Subprocessors and Vendor Risk
You trust Stripe. But do you know who Stripe trusts with your data? That's the subprocessors question.
Last updated: March 20, 2026
You use Stripe to process payments. You have a DPA with Stripe. You did your due diligence.
But Stripe uses data centers. They use payment networks. They use analytics tools. They have their own vendors.
You have a DPA with Stripe. Stripe has DPAs with its subprocessors. But do you know who they are? Do you know if those subprocessors are secure? Do you know if they're in countries with different privacy laws?
That's vendor risk management.
What this solves (in real business terms)
You are legally responsible for your customers' data, even when it's in the hands of your vendors. If a subprocessor gets breached, your customers' data is exposed—and regulators will look at your due diligence process, not just the breach itself.
Understanding your subprocessor chain means:
- Knowing where your data actually goes
- Identifying concentration risks (all data in one cloud provider?)
- Verifying your vendors are making good choices about who they work with
What can go wrong
The SolarWinds cascade. When SolarWinds' build pipeline was compromised in 2020, a trojanized update to its Orion product was signed with SolarWinds' own certificate and delivered through the normal update channel to as many as 18,000 customers, including US government agencies and major corporations. Many of those customers thought they were managing their own security. They were also trusting SolarWinds' vendors, build systems and signing keys, none of which appeared in their own risk assessments.
The GDPR transfer fine. In 2023 the Irish Data Protection Commission fined Meta €1.2 billion for transferring European Facebook user data to US servers under Standard Contractual Clauses that, after the Schrems II judgment, the regulator found did not adequately protect that data. The fine landed on Meta's own transfers, but the lesson runs down the chain: if any subprocessor of yours receives EU personal data outside the EU, the transfer needs a documented legal mechanism that actually holds up, not just a signed template.
The single-vendor trap. A Florida company stored its entire customer database with one cloud provider. That provider had an outage, and for three days the company could not reach its own data: no customer service, no order processing, nothing. A single point of failure is subprocessor risk too, even when nothing is breached.
The security questionnaire mismatch. A company asked their vendor for security certifications. The vendor provided them. What the company didn't know: the vendor's AI analytics tool (a subprocessor) had weaker security controls. That subprocessor was breached. The vendor's certifications didn't cover the subprocessor. The vendor's contract didn't require the subprocessor to meet the same standards.
What it costs (honest ranges)
| What | What you'll pay |
|------|----------------|
| Vendor risk questionnaires (DIY) | $0 |
| Security rating platforms (SecurityScorecard, BitSight) | $3,000–$15,000/year |
| Third-party risk assessment | $5,000–$20,000 |
| Vendor security questionnaire platform (UpGuard, BitSight) | $2,000–$10,000/year |
| Continuous monitoring service | $5,000–$30,000/year |
For most SMBs: start with DIY questionnaires and work up from there.
Minimum viable implementation
1. List your top 10 vendors by data sensitivity. Who touches customer PII, payment data, health information, or your core business data?
2. Request their subprocessor lists. Most major vendors publish this. Stripe has it public. Google has it public. Smaller vendors: email them and ask.
3. Identify red flags in subprocessor chains:
   - Subprocessors in China, Russia, or other countries without an adequacy decision or an equivalent data protection regime
   - Subprocessors with known security incidents in the past 24 months
   - Subprocessors doing cross-border data transfers without documented legal mechanisms
4. Ask your vendors the right questions:
   - "Who are your subprocessors?"
   - "How do you vet your subprocessors' security practices?"
   - "What happens if a subprocessor has a breach?"
   - "Can we opt out of specific subprocessor categories?"
5. Track vendor certifications and reports. If a vendor claims SOC 2, ask for the actual Type II report, not just the badge, and read the system description: a SOC 2 report either includes subservice organizations (inclusive method) or carves them out, and a carved-out subprocessor's controls are not covered by the report at all. If the report is more than a year old, ask for a bridge letter.
6. Build vendor tiers:
   - Tier 1: Critical (direct access to sensitive data) — full questionnaire + annual review
   - Tier 2: Moderate (operational access, no direct customer data) — light questionnaire + periodic review
   - Tier 3: Low (no customer data, limited operational impact) — accept standard terms
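The steps above can be run as a small script once you have the subprocessor lists in hand. The block below is an added example, not code from this page or from any vendor it names: it tiers each direct vendor by the data it receives, walks the transitive subprocessor chain, applies the three red-flag rules, finds subprocessors shared by more than one Tier 1 vendor (the concentration risk), and diffs a vendor's current list against a stored snapshot so you notice when it changes. Every vendor, subprocessor, country code and incident date in it is constructed sample data, and the "home" jurisdiction set is a deliberately short stand-in for a full US/EU/EEA list.

```python
"""Subprocessor chain check: tiering, transitive chain, red flags,
concentration risk and list drift over a constructed inventory.

Added example; not code from the page. Every vendor, subprocessor,
country and incident date below is constructed sample data.
"""
from datetime import date

TODAY = date(2026, 3, 20)
SENSITIVE = {"payment", "pii", "health", "core"}   # tier-1 data classes from the page
HIGH_RISK = {"CN", "RU"}                           # jurisdictions the page calls out
# "Home" jurisdictions for the cross-border check (constructed subset; a
# real run would list every EU/EEA member state).
HOME = {"US", "IE", "DE", "FR", "NL"}

# Direct vendors: what data we hand them and whether they have operational access.
DIRECT = {
    "PayCo":    dict(data={"payment", "pii"}, operational=True),
    "MailCo":   dict(data={"pii"},            operational=True),
    "Ticketly": dict(data=set(),              operational=True),
    "FontCDN":  dict(data=set(),              operational=False),
}

# Every entity in the chain: where it is, which subprocessors it discloses,
# its most recent known incident, and the documented transfer mechanism
# (e.g. "SCC", "DPF") under which data reaches it, or None if undocumented.
ENTITIES = {
    "PayCo":      dict(country="US", uses=["CloudA", "AnalyticsX"], last_incident=None, mechanism="DPF"),
    "MailCo":     dict(country="IE", uses=["CloudA", "TrackIt"], last_incident=None, mechanism="SCC"),
    "Ticketly":   dict(country="US", uses=["CloudA"], last_incident=None, mechanism=None),
    "FontCDN":    dict(country="US", uses=[], last_incident=None, mechanism=None),
    "CloudA":     dict(country="US", uses=[], last_incident=None, mechanism="DPF"),
    "AnalyticsX": dict(country="CN", uses=[], last_incident=date(2025, 9, 1), mechanism=None),
    "TrackIt":    dict(country="IN", uses=["CloudA"], last_incident=None, mechanism=None),
}


def tier(vendor):
    """Tier 1: sensitive data; Tier 2: operational access only; Tier 3: neither."""
    v = DIRECT[vendor]
    if v["data"] & SENSITIVE:
        return 1
    return 2 if v["operational"] else 3


def chain(entity, seen=None):
    """Transitive set of subprocessors: a subprocessor's own subprocessors count too."""
    seen = set() if seen is None else seen
    for sub in ENTITIES[entity]["uses"]:
        if sub not in seen:
            seen.add(sub)
            chain(sub, seen)
    return seen


def red_flags(vendor, today=TODAY):
    """Apply the three red-flag rules to every entity in the vendor's chain."""
    flags = []
    for sub in sorted(chain(vendor)):
        e = ENTITIES[sub]
        if e["country"] in HIGH_RISK:
            flags.append(f"{sub}: located in {e['country']}")
        if e["last_incident"] and (today - e["last_incident"]).days <= 730:
            flags.append(f"{sub}: security incident on {e['last_incident']} (within 24 months)")
        if e["country"] not in HOME and not e["mechanism"]:
            flags.append(f"{sub}: data transferred to {e['country']} with no documented legal mechanism")
    return flags


def concentration():
    """Subprocessors shared by more than one tier-1 vendor: one outage or breach hits several."""
    shared = {}
    for vendor in DIRECT:
        if tier(vendor) == 1:
            for sub in chain(vendor):
                shared.setdefault(sub, set()).add(vendor)
    return {sub: sorted(v) for sub, v in shared.items() if len(v) > 1}


def diff_lists(previous, current):
    """Drift between a stored snapshot of a vendor's subprocessor list and the current one."""
    return {"added": sorted(set(current) - set(previous)),
            "removed": sorted(set(previous) - set(current))}


if __name__ == "__main__":
    for vendor in DIRECT:
        print(f"{vendor}: tier {tier(vendor)}, chain {sorted(chain(vendor))}")
        for flag in red_flags(vendor):
            print("  flag:", flag)
    print("concentration:", concentration())
    # Constructed snapshot from a previous review: PayCo only disclosed CloudA then.
    print("PayCo list drift:", diff_lists(["CloudA"], ENTITIES["PayCo"]["uses"]))
```

On the sample data, PayCo is Tier 1 and its chain trips all three rules through AnalyticsX, MailCo is Tier 1 with one undocumented transfer via TrackIt, and CloudA shows up under both Tier 1 vendors, which is exactly the "all data in one cloud provider" concentration the page warns about. The drift check is the part worth automating: re-fetch each vendor's published list on a schedule, store it, and diff, because the added entry is where a new jurisdiction or a new incident history enters your chain without anyone telling you.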
Vendor questions (copy/paste)
For your vendors about their subprocessors:
1. "Can you provide a current list of all subprocessors who access or process our data? How often is this list updated?"
2. "How do you assess the security practices of your subprocessors? Do you require them to meet specific standards?"
3. "Do you allow customers to object to specific subprocessor categories? What's your process?"
4. "How do you handle data transfers outside the US/EU? What legal mechanisms do you use?"
5. "What happened in your last subprocessor incident? What did you learn?"
6. "Do you conduct audits of your subprocessors? Can we see audit results?"
When to hire help
Hire help if:
- You're in a regulated industry (healthcare, finance, government contracting)
- You use more than 25 SaaS tools with customer data
- You've had a vendor breach and need to assess your exposure
- You're pursuing a SOC 2 report or a similar attestation (auditors expect a formal vendor management process)
- You're sharing data internationally and need GDPR Standard Contractual Clauses with subprocessors