ClearLaunch

Subprocessor due diligence + contract management

ID: subprocessor-management · Domain: data-privacy · Type: process

Description

Subprocessor management is the operational extension of the controller/processor distinction in modern privacy law: when a processor (the platform) hands personal data to a further processor (a vendor, an infrastructure provider, an analytics tool), the original controller's rights and the data subject's rights have to flow through the chain. GDPR Article 28 is the canonical version; CCPA's service-provider rules, LGPD, and most second-generation privacy laws follow similar shapes. The operational pieces are: the subprocessor inventory (every third party that touches personal data, with the data category and processing purpose recorded); the data-processing addendum (DPA) executed with each subprocessor, which pushes the required clauses downstream (purpose limitation, security, breach notification, sub-sub-processor controls, end-of-engagement disposition); the published subprocessor list that the controller and data subjects can read on demand; and the change-notification path that gives controllers a right to object before a new subprocessor goes live. The recurring difficulty is inventory completeness: engineering teams add SaaS tools faster than the privacy team learns about them, and the gap shows up as a missing DPA the first time a regulator asks.

Required by (3 regulations)

  • GDPR

    Article 28 — controller-processor contract requirements; written DPA mandatory.

    Regulation (EU) 2016/679 of the European Parliament and of the Council

  • CCPA/CPRA

    Service Provider contracts; CCPA §1798.140(ag).

    Cal. Civ. Code §§1798.100-1798.199.100; 11 CCR §7000-7102

  • LGPD

    Article 39 — operator contractual obligations.

    Lei nº 13.709, de 14 de agosto de 2018 (as amended by Lei nº 13.853/2019 and Emenda Constitucional nº 115/2022)

Fulfilled by (3)

  • onetrust · full · medium effort · $$
  • transcend · full · medium effort · $$
  • In-house build · medium effort

ClearLaunch does not accept payment from vendors.

Evidence formats

  • subprocessor list
  • DPAs on file
  • change-notification log

ClearLaunch provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions.


Built by Neel Patel, in-house game counsel. Games touch more compliance domains at once than anything else in tech. That's what ClearLaunch was designed around.

Operated by a Washington-licensed attorney. Not licensed in California or other US states. Data reviewed through March 2026.
