How to publish a subprocessor list for SaaS

GDPR does not say you must publish a public webpage called 'subprocessor list', but Article 28 does require controller authorisation for subprocessors and notice of changes under general authorisation. A current public list is a practical way to support that transparency.

Best fit

Operations and customer-facing teams maintaining processor transparency

Last updated: 2026-03-14

What Article 28 actually requires

Article 28 says a processor cannot appoint another processor without the controller's prior specific or general written authorisation. Where the authorisation is general, the processor has to inform the controller about intended additions or replacements and give the controller the chance to object.

EDPB Opinion 22/2024 also says controllers should have readily available information about the identity of processors and subprocessors, and processors should proactively provide and update that information.

What to put on the page

A useful public list is concise, factual, and easy to update. It should help a buyer identify each vendor, understand why it is used, and see where cross-border transfer analysis may be needed.

  • Vendor name
  • Service or processing purpose
  • Hosting or processing location summary
  • Transfer mechanism summary where relevant
  • Effective date or last-updated date

What a good update workflow looks like

Treat the subprocessor list as a maintained operational record, not a one-time web page. Update it when vendors are added, replaced, or repurposed, and keep the public list aligned with your contract annexes and internal vendor register.

A public list helps with procurement, but it does not replace the need for a valid controller-processor contract or accurate subprocessor clauses in your DPA.

Sources

Official GDPR text on EUR-Lex

Official GDPR text, especially Article 28 on processors and subprocessors.

EDPB Opinion 22/2024

Official EDPB opinion on obligations linked to processors and subprocessors.
