
Subprocessor due diligence + contract management

subprocessor-management · Domain: data-privacy · Type: process

Description

A working subprocessor-management program treats the controller-processor chain as a contract chain plus an inventory, and keeps both current. When a processor (the platform) hands personal data to a further processor (a vendor, an infrastructure provider, an analytics tool), the original controller's rights and the data subject's rights have to flow through the chain or the chain breaks at audit. The components are:

  • a subprocessor inventory that lists every third party that touches personal data, with the data category and processing purpose recorded;
  • a data-processing addendum executed with each subprocessor that pushes the required clauses downstream (purpose limitation, security, breach notification, sub-sub-processor controls, end-of-engagement disposition);
  • a subprocessor-list publication that the controller and data subjects can read on demand;
  • a change-notification path that gives controllers a right to object before a new subprocessor goes live.

The regulatory shape converges across regimes. GDPR Article 28 sets out the eight mandatory DPA clauses and the prior-authorization or general-authorization-with-notice models for sub-sub-processors. CCPA §1798.140(ag) treats service-provider contracts as the parallel mechanism with similar clause requirements, the contract serving to keep the recipient out of the sale-or-share definition. LGPD Article 39 operates similarly on the operator side. The clauses look different in their drafting; the operational obligations they generate look almost identical, which is why most operators run a single master DPA template with regime-specific addenda rather than a separate contract per regime.

The recurring difficulty is inventory completeness. Engineering teams add SaaS tools faster than the privacy team learns about them, and the gap shows up as a missing DPA the first time a regulator asks. The pattern that holds up under examination ties the procurement workflow to the DPA workflow at the contract-execution point: no SaaS contract gets countersigned without the DPA either attached or expressly waived (and the waiver itself is logged and reviewed).

Evidence formats that hold up include the current subprocessor list keyed to the data inventory, the DPAs on file for every entry on the list, the change-notification log showing controllers were notified before new subprocessors took data, and the periodic completeness audit comparing the inventory against the live vendor-management or expense systems.
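The procurement gate and the periodic completeness audit described above are both reconciliation checks over the same four records (inventory, DPAs on file, waiver log, change-notification log) plus an expense-system export. The following is an added example, not Magist's tooling or any vendor's product: it models those records as dataclasses, implements the countersign gate, and runs the audit against a constructed vendor export. Vendor names, the 30-day objection window and the clause identifiers are assumptions chosen for the example; the clause list itself mirrors the five clauses the description says a DPA must push downstream.

```python
"""Reconciliation checks for a subprocessor-management program (example code).

All vendor names, dates and the objection window below are constructed for
illustration; they are not drawn from any real vendor list.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Clauses the control says every downstream DPA must carry.
REQUIRED_CLAUSES = frozenset({
    "purpose_limitation", "security", "breach_notification",
    "sub_subprocessor_controls", "end_of_engagement_disposition",
})


@dataclass(frozen=True)
class InventoryEntry:          # one row of the subprocessor inventory
    vendor: str
    data_categories: tuple
    purpose: str


@dataclass(frozen=True)
class DPA:                     # a data-processing addendum on file
    vendor: str
    executed: date
    clauses: frozenset


@dataclass(frozen=True)
class Waiver:                  # an expressly logged, reviewed waiver
    vendor: str
    approved_by: str
    reviewed: date


@dataclass(frozen=True)
class Notification:            # one line of the change-notification log
    vendor: str
    notified: date             # when controllers were told
    go_live: date              # when the subprocessor first took data


def procurement_gate(vendor, dpas, waivers):
    """Contract-execution gate: countersign only with a DPA or a logged waiver."""
    if any(d.vendor == vendor for d in dpas):
        return "countersign"
    if any(w.vendor == vendor for w in waivers):
        return "countersign_with_waiver"
    return "block"


def completeness_audit(expense_vendors, inventory, dpas, waivers,
                       notifications, objection_window_days=30):
    """Periodic audit: inventory vs. expense system, DPAs, waivers and notices."""
    findings = []
    inv = {e.vendor: e for e in inventory}
    dpa_by_vendor = {d.vendor: d for d in dpas}
    waived = {w.vendor for w in waivers}
    notified = {n.vendor: n for n in notifications}

    # 1. Tools the company pays for that the privacy inventory has never seen.
    for v in sorted(set(expense_vendors) - set(inv)):
        findings.append(("not_in_inventory", v))
    # 2. Inventory entries with neither a DPA nor a logged waiver.
    for v in sorted(set(inv) - set(dpa_by_vendor) - waived):
        findings.append(("missing_dpa", v))
    # 3. DPAs on file that fail to push every required clause downstream.
    for v, d in sorted(dpa_by_vendor.items()):
        missing = REQUIRED_CLAUSES - d.clauses
        if missing:
            findings.append(("dpa_missing_clauses", v, tuple(sorted(missing))))
    # 4. Subprocessors that took data without notice, or before the
    #    controllers' objection window had closed.
    window = timedelta(days=objection_window_days)
    for v in sorted(inv):
        n = notified.get(v)
        if n is None:
            findings.append(("no_change_notification", v))
        elif n.go_live < n.notified + window:
            findings.append(("go_live_before_objection_window", v))
    return findings


# --- constructed sample records (hypothetical vendors) ---------------------
EXPENSE_VENDORS = ["cloud-host-x", "analytics-y", "crm-z", "design-tool-q", "ticketing-w"]
INVENTORY = [
    InventoryEntry("cloud-host-x", ("identifiers", "usage"), "hosting"),
    InventoryEntry("analytics-y", ("usage",), "product analytics"),
    InventoryEntry("crm-z", ("identifiers", "contact"), "support"),
    InventoryEntry("ticketing-w", ("contact",), "ticketing"),
]
DPAS = [
    DPA("cloud-host-x", date(2025, 1, 10), REQUIRED_CLAUSES),
    DPA("analytics-y", date(2025, 1, 20), REQUIRED_CLAUSES - {"sub_subprocessor_controls"}),
]
WAIVERS = [Waiver("ticketing-w", "privacy-lead", date(2025, 1, 5))]
NOTIFICATIONS = [
    Notification("cloud-host-x", date(2025, 1, 15), date(2025, 3, 1)),   # 45 days: fine
    Notification("analytics-y", date(2025, 2, 1), date(2025, 2, 10)),    # 9 days: too early
    Notification("ticketing-w", date(2025, 1, 6), date(2025, 2, 20)),    # 45 days: fine
]


def run_sample():
    """Run the audit over the constructed records and return the findings."""
    return completeness_audit(EXPENSE_VENDORS, INVENTORY, DPAS, WAIVERS, NOTIFICATIONS)


if __name__ == "__main__":
    for v in EXPENSE_VENDORS:
        print(f"gate {v}: {procurement_gate(v, DPAS, WAIVERS)}")
    for finding in run_sample():
        print("finding:", *finding)
```

Each finding tuple maps to one of the evidence formats the control names: `not_in_inventory` is the expense-system comparison, `missing_dpa` and `dpa_missing_clauses` are the DPAs-on-file check, and the two notification findings come from the change-notification log. Running the audit on a schedule and diffing its output against the previous run turns the inventory-completeness problem into a tracked backlog rather than a surprise at audit time.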

Required by (3 regulations)

  • GDPR

    Article 28 — controller-processor contract requirements; written DPA mandatory.

    Regulation (EU) 2016/679 of the European Parliament and of the Council

  • CCPA/CPRA

    Service Provider contracts; CCPA §1798.140(ag).

    Cal. Civ. Code §§1798.100-1798.199.100; 11 CCR §7000-7102

  • LGPD

    Article 39 — operator contractual obligations.

    Lei nº 13.709, de 14 de agosto de 2018 (as amended by Lei nº 13.853/2019 and Emenda Constitucional nº 115/2022)

Fulfilled by (3)

  • onetrust · full · medium effort · $$
  • transcend · full · medium effort · $$
  • In-house build · medium effort

Magist does not accept payment from vendors.

Evidence formats

  • subprocessor list
  • DPAs on file
  • change-notification log

Magist provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions.

Built by Neel Patel, a practicing in-house games attorney. Games touch more compliance domains at once than anything else in tech — Magist was designed around that.

Operated by a Washington-licensed attorney. Not licensed in California or other US states.

© 2026 Magist