# Subprocessor change review checklist

Last reviewed: 2026-05-21

AI Vendor Packet organizes review evidence and workflow support. This template is not legal advice.

## Who this is for

Privacy, legal, security, and customer success teams that need to review vendor subprocessor changes before updating customers.

## What this template is for

Use this checklist when a vendor adds, removes, or changes a subprocessor, or when your team starts using a new vendor feature that changes which subprocessors are involved.

## When to use it

- After a vendor subprocessor page changes.
- Before publishing a customer-facing subprocessor list update.
- When a new product feature sends data to a vendor or integration.

## Subprocessor review checklist

| Question | Current answer | Review action | Evidence |
| --- | --- | --- | --- |
| Which vendor and product changed? | Name the specific product, workspace, and customer data path. | Compare the vendor source to your own vendor exhibit. | Vendor subprocessor page and internal vendor record. |
| Is customer personal data in scope? | List the data categories and whether sensitive data is involved. | Confirm whether the new subprocessor can access those categories. | Data-flow note and DPA exhibit. |
| Does the customer contract require notice? | Check notice, objection, and update commitments. | Route contract-specific language to legal or privacy review. | Customer DPA or standard terms. |
| Does the Trust Center need an update? | Compare public vendor list, source date, and subprocessor wording. | Update only after source and contract review are complete. | Trust Center entry and source link. |
| What is the final action? | No action, update internal evidence, update customer page, notify customers, or pause use. | Assign owner and due date for any external update. | Decision log entry. |

## How to fill it out

- Start from the official subprocessor source, not a sales note.
- Map the change to the customer data categories your product actually sends.
- Keep customer-notice decisions separate from internal evidence refreshes.

## Common mistakes

- Updating a public list without checking customer notice requirements.
- Assuming a parent vendor change applies to every product line.
- Missing subprocessors introduced through logs, support exports, or analytics tools.

## Example subprocessor review

Google Workspace subprocessors reviewed for Workspace Gemini use; customer content and admin metadata in scope; no customer-specific objection period triggered under standard terms; Trust Center source date updated.

## Generate this automatically

Use the AI Vendor Packet scanner to generate this template from selected vendors, customer data categories, and customer-facing commitments.

