IndexableSubprocessorsLast reviewed 2026-05-21

Subprocessor change review checklist

Use this checklist when a vendor adds, removes, or changes a subprocessor, or when your team starts using a new vendor feature that changes the subprocessor story.

Download Markdown Download CSV Generate this automatically

Who it is for

Privacy, legal, security, and customer success teams that need to review vendor subprocessor changes before updating customers.

Template

Subprocessor review checklist with 5 starter rows.

Download formats

Markdown for docs, CSV for spreadsheet review.

When to use it

After a vendor subprocessor page changes.
Before publishing a customer-facing subprocessor list update.
When a new product feature sends data to a vendor or integration.

How to fill it out

Start from the official subprocessor source, not a sales note.
Map the change to the customer data categories your product actually sends.
Keep customer-notice decisions separate from internal evidence refreshes.

Subprocessor review checklist

Use these rows as a starting point, then replace the example language with your vendor, source, customer data, and owner details.

4 columns

Question: Which vendor and product changed?
Current answer: Name the specific product, workspace, and customer data path.
Review action: Compare the vendor source to your own vendor exhibit.
Evidence: Vendor subprocessor page and internal vendor record.

Question: Is customer personal data in scope?
Current answer: List the data categories and whether sensitive data is involved.
Review action: Confirm whether the new subprocessor can access those categories.
Evidence: Data-flow note and DPA exhibit.

Question: Does the customer contract require notice?
Current answer: Check notice, objection, and update commitments.
Review action: Route contract-specific language to legal or privacy review.
Evidence: Customer DPA or standard terms.

Question: Does the Trust Center need an update?
Current answer: Compare public vendor list, source date, and subprocessor wording.
Review action: Update only after source and contract review are complete.
Evidence: Trust Center entry and source link.

Question: What is the final action?
Current answer: No action, update internal evidence, update customer page, notify customers, or pause use.
Review action: Assign owner and due date for any external update.
Evidence: Decision log entry.

Question	Current answer	Review action	Evidence
Which vendor and product changed?	Name the specific product, workspace, and customer data path.	Compare the vendor source to your own vendor exhibit.	Vendor subprocessor page and internal vendor record.
Is customer personal data in scope?	List the data categories and whether sensitive data is involved.	Confirm whether the new subprocessor can access those categories.	Data-flow note and DPA exhibit.
Does the customer contract require notice?	Check notice, objection, and update commitments.	Route contract-specific language to legal or privacy review.	Customer DPA or standard terms.
Does the Trust Center need an update?	Compare public vendor list, source date, and subprocessor wording.	Update only after source and contract review are complete.	Trust Center entry and source link.
What is the final action?	No action, update internal evidence, update customer page, notify customers, or pause use.	Assign owner and due date for any external update.	Decision log entry.

Common mistakes

Updating a public list without checking customer notice requirements.
Assuming a parent vendor change applies to every product line.
Missing subprocessors introduced through logs, support exports, or analytics tools.

Example subprocessor review

Google Workspace subprocessors reviewed for Workspace Gemini use; customer content and admin metadata in scope; no customer-specific objection period triggered under standard terms; Trust Center source date updated.

AI Vendor Packet organizes review packet evidence and review workflow support. This template is not legal advice.

Related vendor pages

Use these vendor pages to fill in vendor-specific rows before sharing the template with customers or auditors.

Google Workspace / GeminiReview Google Workspace / Gemini privacy, terms, DPA, security, and data-use sources for SaaS customer commitments.IntercomReview Intercom privacy, terms, DPA, security, and data-use sources for SaaS customer commitments.ZendeskReview Zendesk privacy, terms, DPA, security, and data-use sources for SaaS customer commitments.StripeReview Stripe privacy, terms, DPA, security, and data-use sources for SaaS customer commitments.

Related templates

These templates pair well when the review leads to a customer-facing update, evidence packet, or internal decision.

Customer notification decision log templateUse this log to record the decision, not just the change. It keeps customer notice decisions grounded in source evidence, contract review, and owner approval.Vendor DPA review worksheetUse this worksheet to connect a vendor DPA to your customer-facing promises. It helps separate contract evidence from product behavior, which often needs a separate source.

Turn this template into a review packet.

Select your vendors, customer commitments, and data categories. AI Vendor Packet turns official-source checks into a review packet your team can keep as evidence.

Generate a subprocessor review View all templates