subprocessor.io

Take control of your subprocessor changes

Adding a subprocessor shouldn't become a cross-functional emergency. Track DPA variations, automatically scope notifications per-customer, and keep audit-ready evidence of every change.

The problem

Subprocessor obligations outgrow a spreadsheet fast

If you process personal data for enterprise customers, GDPR Article 28 means more than keeping a list. You have to notify the right controllers before changes take effect, honour each contract's notice period, manage objections, and prove it all happened.

It takes a village

A single change has to land in two places at once — the customer notification and the public list — and the teams that own them (sales, marketing, legal) often sit in different timezones. Getting the timing right is the hard part.

Variations go untracked

Different customers object to different subprocessors and agree to different terms. Spreadsheets become a mess.

There's no evidence

When a customer claims they weren't notified, the answer is not within arm's reach. Let's hope the regulator doesn't audit.

Automated notifications

Notify the right controllers, automatically

When your list changes, the correct customers are notified through the notice period in their contract, at their current contacts — and every send is recorded.

  • Routes to each customer's current notification contacts
  • Respects the objection window in every contract
  • Records every send as timestamped evidence

Audit trail

Prove what you did, and when

Replace the shared inbox where evidence used to disappear. Every change and notification is captured with a timestamp and exportable on demand.

  • Complete, dated history of every change
  • Audit-ready exports for customers and auditors
  • Nothing lost, everything searchable

Variation tracking

Know exactly who agreed to what

Enterprise contracts rarely agree to the same subprocessor list terms. Track per-customer scope, notice periods, and objection periods, so notifications and subprocessor lists always reflect the real agreement.

  • Per-customer scope on the subprocessor list
  • Custom notice periods per DPA
  • Customer-specific restrictions and carve-outs

How it works

From spreadsheet to audit-ready in an afternoon

Set it up once. Every future change takes care of itself.

01

Import your subprocessor list

Add subprocessors and customers in minutes, or bulk-import from a spreadsheet. Logos and details are filled in for you.

02

Map variations & contacts

Set per-customer scope, notice periods, and notification contacts so every change reaches exactly the right people.

03

Change the list — we handle the rest

Add, edit, or remove a subprocessor and your notifications and subprocessor list update automatically.

Subprocessor list

Give every customer a unique subprocessor page that's never out of date

Your customers ask for your subprocessor list during procurement and watch it after. Publish a subprocessor list that updates itself — and let customers subscribe to be notified before anything changes.

  • Live and accurate the moment your changes are published
  • Scoped to each customer's contracted subprocessors
  • No more custom subprocessor lists stored deep in terms and DPAs

subprocessors.stripe.com

Stripe

Subprocessors · Updated today

  • Amazon Web Services
  • Google Cloud
  • Twilio
  • Datadog

Subscribe to be notified before this list changes.

Security & compliance

Built for the obligations you're accountable for

GDPR Article 28

Built around the processor obligations that actually apply to B2B SaaS.

Audit-ready records

Timestamped evidence of every change and notification sent.

Secure by design

Least-privilege access and encrypted data, isolated per tenant.

Data residency aware

Track processing regions and transfers across your subprocessor list.

FAQ

Frequently asked questions

What is a subprocessor?

A subprocessor is a third party a processor engages to help process personal data on behalf of a controller — for example, a cloud host, email provider, or analytics vendor. Under GDPR Article 28, controllers must be informed of subprocessors and given the chance to object to changes.

Who is subprocessor.io for?

Heads of Privacy, DPOs, General Counsel, and legal teams at B2B SaaS companies that process personal data on behalf of enterprise customers — typically organisations with 50–500 employees.

How does it replace our spreadsheet and shared inbox?

It keeps a single source of truth for your subprocessor list, tracks which customers each subprocessor applies to, and sends the correct notifications automatically — with a timestamped record of who was notified and who objected.

Can our customers see their own subprocessor list?

Yes. Each customer gets a unique subprocessor list showing the subprocessors relevant to their contracted scope, always kept current as your list changes.

How does this help with GDPR Article 28 compliance?

Article 28 requires processors to inform controllers of subprocessor changes, allow time to object, and keep records. Subprocessor.io operationalises all three — notice periods, objection handling, and an audit trail — in one place.

What are some examples of subprocessors?

Common subprocessors for B2B SaaS companies include cloud infrastructure providers (AWS, GCP, Azure), email delivery services (SendGrid, Postmark), analytics platforms (Mixpanel, Segment), customer support tools (Intercom, Zendesk), and monitoring services (Datadog, Sentry). Any vendor that processes personal data on behalf of your customers — on your instructions — is likely a subprocessor.

Stop managing subprocessors in a spreadsheet

See how subprocessor.io maps your variations, runs your notifications, and keeps your subprocessor lists current — book a walkthrough with our team.