Last reviewed 2026-05-21

How to review vendor subprocessors for SOC 2 evidence

A useful subprocessor review answers three questions: which official source changed, whether customer data is in scope, and whether any customer-facing list, DPA exhibit, or Trust Center statement needs an update.

  • Workflow steps: 4 practical steps
  • Records to keep: 3 examples
  • Source links: 4 official sources

Step-by-step process

Step 1: Start from the vendor source

Use the vendor's subprocessor or service-provider page where available. If the page is missing or unclear, mark the source as a coverage gap and do not publish detailed subprocessor claims.

Step 2: Map the change to your data flow

A vendor subprocessor may not matter for every workflow. Record the product, data categories, account path, and whether the changed subprocessor can touch customer data.

Step 3: Check customer notice commitments

Review standard DPA language and any customer-specific terms before deciding whether notice, objection handling, or a Trust Center update is required.

Step 4: Keep the decision as evidence

A no-action decision still needs a record. Keep the source URL, review date, reviewer, customer impact, and any owner for follow-up.

Records to keep

  • A subprocessor checklist row for Google Workspace Gemini tied to Workspace sources.
  • A customer notification decision log for Zendesk or Intercom support data.
  • A SOC 2 evidence note showing source link, review date, and reviewer.

Where mistakes happen

  • Updating a public vendor list without checking customer notice terms.
  • Assuming every product from a large vendor has the same subprocessor list.
  • Missing subprocessors introduced through exports, observability, or support integrations.

Lightweight version

For a startup, keep a current subprocessor review packet for vendors named in customer DPAs and add one decision log row per material change.

More mature version

For a GRC team, connect subprocessor source changes to vendor records, customer-specific notice obligations, and the Trust Center publication workflow.

Source links

These are starting sources for the examples in this guide. Review the vendor page for scope and limitations before changing customer commitments.
