Sub-Processor Management
GDPR requires you to maintain a current list of sub-processors and notify customers of changes. TruePrivacy automates sub-processor discovery, documentation, and customer notification.
Why teams choose Sub-Processor Management
Auto-Discovery
Automatically discover sub-processors from vendor questionnaires and data flows.
Customer Notifications
Automatically notify customers of sub-processor changes per your DPA terms.
Objection Handling
Built-in workflows to handle customer objections to new sub-processors.
Public Registry
Maintain a publicly accessible sub-processor list that auto-updates.
Detailed Capabilities
A closer look at what Sub-Processor Management does inside TruePrivacy.
Automated Sub-Processor Discovery
TruePrivacy discovers sub-processors through vendor questionnaire responses, data flow analysis, and third-party intelligence feeds, building a complete sub-processor list without manual research.
Public Sub-Processor Registry
Publish an automatically maintained public sub-processor list on your website at a stable URL. The list updates in real time when sub-processors are added or removed, meeting your DPA contractual obligations.
Customer Notification Automation
When a sub-processor change occurs, TruePrivacy automatically notifies affected customers per the notice period defined in your DPAs — typically 30 days. Notifications are logged with timestamps as evidence of compliance.
Objection Handling Workflow
Customers who object to a new sub-processor are tracked in a structured workflow. Your team reviews the objection, assesses whether it can be accommodated, and responds within the required period. Outcome documentation is maintained in the customer record.
Change History & Audit Trail
A complete history of every sub-processor change — addition, removal, modification — with timestamps, rationale, and notification records. This provides a full audit trail for DPA investigations.
DPA Compliance Documentation
Generate documentation demonstrating that your sub-processor management practices meet GDPR Article 28 requirements — sub-processor authorization terms, notification procedures, objection handling, and change history.
How It Works
From setup to ongoing compliance in a few straightforward steps.
Build Your Sub-Processor List
Import your existing sub-processor list or let TruePrivacy discover sub-processors from vendor data flows and questionnaire responses. Review and confirm the list before it goes live.
Publish & Notify
Publish your sub-processor list to the public registry URL. Configure notification templates and delivery rules for customer communications about future changes.
Manage Changes
When adding or removing a sub-processor, initiate the change in TruePrivacy. The platform triggers the notification workflow automatically and tracks the notice period countdown.
Handle Objections
Customer objections are captured in a structured workflow with automatic acknowledgment, review assignment, and response deadline tracking. All outcomes are documented in the audit trail.
What's included
- Sub-processor discovery and tracking
- Automated customer notification
- Objection management workflows
- Public sub-processor page
- Change history and audit trail
- DPA compliance documentation
Frequently Asked Questions
Common questions about Sub-Processor Management in TruePrivacy.
GDPR Article 28(2) requires processors to obtain prior written authorization from the controller before engaging sub-processors. Article 28(4) requires that sub-processors are subject to the same data protection obligations as the main processor. Many DPAs implement this as a general authorization with a notification-and-objection mechanism, which is the model TruePrivacy supports.
The notice period depends on what your DPA terms say — there is no fixed statutory period in GDPR. Common notice periods in SaaS DPAs range from 14 to 30 days. TruePrivacy's notification workflow enforces whatever notice period is defined in your DPA template and tracks the deadline automatically.
Engaging a sub-processor before the notice period expires and without handling outstanding objections is a GDPR violation. TruePrivacy prevents this by tracking the notice period expiry date and blocking sub-processor activation until the period has passed and all objections are resolved. This is a deliberate compliance safeguard.
Yes. The public sub-processor list is a live, automatically generated page hosted on your configured URL. When you confirm a sub-processor change in TruePrivacy after the notice period, the public list updates immediately. You never need to manually update a webpage or spreadsheet.
Yes. You can add a sub-processor to TruePrivacy in a 'pending' state with the planned change date, which triggers the notification workflow immediately. This allows you to start the notice period well ahead of the planned onboarding, providing customers with more lead time than the minimum required.