are really one question asked several ways: who else will be able to touch our data, and have you bound them properly? A confident, current answer moves the review along. A vague or stale one makes the reviewer start digging - and a digging reviewer is a stalled deal.
§ II
The frameworks you will see
Security reviews tend to arrive in one of a few standard shapes, often more than one at once:
- SIG - the Standardized Information Gathering questionnaire from Shared Assessments, a broad control questionnaire with a dedicated third-party / supply-chain section.
- CAIQ - the Consensus Assessments Initiative Questionnaire from the Cloud Security Alliance, often submitted via the CSA STAR registry.
- SOC 2 - not a questionnaire but a report your auditor produces; buyers ask to review it, and it documents how you manage vendors and subservice organisations.
- Custom spreadsheets - almost every enterprise also sends its own, which overlaps heavily with the standard frameworks.
They differ in wording, but the subprocessor questions across all of them probe the same four things.
§ III
The four things they are checking
- Do you know your vendors? Can you produce a complete, accurate inventory of the third parties that process customer data - or do you have to go and find out?
- Do you disclose them? Is the list published and accessible, so a customer can see it without filing a request?
- Are they contractually bound? Do you have DPAs in place that flow equivalent data-protection obligations down to each subprocessor?
- Do you notify customers of changes? Is there a defined process - with timing and a right to object - for when you add or replace a subprocessor?
Answer all four with evidence rather than intention, and the subprocessor section stops being a blocker. The phrasing that wins is concrete: name the artifact, the mechanism, and the timing.
§ IV
Turn the section into a single link
The highest-leverage thing you can prepare is a current, public subprocessor list at a stable URL. It pre-answers the disclosure questions, gives the reviewer something concrete to cite, and - because it carries a date and is visibly maintained - signals that your compliance is a live process, not a document someone wrote once. Keep your signed vendor DPAs to hand for the contractual question, and have a one-paragraph description of your change-notification process ready for the notification question.
The whole game in a security review is reducing the reviewer's work. Every answer you can replace with “it is published here, current as of this date” is a round-trip you have removed from the deal.
FAQ
Frequently asked questions
Why do security questionnaires ask about subprocessors at all?
Because your buyer inherits your supply chain. When an enterprise entrusts you with its data, every subprocessor you use becomes part of its risk surface and, under GDPR, part of its own Article 28 accountability chain. The reviewer is checking that you have not quietly extended their data exposure to vendors they have never assessed. The subprocessor section is, in effect, the buyer asking "who else will be able to touch our data, and have you bound them properly?"
Which frameworks will I actually see?
The common ones are the SIG (Standardized Information Gathering) questionnaire from Shared Assessments, the CAIQ (Consensus Assessments Initiative Questionnaire) from the Cloud Security Alliance, and a SOC 2 report from your auditor that buyers ask to review. On top of those, most enterprises also send a custom spreadsheet of their own. They overlap heavily, and all of them include questions about how you select, disclose, contract with, and monitor third parties that process customer data.
What is the single best thing I can prepare in advance?
A current, public subprocessor list at a stable URL. It pre-answers the disclosure questions before they are asked, it gives the reviewer something concrete to cite, and - because it is dated and maintained - it signals that your compliance is a live process rather than a one-time document. Pair it with your signed vendor DPAs and a written description of how you notify customers of changes, and you have covered the bulk of the subprocessor section before the questionnaire arrives.
How do I answer "how do you notify customers when subprocessors change"?
Describe a concrete mechanism, not an intention. A strong answer names the channel (a maintained public list plus direct notice to affected customers), the timing (the notice period in your DPA, before the change takes effect), and the customer's right to object during that window. "We email customers when needed" reads as ad hoc; "we maintain a public register, and notify affected customers with the contractual notice period before any addition or replacement takes effect, with a window to object" reads as a process. See our guide on notifying customers of a subprocessor change.
Why does a stale subprocessor list lose deals?
Because it converts a checkbox into an investigation. When a reviewer finds a list dated eighteen months ago, or one that omits a provider they know you use, they stop trusting the rest of your answers and start chasing. That back-and-forth is where deals stall and timelines slip. A list that is visibly current - and demonstrably monitored - removes the doubt and keeps the review moving.
This guide is general information only and does not constitute legal advice. For advice on your specific situation, consult a qualified legal professional.
Your turn
Keep your subprocessor register current - automatically.
Registora hosts your register on your own domain, monitors every upstream provider for changes daily, and drafts the customer notification when one updates.