
What is a subprocessor?

Definition

Subprocessor

A subprocessor is a third-party company that handles personal data on behalf of a data processor. When you use software that stores customer information, that software company is your data processor. If they use another company to help store, analyze, or transmit that data, that company becomes a subprocessor.

Think of it as a chain: you're the data controller (you decide what data to collect and why), your software vendor is the processor (they handle the data for you), and any vendors they hire to help are subprocessors.

Why subprocessors matter for your business

Under privacy regulations like GDPR, you're responsible for knowing where your customer data goes. That responsibility doesn't stop at your direct vendors; it extends to their vendors too.

When a customer trusts you with their email address, they expect you to protect it. If your email platform uses a cloud hosting service and that service experiences a breach, your customers don't care about the technical chain of custody. They trusted you.

This is why reputable software companies maintain public subprocessor lists. Transparency about who touches your data isn't just a legal checkbox. It's how you verify that every link in the chain meets your security standards.

The data processing chain explained

Three roles define how personal data moves through modern business systems:

Data controller: Your company. You determine what personal data to collect, why you need it, and how it will be used. When someone fills out a form on your website, you're the controller.

Data processor: The software or service that handles data on your behalf. Your CRM, email marketing platform, or analytics tool acts as a processor. They follow your instructions about what to do with the data.

Subprocessor: Any third party the processor engages to help deliver their service. Cloud infrastructure providers, payment processors, and email delivery services commonly fill this role.

The processor remains accountable to you for anything the subprocessor does. If a subprocessor mishandles data, your processor is on the hook, and ultimately, you're responsible to your customers.

Common types of subprocessors

Most software companies rely on subprocessors for specialized functions:

  • Cloud infrastructure (AWS, Google Cloud): Hosts the servers where your data lives
  • Email delivery services: Handles the technical work of getting messages to inboxes
  • Payment processing: Manages billing and transaction data
  • Analytics platforms: Processes usage data to improve the product
  • Customer support tools: Stores support ticket information and conversation history

ActiveCampaign, like most SaaS platforms, uses subprocessors to deliver reliable, secure service. You can review our complete list in our subprocessor documentation.

Your obligations when using subprocessors

If you're evaluating software that will handle customer data, ask these questions:

  1. Does the vendor publish a subprocessor list?
  2. Will they notify you before adding new subprocessors?
  3. Do they have a Data Processing Agreement that covers subprocessor obligations?
  4. Where are the subprocessors located, and does that affect your compliance requirements?

For GDPR specifically, Article 28(2) requires your processor to have your prior written authorization, either specific or general, before engaging any subprocessor. Most vendors handle this through their DPA, which typically grants general authorization while requiring advance notice of any intended addition or replacement so that you have the opportunity to object.

How to evaluate subprocessor risk

Not all subprocessors carry equal risk. A cloud hosting provider with access to your entire database presents different concerns than a mapping service that only receives addresses.

When reviewing a vendor's subprocessor list, consider:

  • Data access level: Does the subprocessor see raw personal data, or only anonymized information? Note that pseudonymized data (for example, records keyed by a user ID) is still personal data under GDPR.
  • Processing purpose: Are they storing data, analyzing it, or just transmitting it?
  • Geographic location: Does data cross borders that trigger additional compliance requirements, such as a transfer mechanism for data leaving the EU?
  • Security certifications: Do they hold SOC 2, ISO 27001, or similar credentials, and does the audit scope actually cover the service that touches your data?

Your data processing agreement should require your processor to impose equivalent data protection obligations on all subprocessors. This creates contractual accountability throughout the chain.
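As an added example (not code from this page or from ActiveCampaign), here is a small Python script that diffs a vendor's current subprocessor list against the copy you last approved and flags the entries that need a manual look under the criteria above: new or changed entries, processing in a region outside an allowed set, and raw personal-data access without an accepted certification. The list format, the sample entries, and the region and certification policy are constructed for illustration.

```python
"""Diff a vendor's published subprocessor list against the copy you last
approved and flag entries that need review.

Added example for this glossary page; not ActiveCampaign code. The record
format, the sample lists and the review policy are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subprocessor:
    name: str
    purpose: str            # e.g. "hosting", "email delivery", "analytics"
    access: str             # "raw" (sees personal data) or "anonymized"
    region: str             # ISO 3166-1 alpha-2 country code where data is processed
    certifications: tuple   # e.g. ("SOC 2", "ISO 27001")


# Hypothetical review policy for this controller: regions that need no extra
# transfer mechanism, and certifications accepted for raw-data access.
ALLOWED_REGIONS = {"DE", "FR", "IE", "NL"}
ACCEPTED_CERTS = {"SOC 2", "ISO 27001"}

# Constructed sample data: the list you approved when you signed the DPA ...
APPROVED = (
    Subprocessor("CloudHost Ltd", "hosting", "raw", "IE", ("SOC 2", "ISO 27001")),
    Subprocessor("MailRelay Inc", "email delivery", "raw", "IE", ("SOC 2",)),
    Subprocessor("UsageStats Co", "analytics", "anonymized", "US", ()),
)
# ... and the list the vendor publishes today (one region moved, one entry added).
CURRENT = (
    Subprocessor("CloudHost Ltd", "hosting", "raw", "IE", ("SOC 2", "ISO 27001")),
    Subprocessor("MailRelay Inc", "email delivery", "raw", "US", ("SOC 2",)),
    Subprocessor("UsageStats Co", "analytics", "anonymized", "US", ()),
    Subprocessor("TicketDesk GmbH", "customer support", "raw", "DE", ()),
)


def review(approved, current):
    """Return (added, removed, changed, findings).

    added/removed/changed are sorted lists of subprocessor names; findings is
    a list of (name, reason) tuples for entries that warrant manual review.
    Entries already approved and unchanged are not re-flagged.
    """
    approved_by_name = {s.name: s for s in approved}
    current_by_name = {s.name: s for s in current}

    added = sorted(set(current_by_name) - set(approved_by_name))
    removed = sorted(set(approved_by_name) - set(current_by_name))
    changed = sorted(
        n for n in set(current_by_name) & set(approved_by_name)
        if current_by_name[n] != approved_by_name[n]
    )

    findings = []
    for name in added + changed:
        s = current_by_name[name]
        if name in added:
            findings.append((name, "new subprocessor: confirm notice and objection window"))
        else:
            old = approved_by_name[name]
            for field in ("purpose", "access", "region"):
                before, after = getattr(old, field), getattr(s, field)
                if before != after:
                    findings.append((name, f"{field} changed: {before} -> {after}"))
        if s.region not in ALLOWED_REGIONS:
            findings.append((name, f"processes data in {s.region}: check transfer mechanism"))
        if s.access == "raw" and not (set(s.certifications) & ACCEPTED_CERTS):
            findings.append((name, "raw personal data access with no accepted certification"))
    return added, removed, changed, findings


if __name__ == "__main__":
    added, removed, changed, findings = review(APPROVED, CURRENT)
    print("added:", added, "removed:", removed, "changed:", changed)
    for name, reason in findings:
        print(f"  REVIEW {name}: {reason}")
```

Run it against a saved copy of the vendor's list on a schedule; a non-empty findings list is the trigger to open a review before the objection window in your DPA closes.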

FAQs

Do I need to sign separate agreements with my vendor's subprocessors?

No. Your agreement is with the processor. They're responsible for ensuring their subprocessors comply with data protection requirements. Your DPA with the processor should include provisions that flow down to subprocessors.

What happens if a subprocessor has a data breach?

The processor must notify you without undue delay after becoming aware of it. Under GDPR (Article 33), you as the controller must then notify your supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to individuals. Because a slow report from the processor or its subprocessor consumes your window, your DPA should set a concrete notification deadline for the processor rather than relying on "without undue delay" alone. This is why choosing processors with strong subprocessor oversight matters.

Can I object to a specific subprocessor?

Most DPAs include an objection mechanism. If a processor adds a subprocessor you're uncomfortable with, you typically have a window to raise concerns. If the issue can't be resolved, you may have the right to terminate the agreement.

Are all my software vendors considered subprocessors?

Not from your perspective. A vendor that processes personal data on your behalf, such as your email platform, CRM, or analytics tool, is your processor; the term subprocessor applies to the vendors that processor engages in turn. A vendor that handles no personal data for you, like your office supply vendor, is neither. The same company can be your processor in one relationship and a subprocessor in another, which is why a vendor's published subprocessor list matters.

Looking for a platform that takes data protection seriously? Start your free ActiveCampaign trial and see how we handle security and compliance.
