Frequently asked questions
Common questions about subprocessor management and GDPR Article 28. Can't find what you need? Get in touch.
What is a subprocessor?
A subprocessor is a third party a processor engages to help process personal data on behalf of a controller — for example, a cloud host, email provider, or analytics vendor. Under GDPR Article 28, controllers must be informed of subprocessors and given the chance to object to changes.
Who is subprocessor.io for?
Heads of Privacy, DPOs, General Counsel, and legal teams at B2B SaaS companies that process personal data on behalf of enterprise customers — typically organisations with 50–500 employees.
How does it replace our spreadsheet and shared inbox?
It keeps a single source of truth for your subprocessor list, tracks which customers each subprocessor applies to, and sends the correct notifications automatically — with a timestamped record of who was notified and who objected.
Can our customers see their own subprocessor list?
Yes. Each customer gets a unique subprocessor list showing the subprocessors relevant to their contracted scope, always kept current as your list changes.
How does this help with GDPR Article 28 compliance?
Article 28(2) requires a processor operating under general written authorisation to inform the controller of intended subprocessor changes and give it the opportunity to object, and Article 28(3)(h) requires the processor to make available the information needed to demonstrate compliance. Subprocessor.io operationalises these obligations in one place: per-contract notice periods, objection handling, and an audit trail of what was sent to whom and when.
What are some examples of subprocessors?
Common subprocessors for B2B SaaS companies include cloud infrastructure providers (AWS, GCP, Azure), email delivery services (SendGrid, Postmark), analytics platforms (Mixpanel, Segment), customer support tools (Intercom, Zendesk), and monitoring services (Datadog, Sentry). Any vendor that processes personal data on behalf of your customers — on your instructions — is likely a subprocessor.
What is a subprocessor list?
A subprocessor list is the register of third-party vendors your company uses to process personal data on behalf of your customers. Under GDPR Article 28, controllers have the right to be informed of the subprocessors in use and to object to any changes. Most processors publish a subprocessor list on their website and notify customers when it changes.
What does GDPR Article 28(1) require?
Article 28(1) places the duty on the controller: it may use only processors that provide sufficient guarantees to implement appropriate technical and organisational measures, so that processing meets GDPR requirements and protects data subjects' rights. The same "sufficient guarantees" standard is carried down to subprocessors by Article 28(4), so a processor should apply it when selecting its own vendors.
What does GDPR Article 28(2) require?
Article 28(2) governs authorisation. Processors must obtain specific or general written authorisation from the controller before engaging a subprocessor. Under general written authorisation, the processor must still inform the controller of any intended changes — additions or replacements — and give the controller the opportunity to object before the change takes effect.
What does GDPR Article 28(3) require?
Article 28(3) sets out the eight mandatory terms the DPA between controller and processor must include: (a) process data only on documented controller instructions; (b) ensure confidentiality of personnel with access; (c) implement Art. 32 security measures; (d) respect conditions for engaging sub-processors; (e) assist the controller with data subject rights; (f) assist with Art. 32–36 obligations; (g) delete or return data at end of service; (h) provide information and allow audits to demonstrate compliance.
What does GDPR Article 28(4) require?
Article 28(4) is the flow-down obligation. Where a processor engages a subprocessor, it must impose the same data protection obligations on the subprocessor by contract — using Article 28(3) as the template. If the subprocessor fails to meet those obligations, the processor remains fully liable to the controller.
What is “general written authorisation” under Article 28?
General written authorisation means the controller has agreed in the DPA that the processor may use subprocessors generally, rather than approving each one individually. Article 28(2) still requires the processor to inform the controller of any intended addition or replacement and give it the opportunity to object; in practice that means maintaining a current subprocessor list and giving prior notice of every change.
What happens when a controller objects to a subprocessor?
Article 28(2) gives the controller the opportunity to object but does not prescribe what happens next; the procedure is set by the DPA. In practice the processor should not use the new subprocessor for that customer's data until the objection has been resolved. Resolution can mean the controller withdrawing the objection, the parties agreeing modified terms, or, in unresolved cases, either party exercising termination rights under the contract. Respond to every objection in writing and keep the exchange with your records.
What notice period is required for subprocessor changes?
GDPR does not specify a minimum notice period — it is set by the individual DPA between processor and controller. Common periods are 10, 14, or 30 days. If you have multiple customers, you may have different notice periods per contract, and must respect each one separately.
What records do you need to keep under Article 28?
You should keep records of your current subprocessor list, the history of changes with dates, evidence that controllers were notified (timestamps and delivery records), the notice period applied for each customer, any objections received and how they were resolved, and the DPAs with each subprocessor.
What is the difference between a processor and a subprocessor?
A processor processes personal data on behalf of a controller. A subprocessor is engaged by the processor to help carry out that processing. Under Article 28(4), the processor must impose the same obligations on the subprocessor by contract, and remains fully liable to the controller for the subprocessor's compliance.
How often should you update your subprocessor list?
Every time you add, remove, or materially change a subprocessor. There is no fixed review cadence in GDPR — the obligation to notify arises from the change, not a calendar event. Notify affected controllers as soon as the change is decided, not at a scheduled interval.
Still have questions?
Tell us about your setup and we'll walk you through how subprocessor.io would work for your team.
Get started