subprocessor.io

Subprocessor examples — what counts as a subprocessor?

28 May 2026

Understanding the difference between a processor and a subprocessor is essential for GDPR compliance. A processor is a company hired by a controller (your business customer) to process personal data on the controller's instructions. A subprocessor is a vendor engaged by the processor to handle part of that data processing work—but still under the controller's ultimate authority. This distinction determines your notification obligations and contractual requirements.

What makes a vendor a subprocessor? A vendor becomes a subprocessor when it processes personal data on behalf of the processor, acting under the processor's instructions rather than for its own business purposes. The key test is whether the vendor is handling personal data at the processor's direction, not whether it's a 'critical' vendor or a 'big name' company. Any vendor with access to personal data for the processor's operations may be a subprocessor.

Common examples of subprocessors in B2B SaaS include cloud infrastructure providers like AWS, Google Cloud, and Microsoft Azure, which host application servers and databases. Email delivery services such as SendGrid, Postmark, and Mailgun send transactional messages on your behalf. Analytics platforms like Mixpanel and Segment collect and process user behaviour. Customer support tools like Intercom and Zendesk store conversations and ticket data. Payment processors such as Stripe handle transaction data. CRM systems like Salesforce and HubSpot manage customer information. Monitoring and error-tracking services like Datadog and Sentry collect logs and performance data.

Not every vendor is a subprocessor. Independent data controllers—companies that process personal data for their own purposes—are not subprocessors, even if you use their services. For example, advertising networks that process data to build their own audience profiles, or payment networks that use transaction data for their own fraud detection, are typically independent controllers. The distinction hinges on whether the vendor is following your instructions or pursuing its own business agenda with the data.

Must you list every single subprocessor? GDPR Article 28(2) and 28(4) require processors to get prior written authorisation from controllers before engaging subprocessors, and to inform controllers of new subprocessors with a notice period allowing objection. This means you must document every subprocessor that processes personal data and notify controllers of each one, not just the 'important' ones. The safest approach is to include any vendor with direct or regular access to personal data in your subprocessor disclosures.

Where can you find a company's subprocessor list? Most reputable SaaS vendors publish their subprocessor list in their privacy policy, their DPA terms, or on a dedicated subprocessor page. You can request the list directly if it is not publicly available. Once you have engaged a processor under a DPA, you have the contractual right to receive timely notice of subprocessor changes—and to keep your own list current for the controllers you serve.
