Research
Original data on the subprocessor chain
We scan real B2B SaaS sites to see which third parties they load and whether they disclose them. Reproducible, fact-only, no compliance verdicts. Re-run any scan yourself at /check.
- Research · May 2026Updated 28 May 2026
Inside the Subprocessor Chain 2026
We monitor the public subprocessor lists of 18 widely-used SaaS providers daily and aggregate what they disclose. The headline: AWS appears in 17 of 18 lists, Google Cloud in 16, OpenAI in 12, Anthropic in 10. The SaaS subprocessor chain has converged on a handful of vendors - and under GDPR Article 28(2), every one of them is part of your disclosure obligation when you build on their providers.
Read the report → - Research · 2026 Q2Updated 26 May 2026
The Subprocessor Transparency Report 2026
We loaded the public websites of 100 widely-used B2B SaaS companies in a real browser and tried to find where each one discloses its subprocessors. The encouraging part: 89 of 100 publish a public subprocessor page. The catch: there is no standard - the pages are scattered across trust subdomains, PDFs and deep legal paths, 11 companies gate or bury the list entirely, and the typical site quietly loads around eight third parties before you even reach the disclosure. Here is the data, the method, and how to check your own site.
Read the report →