Sub-processor policy

How Common Paper approves and handles sub-processors

Written by Ben Garvey
Updated over 7 months ago

Common Paper uses sub-processors, which are third parties that help provide features and improve the experience of Common Paper. We evaluate and approve potential sub-processors via our Vendor Management Policy, which is reviewed every year. Below are the sections of our Vendor Management Policy that pertain to sub-processors.

What is a sub-processor?

Common Paper collects and stores data from you as a normal part of using the service. We are considered a data controller and processor of that data. A sub-processor is a third party that "may process individuals’ personal data on behalf of the processor. A sub-processor can be a legal person, for example a business, an SME, a public authority, an agency or other body." (source: EDPB)

Purpose of the policy

To ensure protection of the organization's data and assets that are shared with, accessible to, or managed by suppliers, including external parties or third-party organizations, and to maintain an agreed level of information security and service delivery in line with supplier agreements.

Policy

Information security requirements for mitigating the risks associated with supplier's access to the organization's assets shall be agreed with the supplier and documented. For all service providers who may access Common Paper, Inc. Confidential data, systems, or networks, proper due diligence shall be performed prior to provisioning access or engaging in processing activities. Information shall be maintained regarding which regulatory or certification requirements are managed by or impacted by each service provider, and which are managed by Common Paper, Inc. as required. Applicable regulatory or certification requirements may include ISO 27001, SOC 2, PCI DSS, CCPA, GDPR or other frameworks, compliance standards, or regulations.

Common Paper maintains a policy and procedure for evaluating sub-processors that includes documentation of their information security, authorization, data retention, handling of personal information, and more. In addition to a yearly security review, we perform a yearly risk assessment of how each sub-processor is used.

To learn more about Common Paper's security practices, see our security page.
