What are subprocessors?
In data protection and privacy law, a subprocessor is any third-party vendor that a SaaS company (the data processor) engages to help deliver its service and process personal data on behalf of its customers (the data controllers).
Common examples in the email space include cloud hosting providers, payment processors, analytics tools, and email delivery infrastructure.
Legal Requirements
Major privacy regulations such as GDPR (Article 28), CCPA/CPRA, UK GDPR, and similar laws require companies to:
- Maintain an up-to-date public list of their subprocessors
- Obtain customer authorization (general or specific) before adding new subprocessors
- Notify customers in advance of any changes, giving them time to object
- Ensure each subprocessor signs a contract with equivalent data protection obligations
Why Subprocessor Disclosure Matters
Subprocessors have access to personal data such as email addresses, names, message content, and sometimes billing information. Transparent disclosure allows customers — especially those in regulated industries — to:
- Perform their own vendor risk assessments
- Ensure compliance with their internal policies
- Sign appropriate Data Processing Agreements (DPAs)
Clear subprocessor lists are an important signal of a company’s commitment to data privacy and security.