How was this dataset built?

Each of the 18 providers in the Registora monitoring catalogue (Stripe, AWS, Vercel, Cloudflare, OpenAI, Anthropic, Resend, Twilio, Segment, Mixpanel, Postmark, Mailgun, Intercom, Zendesk, Notion, Sentry, GitHub, Supabase) has its public subprocessor page scraped daily by our orchestrator. For this report we took the most recent successful snapshot of each provider as of the scan window in the dataset header, then ran a pure aggregator (lib/research/chain-aggregate.ts) over the parsed subprocessor names.

Why are some vendor names collapsed and others not?

Provider pages spell common upstream vendors many different ways - "Amazon Web Services, Inc.", "AWS", "Amazon Web Services" - so we maintain a manual alias map for high-confidence canonical buckets. Vendors not in the alias map are kept as their verbatim provider-supplied name. The full verbatim list per canonical entry is preserved in the dataset (the "aliases" array) so the collapsing is auditable.

Does "AWS appears in 17 of 18 lists" mean every SaaS uses AWS?

It means 17 of the 18 providers we monitor disclose AWS as one of their own subprocessors. A given SaaS may run on Google Cloud or Azure as its primary infrastructure and still cite AWS for a secondary service (transactional email, hosted databases, certain ML endpoints). The disclosure is what matters for GDPR Article 28(2) - it is the legally binding answer the provider publishes about who else can touch the data.

Is this every SaaS or just 18 specific ones?

Just 18 - the providers Registora actively scrapes. The selection is deliberately the infrastructure-and-communications backbone that B2B SaaS commonly depends on, not the application layer. The findings about chain convergence (AWS / GCP / Azure / OpenAI / Anthropic appearing across most lists) generalise; the exact counts would shift with a different cohort.

What is a SaaS company supposed to do with this?

Two things. First, recognise that your own subprocessor disclosure obligation extends down the chain - if you use Stripe, you also rely on whoever Stripe relies on, and your customers can ask. Second, the lists do change: each of these 18 providers updated their published list at some point in the last year, and under Art. 28(2) your customers expect prior notice before those changes flow downstream. Registora handles the monitoring + notification piece automatically.

How current is this data?

The scan window is in the dataset header. We re-run the build script periodically to refresh the frozen JSON; the page is statically generated so the numbers you see match the headline numbers in the prose. The per-provider Latest column shows when each individual provider was last successfully scraped.

Research · June 2026

● Live · updated 06 June 2026

Inside the Subprocessor Chain 2026

We monitor the public subprocessor lists of 18 widely-used SaaS providers daily and aggregate what they disclose. Amazon Web Services appears in 17 of 18 lists, Google Cloud Platform in 16. OpenAI appears in 12, Anthropic in 10. The SaaS subprocessor chain has converged on a small set of upstream vendors - and under GDPR Article 28(2), every one of them is part of your disclosure obligation when you build on their providers. This index updates daily.

Key findings

01Amazon Web Services appears in 17 of 18 monitored providers' subprocessor lists; Google Cloud Platform in 16; Microsoft Azure in 9. The three hyperscalers underpin nearly every modern B2B SaaS stack.
02OpenAI appears in 12 provider lists and Anthropic in 10. AI vendors have moved into the recurring sub-processor inventory of mainstream SaaS infrastructure, not just optional add-ons.
03The 18 monitored providers disclose 592 subprocessors between them, resolving to 417 unique vendors after collapsing common-name aliases.
04The median provider declares 26 subprocessors; the longest list is aws at 110 entries, the shortest postmark at 2.
0518 vendors appear in three or more provider lists - the "shared upstream" your customers will see most often in a chain audit, regardless of which SaaS you pick.
06Subprocessors invoked only server-side (AI APIs, payment back-ends, data warehouses) are visible here because each provider publishes them, but invisible to browser-based scans of your own marketing site. The chain is wider than a Network tab shows.

Providers monitored

592

Subprocessors disclosed

417

Unique vendors

Vendors in 3+ lists

§ I

Why this matters

GDPR Article 28(2) requires every processor of personal data to disclose its sub-processors to its customers and provide prior notice before adding or replacing one. The mechanic looks simple: keep a list, update it, send a notification. In practice your list is only as current as your upstreamproviders' lists, because when AWS or Stripe brings on a new sub-processor, that change cascades down the chain to you.

We have been monitoring the published sub-processor pages of 18 widely-used SaaS providers daily since the start of the Registora catalogue. The data below is everything they currently disclose, aggregated. It is observational - we are reporting what these providers themselves publish - and the dataset is frozen so the numbers in this prose match the tables you see.

§ II

The chain has converged on a handful of vendors

The single most striking finding is how concentrated the upstream is. Amazon Web Services appears in 17 of 18 provider lists, Google Cloud Platform in 16, and Microsoft Azure in 9. Three companies underpin nearly every B2B SaaS your customers might use.

The AI vendor story is almost as concentrated and considerably newer. OpenAI appears in 12 provider lists and Anthropic in 10. AI model vendors have moved from optional integrations to a recurring line item on the subprocessor pages of mainstream SaaS infrastructure - often invisibly, because the calls happen server-side and never appear in a browser scan of the SaaS's own marketing site.

§ III

Top vendors by citation count

This is the leaderboard of vendors that appear across the most provider lists, after collapsing common-name aliases. Read it as “if you build on N of these 18providers, you almost certainly rely on the top entries here too”. Citation share is the percentage of monitored providers whose published list cites that vendor.

Vendor

Citation share

Cites

Amazon Web Services

94%

Google Cloud Platform

89%

OpenAI

67%

Twilio

61%

Anthropic

56%

Cloudflare

56%

Microsoft Azure

50%

Snowflake

39%

Datadog

28%

Salesforce

28%

Zendesk

28%

Intercom

22%

Slack

22%

Fivetran

17%

GoodData Corporation

17%

Honeycomb

17%

Plain

17%

Stripe

17%

Adaptive Mobile

11%

Amazon Bedrock

11%

§ IV

Per-provider summary

Each of the 18 monitored providers in the catalogue, with the number of subprocessors currently disclosed in their latest snapshot. The median is 26; the longest list is aws at 110 entries; the shortest is postmark at 2.

18 of 18

Provider

Subs

Top 3 disclosed

Methodology + caveats

-Source:public subprocessor pages published by each provider on their own domain, scraped daily by the Registora orchestrator. The full source URL per provider is on each /providers/<slug> page.
-Cohort: the 18 providers Registora monitors (slack and linear scrapers are deferred and excluded). This is the infrastructure-and-communications backbone of typical B2B SaaS - it is intentionally upstream-heavy.
-Alias collapse:a manual map normalises common variants (“Amazon Web Services, Inc.”, “AWS”, “Amazon Web Services” → all one entry). The verbatim names per canonical vendor are kept in the dataset and can be audited.
-Floor, not ceiling: some providers gate their subprocessor pages behind a Trust Center login or a DPA - if we cannot scrape it, it is not counted. The real chain is at least as wide as what we report; possibly wider.
-No compliance claims: we report what each provider publishes about its own subprocessors. Whether any given downstream SaaS is meeting Art. 28(2) for its own customers is a separate question, depending on its DPA, contract terms, and notification process.

This report presents observed facts about what each monitored provider publishes on its own subprocessor page, aggregated by Registora and refreshed daily. It makes no compliance judgement about any provider or any downstream SaaS. It is general information, not legal advice.

FAQ

Questions about the method

How was this dataset built?: Each of the 18 providers in the Registora monitoring catalogue (Stripe, AWS, Vercel, Cloudflare, OpenAI, Anthropic, Resend, Twilio, Segment, Mixpanel, Postmark, Mailgun, Intercom, Zendesk, Notion, Sentry, GitHub, Supabase) has its public subprocessor page scraped daily by our orchestrator. For this report we took the most recent successful snapshot of each provider as of the scan window in the dataset header, then ran a pure aggregator (lib/research/chain-aggregate.ts) over the parsed subprocessor names.
Why are some vendor names collapsed and others not?: Provider pages spell common upstream vendors many different ways - "Amazon Web Services, Inc.", "AWS", "Amazon Web Services" - so we maintain a manual alias map for high-confidence canonical buckets. Vendors not in the alias map are kept as their verbatim provider-supplied name. The full verbatim list per canonical entry is preserved in the dataset (the "aliases" array) so the collapsing is auditable.
Does "AWS appears in 17 of 18 lists" mean every SaaS uses AWS?: It means 17 of the 18 providers we monitor disclose AWS as one of their own subprocessors. A given SaaS may run on Google Cloud or Azure as its primary infrastructure and still cite AWS for a secondary service (transactional email, hosted databases, certain ML endpoints). The disclosure is what matters for GDPR Article 28(2) - it is the legally binding answer the provider publishes about who else can touch the data.
Is this every SaaS or just 18 specific ones?: Just 18 - the providers Registora actively scrapes. The selection is deliberately the infrastructure-and-communications backbone that B2B SaaS commonly depends on, not the application layer. The findings about chain convergence (AWS / GCP / Azure / OpenAI / Anthropic appearing across most lists) generalise; the exact counts would shift with a different cohort.
What is a SaaS company supposed to do with this?: Two things. First, recognise that your own subprocessor disclosure obligation extends down the chain - if you use Stripe, you also rely on whoever Stripe relies on, and your customers can ask. Second, the lists do change: each of these 18 providers updated their published list at some point in the last year, and under Art. 28(2) your customers expect prior notice before those changes flow downstream. Registora handles the monitoring + notification piece automatically.
How current is this data?: The scan window is in the dataset header. We re-run the build script periodically to refresh the frozen JSON; the page is statically generated so the numbers you see match the headline numbers in the prose. The per-provider Latest column shows when each individual provider was last successfully scraped.

Check your own

See what your site loads - and whether you disclose it.

Registora runs the same scan on your site free, then hosts your subprocessor page, monitors every provider for changes daily, and drafts the customer notice when one updates.

Scan your site →Start your register