Sub-processor
Under GDPR, a third-party service that processes personal data on behalf of a Data Processor; must be disclosed to the controller and bound by equivalent data protection obligations.
What Sub-processor means
A sub-processor is any third-party entity engaged by a Data Processor to process personal data on behalf of the original Data Controller. Under GDPR Article 28, engaging a sub-processor requires prior written authorisation from the Controller, either specific or general; the sub-processor must be bound by data protection obligations equivalent to those between Controller and Processor; and the original Processor remains fully liable for the sub-processor's compliance. Common sub-processors for SaaS products include cloud hosting (AWS, Vercel, Supabase), email delivery (Resend, SendGrid), payment processing (Stripe, Paddle), analytics (Google Analytics), and AI services (OpenAI, Anthropic). Enterprise customers typically require a maintained sub-processor list as part of their vendor due-diligence and DPA package.
Related terms
GDPR
The General Data Protection Regulation — the EU's comprehensive data protection law governing how personal data is collected, processed, and stored.
Data Processor
An entity that processes personal data on behalf of a data controller, bound by a data processing agreement.
Data Controller
The entity that determines the purposes and means of processing personal data, bearing primary responsibility under GDPR.