Registora

Research · 2026 Q2

Updated 26 May 2026

The Subprocessor Transparency Report 2026

We loaded the public websites of 100 widely-used B2B SaaS companies in a real browser and tried to find where each one discloses its subprocessors. The encouraging part: 89 of 100 publish a public subprocessor page. The catch: there is no standard - the pages are scattered across trust subdomains, PDFs and deep legal paths, 11 companies gate or bury the list entirely, and the typical site quietly loads around eight third parties before you even reach the disclosure. Here is the data, the method, and how to check your own site.

89%

publish a public subprocessor page (89 of 100)

7.5

third parties on the median site (mean 11.5, max 44)

11

gate the list behind an NDA or bury it in a DPA (of 100 scanned)

Key findings

  • 0189 of the 100 companies publish a public subprocessor page - disclosure is the norm among established B2B SaaS, not the exception.
  • 02There is no standard for where the page lives: trust subdomains, PDFs, docs sites, a dozen different URL conventions. An automated check of the obvious paths found only about half on the first pass; the rest we had to verify by hand.
  • 0311 of the 100 have no freely-public list - 5 gate it behind an NDA or "request access", and 6 provide it only inside a DPA or on request.
  • 04The median site loads 7-8 third parties in the browser (mean 11.5, max 44) - and that is a floor, since subprocessors invoked server-side (AI APIs, payment back-ends) never appear in a browser scan.
  • 05The most common third parties are advertising and analytics networks - Google Tag Manager (65 sites), Google/DoubleClick Ads (51), LinkedIn Ads (43) and Meta (35).
  • 06We report observed facts only - the third parties each site loaded and whether a public page exists, in May 2026 - and make no compliance judgement about any company.
§ I

How many third parties does a typical SaaS site load?

Across the 100 companies, the median site loaded 7.5 third-party services and the mean was 11.5 - skewed upward by the heaviest, which loaded 44. A third of the sites are lean, but 34 of 100 load 15 or more.

  • 0-434 (34%)
  • 5-920 (20%)
  • 10-1412 (12%)
  • 15-1915 (15%)
  • 20+19 (19%)
Third parties loaded per site, n=100 (homepage + a couple of pages, post-cookie-consent).
§ II

How many disclose those third parties?

It is the norm: 89 of 100 publish a public subprocessor page. Only 11do not, and even most of those have a list, just gated behind an NDA or request-access, or provided only inside a DPA. The harder problem is consistency: the pages live on trust subdomains, in PDFs, on docs sites and at a dozen different URL conventions, with no standard. Our automated check of the obvious paths found only about half on the first pass; we verified the rest by hand. If a purpose-built scan struggles to find a disclosure, a customer security review will too. We counted only a dedicated, public list; subprocessors named only inside a long privacy policy were not counted.

§ III

Who are the third parties?

Mostly advertising, analytics and tag-management networks - the vendors that receive visitor data. The most common across the cohort:

  • -Google Tag Manager - on 65 of 100 sites (65%)
  • -Other Google APIs/SDKs - on 54 of 100 sites (54%)
  • -Google/Doubleclick Ads - on 51 of 100 sites (51%)
  • -Cloudflare - on 47 of 100 sites (47%)
  • -LinkedIn Ads - on 43 of 100 sites (43%)
  • -Facebook - on 35 of 100 sites (35%)
  • -Optanon - on 35 of 100 sites (35%)
  • -Bing Ads - on 34 of 100 sites (34%)
  • -Google Analytics - on 31 of 100 sites (31%)
  • -reddit - on 31 of 100 sites (31%)
  • -Marketo - on 28 of 100 sites (28%)
  • -Google Fonts - on 26 of 100 sites (26%)
  • -Sentry - on 24 of 100 sites (24%)
  • -G2 - on 22 of 100 sites (22%)
  • -JSDelivr CDN - on 19 of 100 sites (19%)
§ IV

Method, and what it cannot see

100 well-known B2B SaaS products. We loaded each company’s public site in a real headless browser, accepted the cookie banner, visited up to two additional pages, and recorded every third-party host the pages connected to, mapping hosts to named vendors. In parallel we probed common locations for a subprocessor or DPA page, then verified every page result by hand. Scans ran 26 May 2026 to 26 May 2026.

One limit matters: a browser scan only sees what loads in the visitor’s browser. Subprocessors a company calls from its own servers - AI model providers, payment back-ends, data warehouses, transactional email - never appear. GitHub, Slack and Linear, for instance, each loaded zero third parties in this scan, yet GitHub alone publicly lists dozens of subprocessors on its own page. So every count here is a floor. The real subprocessor list for most of these companies is longer than what their website visibly loads, which is precisely why a maintained, public list matters.

The third-party counts are reproducible: paste any company below into the free scanner at registora.com/check and you will see the same scan we recorded.

Evidence

Every company we scanned

100 companies

CompanyThird partiesPublic subprocessor pageRe-run
Algolia
algolia.com
44found ↗re-run
Miro
miro.com
42found ↗re-run
Greenhouse
greenhouse.io
40found ↗re-run
Snowflake
snowflake.com
38found ↗re-run
Fivetran
fivetran.com
38found ↗re-run
Mailchimp
mailchimp.com
34found ↗re-run
Retool
retool.com
30found ↗re-run
Zoom
zoom.us
28found ↗re-run
Asana
asana.com
27found ↗re-run
Remote
remote.com
27none foundre-run
Deel
deel.com
26found ↗re-run
Okta
okta.com
25found ↗re-run
monday.com
monday.com
24found ↗re-run
Datadog
datadoghq.com
24found ↗re-run
Outreach
outreach.io
23found ↗re-run
ClickUp
clickup.com
23found ↗re-run
Bill
bill.com
22none foundre-run
Braze
braze.com
20found ↗re-run
Navan
navan.com
20found ↗re-run
Zendesk
zendesk.com
18found ↗re-run
MongoDB
mongodb.com
18found ↗re-run
LaunchDarkly
launchdarkly.com
18found ↗re-run
Close
close.com
17none foundre-run
Kit
kit.com
17found ↗re-run
Hotjar
hotjar.com
17found ↗re-run
Databricks
databricks.com
17found ↗re-run
Airtable
airtable.com
17found ↗re-run
Salesforce
salesforce.com
16found ↗re-run
Mixpanel
mixpanel.com
16found ↗re-run
dbt Labs
getdbt.com
16none foundre-run
Heap
heap.io
15found ↗re-run
Lattice
lattice.com
15found ↗re-run
Lever
lever.co
15found ↗re-run
Chargebee
chargebee.com
15found ↗re-run
Customer.io
customer.io
14found ↗re-run
Twilio
twilio.com
14found ↗re-run
Recurly
recurly.com
14found ↗re-run
Brevo
brevo.com
13none foundre-run
Segment
segment.com
13found ↗re-run
FullStory
fullstory.com
12found ↗re-run
CircleCI
circleci.com
12found ↗re-run
New Relic
newrelic.com
12found ↗re-run
Klaviyo
klaviyo.com
11found ↗re-run
Gusto
gusto.com
11none foundre-run
ZoomInfo
zoominfo.com
10found ↗re-run
Front
front.com
10found ↗re-run
Smartsheet
smartsheet.com
9found ↗re-run
GitLab
gitlab.com
9found ↗re-run
HubSpot
hubspot.com
8found ↗re-run
Netlify
netlify.com
8found ↗re-run
Iterable
iterable.com
7found ↗re-run
Metabase
metabase.com
7found ↗re-run
Expensify
expensify.com
7found ↗re-run
Pleo
pleo.io
7found ↗re-run
Amplitude
amplitude.com
6found ↗re-run
Calendly
calendly.com
6found ↗re-run
Render
render.com
6found ↗re-run
Rippling
rippling.com
6none foundre-run
Secureframe
secureframe.com
6found ↗re-run
Salesloft
salesloft.com
5found ↗re-run
Apollo.io
apollo.io
5found ↗re-run
Help Scout
helpscout.com
5found ↗re-run
Trello
trello.com
5found ↗re-run
Railway
railway.app
5found ↗re-run
Supabase
supabase.com
5found ↗re-run
Snyk
snyk.io
5found ↗re-run
Pipedrive
pipedrive.com
4found ↗re-run
Drift
drift.com
4none foundre-run
Intercom
intercom.com
4found ↗re-run
Loom
loom.com
4found ↗re-run
Sentry
sentry.io
4found ↗re-run
Workable
workable.com
4found ↗re-run
Notion
notion.so
3found ↗re-run
Coda
coda.io
3found ↗re-run
Grammarly
grammarly.com
3found ↗re-run
PlanetScale
planetscale.com
3found ↗re-run
Postman
postman.com
3found ↗re-run
BambooHR
bamboohr.com
3found ↗re-run
HiBob
hibob.com
3found ↗re-run
1Password
1password.com
3found ↗re-run
Gong
gong.io
2found ↗re-run
Figma
figma.com
2found ↗re-run
Auth0
auth0.com
2found ↗re-run
Ramp
ramp.com
2none foundre-run
Mercury
mercury.com
2none foundre-run
Drata
drata.com
2found ↗re-run
ActiveCampaign
activecampaign.com
1found ↗re-run
PostHog
posthog.com
1found ↗re-run
Freshworks
freshworks.com
1found ↗re-run
Gorgias
gorgias.com
1found ↗re-run
Basecamp
basecamp.com
1found ↗re-run
Mural
mural.co
1found ↗re-run
Vercel
vercel.com
1found ↗re-run
Cloudflare
cloudflare.com
1found ↗re-run
Personio
personio.com
1none foundre-run
Brex
brex.com
1found ↗re-run
Vanta
vanta.com
1found ↗re-run
Linear
linear.app
0found ↗re-run
Slack
slack.com
0found ↗re-run
GitHub
github.com
0found ↗re-run
FAQ

Questions about the method

How did you measure this?
We loaded each company’s public marketing site in a real headless browser, accepted the cookie banner, visited a couple of additional pages, and recorded every third-party host the pages connected to, then mapped those hosts to named vendors. For the disclosure page we checked common locations automatically and then verified every result by hand - the pages turned out to be so scattered (trust subdomains, PDFs, deep legal paths) that an automated check of the obvious paths missed roughly four in ten. The per-company results are below, and you can re-run the third-party scan yourself at /check.
Does "no public subprocessor page" mean a company is breaking the law?
No. We report only what we observed: the third parties a site loads and whether we could find a public subprocessor page. Whether a given company is legally required to publish one, and what their customer contracts say, is a legal question we do not assess. Many companies disclose subprocessors privately or inside a longer privacy policy.
Why is the third-party count a "floor"?
A browser scan only sees what the website loads in the visitor’s browser - analytics, ads, fonts, chat widgets, error trackers. Subprocessors a company calls from its own servers (AI model providers, payment processors, data warehouses, email senders) never appear in a browser scan. So the real subprocessor list for most companies is longer than the number we measured.
How were the 100 companies chosen?
They are widely-used, recognizable B2B SaaS products spanning the major software categories (CRM, marketing, analytics, support, product, developer tools, HR, finance, security). We did not select on whether a company has a subprocessor page - the set deliberately includes companies that disclose well alongside those that do not. It is a census of a named cohort, not a list of offenders.
Can I check my own site?
Yes - paste your URL into the free scanner at registora.com/check. It lists the third parties your site loads and whether you have a public subprocessor page, the same way every company in this report was measured.

This report presents observed facts (the third parties each site loaded and whether a public subprocessor page was found, in May 2026) and makes no legal or compliance judgement about any company. It is general information, not legal advice.

Check your own

See what your site loads - and whether you disclose it.

Registora runs the same scan on your site free, then hosts your subprocessor page, monitors every provider for changes daily, and drafts the customer notice when one updates.

Scan your site →Start your register