Approved Subprocessors is a variable that appears in the Data Processing Agreement Cover Page, in the Key Terms section.

In most situations where you are a vendor handling personal data from your customer, you are acting as a data processor. When a data processor in turn uses its own vendor who also processes the personal data, that secondary processor will be considered a subprocessor. DPAs typically include an authorization for subprocessors that the data processor wants to work. You can think about subprocessors the way you might think about a subcontractor who is hired by a contractor to perform some of the services the contractor is required to perform under a contract.

Examples of common subprocessors include: hosting and infrastructure services such as AWS, Cloudflare, and Snowflake; communication and customer services such as Twilio, Intercom, and Zendesk; and financial and billing services such as Netsuite, Stripe, and Square.

If you maintain a list of subprocessors online, choose that option and enter the URL to the page.

Otherwise, you can incorporate a list of subprocessors directly into your DPA. Enter the name, country of location, and basic description of the subprocessing activity that subprocessor provides.

Descriptions can be short phrases like “content delivery network provider,” “communications technology provider for product notifications,” or “data analytics.”

Pro tip: Under Section 2.6(a) of the DPA Standard Terms, your Customer must receive at least 10 business days prior notice of any changes to the subprocessor list, including a list that is hosted online.

​