
Updated 24 May 2026

What is a subprocessor?

A subprocessor is a third party that a processor engages to help process personal data on a controller's behalf - for example Stripe for payments or AWS for hosting. Under GDPR Article 28, they must be disclosed and contractually bound to the same data-protection obligations.

Key facts

  • A subprocessor processes personal data on behalf of a processor, who itself acts under instructions from a controller.
  • GDPR Article 28(2) requires processors to obtain the controller's authorisation before engaging a subprocessor - either specific or general written authorisation.
  • With general authorisation, the processor must maintain a current subprocessor list and give the controller prior notice of any additions or replacements so the controller can object.
  • Subprocessors must be bound by the same data-protection obligations as the processor, via a written contract (GDPR Art. 28(4)).
  • If a subprocessor fails to meet its obligations, the original processor remains fully liable to the controller.

§ I

The definition in context

Under GDPR, every organisation that handles personal data fills one of two roles: a controller (who decides why data is processed) or a processor (who acts on the controller's instructions). The processor signs a Data Processing Agreement (DPA) promising to handle the data only as instructed and to apply the required safeguards.

A subprocessor enters the picture whenever the processor delegates part of that work to another company. It is a third party engaged by the processor to process personal data on behalf of the controller. The subprocessor has no direct relationship with the controller - it acts under the processor's instructions, which themselves reflect the controller's instructions.

A concrete SaaS example: a B2B software company (the processor) uses AWS to host its servers, Stripe to handle payments, and Resend to send transactional email. Each of those vendors is a subprocessor because they touch - or could touch - personal data of the software company's customers (the controllers) in the course of delivering the service.

§ II

Why subprocessors matter under GDPR

GDPR Article 28 sets out the rules for the processor-subprocessor relationship. The key obligations are:

  • Authorisation (Art. 28(2)): A processor must not engage a subprocessor without the controller's prior authorisation - either specific (the controller approves each vendor individually) or general (the controller approves a category, and the processor maintains a list and gives prior notice of additions so the controller can object before the change takes effect). Most commercial SaaS use general written authorisation.
  • Same obligations (Art. 28(4)): The subprocessor must be bound by a written contract imposing the same data-protection obligations as the processor's DPA with the controller. Standard contractual clauses (SCCs) or equivalent binding measures are typically used when a subprocessor is outside the EEA.
  • Processor liability (Art. 28(4)): If a subprocessor fails to meet its obligations, the original processor remains fully liable to the controller. You cannot outsource your compliance responsibility.

The practical implication for a SaaS company: you must be able to tell every customer exactly which third parties process their data on your behalf, notify them before you add or change any of those third parties, and ensure every one of those vendors is under a suitable DPA.

§ III

Common examples for a SaaS company

Most SaaS products rely on a stack of infrastructure and service providers that all qualify as subprocessors:

  • Cloud infrastructure: AWS, Google Cloud Platform, Azure - wherever your application and databases run.
  • Payments: Stripe, Paddle, Braintree - these providers handle customer billing data, including names and email addresses.
  • Transactional email: Resend, SendGrid, Postmark - recipient addresses (personal data) pass through these services.
  • Analytics: Segment, Mixpanel, Amplitude, PostHog - depending on what you track, these may process user identifiers or behaviour data.
  • Customer support: Zendesk, Intercom, Crisp - support tickets often contain personal data submitted by end users.
  • AI / LLM APIs: OpenAI, Anthropic - if you send user-generated content or personal data in prompts, these are subprocessors. Review each provider's data processing terms before use.

§ IV

What you must do as a SaaS company

The minimum viable compliance posture for subprocessor management:

  • Publish a current list. Maintain an up-to-date subprocessor register accessible to customers and prospects. See the major providers Registora monitors.
  • Give notice of changes. Before adding or replacing a subprocessor, notify customers and give them a meaningful opportunity to object (typically 10-30 days, as specified in your DPA). A change to your subprocessor list with no notice is a GDPR violation.
  • Keep DPAs in place. Ensure every subprocessor has signed a DPA covering the required Art. 28 obligations, including appropriate transfer mechanisms if they operate outside the EEA.
  • Monitor upstream changes. Subprocessors update their own lists when they bring on new vendors. You are responsible for staying on top of these changes and cascading relevant notifications to your own customers. Audit your site to check whether your public register is current.

FAQ

Frequently asked questions

Is a subprocessor the same as a processor?

No. A processor processes personal data on behalf of a controller under a data processing agreement. A subprocessor is a third party that the processor itself engages to help carry out that processing - adding one more link in the chain. The controller instructs the processor; the processor instructs the subprocessor.

Does GDPR require listing subprocessors publicly?

GDPR Article 28 requires processors to inform their controllers of any intended subprocessors and give controllers the opportunity to object. Public disclosure is not strictly mandated by the regulation, but it is a widely adopted practice that satisfies the notification obligation in advance for general written authorisation arrangements.

What happens if I add a subprocessor without telling customers?

Adding a subprocessor without providing prior notice violates GDPR Article 28(2). The controller has not had the chance to object. If the subprocessor then suffers a breach or non-compliance event, the processor bears full liability - and the controller may terminate the data processing agreement.

How is a subprocessor different from a third-party data controller?

A subprocessor only processes data on the processor's instructions - it has no independent purpose for the data. A third-party controller determines its own purposes and means of processing. For example, an analytics provider you share user data with independently (outside of your instructions) is likely a controller, not a subprocessor.

How often should a subprocessor list be updated?

There is no fixed interval set by GDPR. The obligation is to give notice before adding or replacing a subprocessor and to keep the list current. In practice, a continuous monitoring approach - checking providers' published lists regularly and updating your register promptly - is the safest.

This guide is general information only and does not constitute legal advice. For advice on your specific situation, consult a qualified legal professional.

Your turn

Keep your subprocessor register current - automatically.

Registora hosts your register on your own domain, monitors every upstream provider for changes daily, and drafts the customer notification when one updates.