Subprocessor List: The Procurement-Ready Format Every B2B SaaS Needs
9 min read
April 22, 2026

What belongs on a subprocessor list under GDPR Article 28, the fields enterprise procurement expects, notification workflows, and a copy-ready template your trust center can publish today.

Tags: GDPR, Subprocessors, Trust Center, Vendor Risk

TL;DR

  • A public subprocessor list is now standard for enterprise-ready B2B SaaS. Required by most DPAs; expected by procurement.
  • Minimum fields: legal name, service, country, data categories. Best-practice additions: DPA status, SOC 2/ISO 27001, added date.
  • Update within 24–48 hours. Trigger customer notifications per DPA terms (typically 15–45 days advance notice).

The subprocessor list is one of the simplest compliance artifacts to produce and one of the most operationally disruptive when handled badly. A current, well-structured list shortens procurement cycles, satisfies Article 28 authorization requirements, and demonstrates maturity. A missing or outdated list produces contractual breaches, regulatory exposure, and stalled enterprise deals.

This guide covers what belongs on the list, how to structure it, notification workflows, and a template your trust center can publish today.

Why the List Matters

Three audiences read your subprocessor list.

GDPR regulators. Article 28(2) requires the processor to obtain authorization from the controller before engaging a subprocessor. A public list supports general authorization patterns and demonstrates transparency under Articles 13 and 14.

Enterprise customers. Vendor risk teams review the list as part of initial procurement and re-review it when your DPA requires notification of changes. A vague or outdated list drives procurement questions that slow deals.

Your own compliance team. The list is a control artifact that drives your vendor risk assessment cadence, subprocessor DPA tracking, and SOC 2 CC9 evidence. See our vendor risk guide for the broader TPRM context.

The Minimum Fields

At a minimum, every entry needs four fields. These are the fields GDPR Article 28 implicates and the fields enterprise procurement expects as table stakes.

Subprocessor legal name. The full legal entity name, not a brand or product name. "Amazon Web Services, Inc." not "AWS." For EU-based subprocessors include the country code (e.g., "Stripe Payments Europe, Limited (IE)").

Service provided. A one-sentence description of what the subprocessor does for you. "Cloud infrastructure hosting for production environment" rather than "Cloud services."

Country of processing. Where the data actually lives or is processed, not just where the subprocessor is incorporated. If data lives in multiple regions, list each.

Categories of personal data. What personal data the subprocessor touches. "Customer email addresses, names, and account identifiers" rather than "Customer data."

The Expanded Fields Enterprise Buyers Want

Enterprise vendor risk teams usually ask for more than the minimum. Build these into your template and you eliminate most follow-up questions.

Date added. When did this subprocessor enter your data processing flow? Useful for customers tracking changes under notification-based DPAs.

Processing purpose. Why this subprocessor exists in your flow. "Authentication" vs "analytics" vs "payment processing." Procurement teams map your purposes against their own data flow inventories.

Security attestations. What attestations does the subprocessor hold? SOC 2 Type II date, ISO 27001 certificate expiration, PCI DSS if payments are involved. This signals your own vendor risk discipline.

DPA status. Is there a signed DPA in place? ("Signed 2024-06-15, current through service term.") Procurement teams use this to confirm Article 28 flow-down.

Transfer mechanism. If the subprocessor processes data outside the EEA, what transfer mechanism is in place? SCCs, adequacy decision, or Binding Corporate Rules.

Data retention. How long does the subprocessor retain your data after deletion requests or contract end?

Copy-Ready Template

Below is a table structure your trust center or legal page can publish. Adjust the column set based on your operational maturity.

| Subprocessor | Service | Country | Data Categories | Added | DPA | Attestation |
|---|---|---|---|---|---|---|
| Amazon Web Services, Inc. | Cloud infrastructure (prod) | US, IE | All customer data | 2022-01-15 | Signed | SOC 2 II, ISO 27001 |
| Stripe Payments Europe | Payment processing | IE | Payment method data, billing addresses | 2022-01-20 | Signed | SOC 2 II, PCI DSS Level 1 |
| Okta, Inc. | Identity and authentication | US | Employee email, authentication events | 2023-03-11 | Signed | SOC 2 II, ISO 27001 |
| Segment (Twilio Inc.) | Product analytics event routing | US | User IDs, behavioral events | 2024-06-01 | Signed | SOC 2 II |
| SendGrid (Twilio Inc.) | Transactional email delivery | US, IE | Email addresses, message metadata | 2022-02-14 | Signed | SOC 2 II, ISO 27001 |
| Datadog, Inc. | Application performance monitoring | US, DE | IP addresses, logs with potential PII | 2023-01-09 | Signed | SOC 2 II, ISO 27001 |
| Intercom, Inc. | Customer support messaging | US, IE | Customer names, email, support messages | 2022-04-03 | Signed | SOC 2 II |
| Google Workspace | Employee email and productivity | US, EU | Employee and internal communications | 2022-01-15 | Signed | SOC 2 II, ISO 27001, 27018 |

This is illustrative — your list will differ. But the columns are the standard that enterprise vendor risk teams expect to see.

Notification Workflow

Most enterprise DPAs include a subprocessor change notification clause. Common patterns:

  • 15 days' advance notice with right to object
  • 30 days' advance notice with right to object
  • 45 days' advance notice with right to object
  • Notification at the time of change (less common for enterprise; more common in mid-market)

Build a workflow that triggers notification at least 30 days before the subprocessor becomes operational. The workflow should:

1. Identify notification obligations. Maintain a list of customers whose DPAs require subprocessor notification, with each customer's notification window and preferred delivery method (email to specific addresses, via portal, etc.).

2. Trigger at the right time. When a new subprocessor is approved internally, initiate notification on day 1 even if operational rollout is 60 days away. Use the maximum required notice period as the trigger.

3. Track responses. Some DPAs allow customers to object; others require written consent. Track both acknowledgments and objections. Objection handling typically requires working with the customer to identify an acceptable alternative.

4. Delay rollout if needed. Do not activate the subprocessor in production until all notification periods have elapsed and all required consents are obtained. Missing this discipline creates contractual breaches.

5. Update the public list. Once the subprocessor is operational, update the public list within 24 hours. Customers without notification clauses rely on the list as their primary tracking mechanism.
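The five steps above describe a gate: notify on the day of internal approval, let the longest customer window govern the earliest activation date, track consents and objections, and block production rollout until every condition is met. The following is an added example, not the article's or any vendor's code, showing how that gate can be encoded so the decision is computed from recorded obligations rather than remembered by a person. The customer names, windows and dates are constructed; the 15/30/45-day windows and the 24-hour public-list update deadline are the ones the article states.

```python
"""Subprocessor change-notification gate (added example, not the article's code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class NotificationObligation:
    """One customer's DPA clause: notice window and whether written consent is required."""
    customer: str
    notice_days: int          # 15, 30 or 45 in the common DPA patterns
    requires_consent: bool    # True: written consent needed; False: right to object only
    delivery: str             # e.g. "email:privacy@customer.example" or "portal"


@dataclass
class NotificationRecord:
    """Tracking state for one subprocessor change across all customer obligations."""
    subprocessor: str
    approved_on: date                           # internal approval date = notification day 1
    obligations: list[NotificationObligation]
    acknowledged: set[str] = field(default_factory=set)
    consented: set[str] = field(default_factory=set)
    objected: set[str] = field(default_factory=set)
    resolved_objections: set[str] = field(default_factory=set)

    def earliest_go_live(self) -> date:
        """Step 2: notice runs from approval; the longest window sets the earliest rollout."""
        longest = max((o.notice_days for o in self.obligations), default=0)
        return self.approved_on + timedelta(days=longest)

    def blockers(self, today: date) -> list[str]:
        """Steps 3 and 4: every reason the subprocessor may not yet be activated."""
        reasons: list[str] = []
        for o in self.obligations:
            window_end = self.approved_on + timedelta(days=o.notice_days)
            if today < window_end:
                reasons.append(f"{o.customer}: notice window runs until {window_end.isoformat()}")
            if o.requires_consent and o.customer not in self.consented:
                reasons.append(f"{o.customer}: written consent not received")
            if o.customer in self.objected and o.customer not in self.resolved_objections:
                reasons.append(f"{o.customer}: open objection, alternative not yet agreed")
        return reasons

    def can_activate(self, today: date) -> bool:
        """Step 4: activation is allowed only when no blocker remains."""
        return not self.blockers(today)

    def public_list_deadline(self, activated_on: date) -> date:
        """Step 5: the public list must be updated within 24 hours of activation."""
        return activated_on + timedelta(days=1)


def example_record() -> NotificationRecord:
    """Constructed sample: three customers with the three common notice windows."""
    return NotificationRecord(
        subprocessor="Example Analytics Ltd (hypothetical)",
        approved_on=date(2025, 3, 1),
        obligations=[
            NotificationObligation("Acme", 30, False, "email:privacy@acme.example"),
            NotificationObligation("Globex", 45, True, "portal"),
            NotificationObligation("Initech", 15, False, "email:dpo@initech.example"),
        ],
    )


if __name__ == "__main__":
    rec = example_record()
    print("earliest go-live:", rec.earliest_go_live())
    for reason in rec.blockers(date(2025, 4, 10)):
        print("blocked:", reason)
```

Running the module prints the earliest go-live date (the 45-day window governs, so 2025-04-15) and the open blockers on 2025-04-10: Globex's window has not elapsed and its written consent has not been recorded, while Acme's and Initech's shorter windows have already run out. Recording a consent or an unresolved objection changes the answer immediately, which is the point of computing the gate rather than tracking it by hand.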

Integration With Your Trust Center

The subprocessor list belongs on your trust center alongside your SOC 2 report, ISO 27001 certificate, DPA, and privacy documentation. For context on trust center architecture, see our trust center guide.

Your trust center subprocessor page should include:

  • Last updated timestamp
  • Link to subscribe to subprocessor change notifications (typically a form or email list)
  • Link to the full subprocessor list (if the trust center shows a summary on the main page)
  • Reference to your DPA and notification obligations
  • Archive of historical subprocessor changes (for customers that want to verify your discipline)

Notification Subscription Page

Enterprise customers increasingly demand the ability to subscribe to subprocessor change notifications. Build a simple subscription page:

  • Email address
  • Customer company name
  • Reason for subscription (typically "We are a customer with DPA requiring notification")
  • Subscribe button

Send notifications via the subscribed email address plus any contacts listed on the active contract. The subscription mechanism demonstrates GDPR-grade transparency and satisfies most DPA notification clauses.

Common Mistakes

Using marketing names instead of legal names. "AWS" rather than "Amazon Web Services, Inc." will prompt procurement teams to request clarification.

Omitting processing country. If you process in multiple regions, list them. "US, IE" rather than just "US." Customers with EU data residency requirements need to see where their data actually lives.

Vague data categories. "All customer data" fails. List the actual categories: "customer email, usernames, authentication events, and behavioral analytics." Specificity signals maturity.

Failing to update after vendor changes. If Twilio acquires Segment or another vendor, the legal entity name changes. Update within 48 hours.

Not including the trust center link in DPA. Customers cannot easily find your list if it is not referenced in the DPA or on your security page. Cross-link everything.

Treating the list as marketing. The list is a compliance and legal artifact. Copy should be accurate and minimal, not persuasive.

Omitting internal vendors that process employee data. If you process employee data via a vendor (Rippling, BambooHR, Carta), those vendors are subprocessors of your HR function if employee data includes customer-touching personnel. Err on the side of inclusion.

Subprocessor List and GDPR Article 30 Records

The public subprocessor list is one component of your Article 30 records of processing activities (ROPA). Your full Article 30 record includes:

  • The subprocessor list (external)
  • Internal processing activities catalog
  • Data flow mappings
  • Retention schedules
  • Legal basis assessments
  • Cross-border transfer documentation

The subprocessor list is the public-facing extract of your internal Article 30 records. For the broader operational view, see our GDPR operations guide.

Subprocessor List and SOC 2 CC9

Your subprocessor list also feeds SOC 2 CC9 vendor management evidence. The list plus your internal vendor risk assessments plus ongoing monitoring artifacts collectively satisfy CC9.1 and CC9.2. Well-run organizations treat the public subprocessor list as the output layer of their internal TPRM program, not a separate artifact.

Getting Started

If you do not have a public subprocessor list today, publish one within two weeks. The minimum viable version covers legal name, service, country, and data categories. Expand as your operational cadence matures.

For teams that want subprocessor governance integrated into a full compliance program — with DPA templates, notification workflows, vendor assessments, and trust center architecture — CertifyOps delivers end-to-end programs that satisfy Article 28 and accelerate enterprise procurement.
