![Adoptech-logo-GreyWithoutStrapline-1.png]](https://knowledge.adoptech.co.uk/hs-fs/hubfs/Adoptech-logo-GreyWithoutStrapline-1.png?height=39&name=Adoptech-logo-GreyWithoutStrapline-1.png){kind=logo}
What Is a Subprocessor?
An overview of how to identify your subprocessors
The term subprocessor is not specifically defined in GDPR, it is widely used to describe a third party company that processes personal data on behalf of another company as part of delivering a product or service.
For example, if your organisation uses a cloud hosting provider, customer support platform, or email delivery service that stores or accesses customer information, those providers may be considered subprocessors.
Are All My Vendors Subprocessors?No, not all vendors are considered subprocessors. A vendor is only classified as a subprocessor if they process personal data on behalf of your organisation as part of delivering your services.
Examples
Subprocessor
- Amazon Web Services (AWS) - A cloud hosting provider that stores and processes customer data.
- HubSpot - A CRM platform that may store customer contact information and communications.
- Zendesk - A support platform that may process customer support requests and related personal data.
Not Typically a Subprocessor
- Office supply vendors
- Facilities management providers
- Catering services
- Hardware suppliers that do not access or process customer data
Whether a vendor is considered a subprocessor depends on the nature of the service being provided and whether customer or personal data is processed on your organisation’s behalf.
Why Are Subprocessors Important?
Organisations are responsible for understanding which third parties may process customer or personal data on their behalf.
Maintaining visibility of subprocessors helps organisations:
- Understand where data is stored and processed
- Assess third-party security and privacy risks
- Support customer and regulatory transparency requirements
- Meet contractual obligations
- Demonstrate compliance during audits and assessments
Many customers, auditors, and procurement teams will request details of subprocessors as part of security reviews, vendor due diligence, or certification activities.
What Information Should Be Shared About Subprocessors?Many organisations maintain a subprocessor register or publish a subprocessor list to support transparency and compliance requirements.
Typical information shared may include:
- Company name
- Service provided
- Purpose of processing
- Geographic location of processing
- Whether personal data is transferred internationally
Before engaging a subprocessor, organisations should perform appropriate due diligence and risk assessments.
This may include reviewing:
- Security certifications and audit reports
- Privacy and data protection controls
- Contractual obligations and DPAs
- Incident management processes
- Business continuity arrangements
- Access controls and encryption practices
Frameworks such as ISO 27001 and SOC 2 typically require organisations to maintain supplier oversight and assess third-party risks appropriately.
International Data TransfersIf a subprocessor stores or processes data outside the UK or EEA, organisations should ensure that appropriate safeguards are in place to support compliance with applicable data protection laws.
Examples may include:
- Standard Contractual Clauses (SCCs)
- UK International Data Transfer Agreements (IDTAs)
- Adequacy decisions
- Additional contractual or technical safeguards
- Maintain an up-to-date subprocessor inventory
- Review subprocessors periodically
- Document risk assessments and approvals
- Notify customers where contractually required
- Remove unused or unnecessary subprocessors
- Ensure appropriate agreements are in place
Keeping an accurate and transparent subprocessor register can help support customer trust, audit readiness, and ongoing compliance obligations.