Subprocessor Disclosure Template.
Public-facing subprocessor list and data-flow narrative — the artifact buyers actually ask for in security reviews and the artifact GDPR / UK GDPR / CPRA processors are expected to publish. Aligned in vocabulary with GDPR Article 28, ISO/IEC 27018, and SOC 2 CC9.2. Replace the seeded examples with your real vendors. Download CSV or JSON for your trust center.
Subprocessors
One row per subprocessor. The data-category field is what buyers parse first — be specific.
| Vendor | Role / purpose | Hosting region | Data categories processed | DPA on file | Sub-subprocessors disclosed | Last reviewed |
|---|---|---|---|---|---|---|
Data flow narrative
Five short paragraphs that, read top to bottom, explain how customer data enters, moves, and leaves your system. Buyers compare this against the subprocessor table.
Regional notes
Short notes for the three regional regimes most often cited by enterprise buyers. Replace with your actual posture.
What this is — and is not
What it is: a structural template aligned in vocabulary with the disclosure obligations under GDPR Article 28, ISO/IEC 27018:2019, and SOC 2 CC9.2. A public-facing subprocessor list and a short data-flow narrative are what buyers expect to see linked from a trust center. This template gives you the shape, not the contents.
What it isn't: a Data Processing Agreement, a Standard Contractual Clauses module, a Records of Processing Activities (Article 30) document, or legal advice. Publishing a subprocessor list does not satisfy your DPA obligations to existing customers, your prior-notification commitments, or your sector-specific overlay requirements (HIPAA BAA, FERPA, etc.). Have your DPO and counsel review before publishing publicly.
Pairs with Evidence Locker (sub-section: Vendors + subprocessors) and the AI Vendor Intake Form. Frameworks referenced: GDPR Art. 28, UK GDPR, CPRA §1798.140, ISO/IEC 27018:2019, SOC 2 CC9.2.