Overview

When your vendors engage third-party subprocessors to deliver their services, those subprocessors become part of your extended supply chain risk. LowerPlane’s subprocessor tracking gives you visibility into the downstream parties that handle your data, which is essential for GDPR compliance, vendor due diligence, and comprehensive risk management.
Under GDPR, data controllers must know about and approve all subprocessors in the processing chain. LowerPlane’s subprocessor tracking helps you maintain this oversight and supports your Records of Processing Activities (ROPA).

Where Subprocessors Are Managed

Subprocessors are tracked in two places within the platform:
  1. Vendor Risk Assessment Detail > Subprocessors tab — subprocessors declared as part of a formal risk assessment
  2. Vendor Share Page — vendors can self-declare their subprocessors through the shared assessment link
Both entry points feed into the same subprocessor registry for the vendor, giving you a unified view regardless of how the data was collected.

Adding Subprocessors

  1. Open the Subprocessors Tab — Navigate to a vendor risk assessment detail page and select the Subprocessors tab.
  2. Click Add Subprocessor — Click the Add Subprocessor button to open the creation form.
  3. Fill in Details — Provide the following information:
     • Subprocessor Name — the name of the third-party company
     • Service Description — what service the subprocessor provides
     • Data Categories — types of data the subprocessor handles (personal data, financial data, health data, etc.)
     • Hosting Location — where the subprocessor stores or processes data (country/region)
     • Risk Level — the assessed risk level (critical, high, medium, low)
  4. Save — Save the subprocessor record. It is now linked to the vendor and visible in the assessment detail.

Subprocessor Fields

Field               Description
Name                Legal or trade name of the subprocessor
Service             Description of the service provided
Data Categories     Types of data handled (e.g., personal data, payment data, health data)
Hosting Location    Country or region where data is stored or processed
Risk Level          Assessed risk level: Critical, High, Medium, or Low

Vendor-Managed Subprocessors

One of the most powerful features of subprocessor tracking is the ability for vendors to manage their own subprocessor declarations through the shared assessment link. When you share a risk assessment with a vendor, the vendor can:
  • Add new subprocessors they use to deliver services to your organization
  • Update existing subprocessors with current information
  • Remove subprocessors that are no longer in use
This self-service approach ensures your subprocessor records stay current without requiring constant back-and-forth communication.
When sharing a risk assessment, remind vendors to review and update their subprocessor list. Subprocessor changes are one of the most common oversights in vendor management.

Data Categories

Tracking which types of data each subprocessor handles is critical for regulatory compliance:
Category                 Regulatory Relevance
Personal Data (PII)      GDPR, SOC 2, ISO 27001
Health Data (PHI)        HIPAA, GDPR
Payment Data (PCI)       PCI-DSS
Financial Data           SOC 2, regulatory reporting
Confidential Data        ISO 27001, contractual obligations
Intellectual Property    Trade secret protection

Hosting Locations

Recording where subprocessors store and process data supports:
  • GDPR data transfer assessments — identifying transfers outside the EEA
  • Data residency requirements — ensuring data stays within required jurisdictions
  • Regulatory compliance — meeting industry-specific data localization mandates
If a subprocessor hosts data outside your organization’s approved regions, this may require additional legal safeguards such as Standard Contractual Clauses (SCCs) or adequacy decisions under GDPR.

Risk Assessment Integration

Subprocessors declared during a vendor risk assessment contribute to the overall risk picture:
  • Vendors with many high-risk subprocessors may receive a higher overall risk classification
  • Subprocessor data categories feed into the assessment’s privacy domain scoring
  • Hosting locations in high-risk jurisdictions may flag additional review requirements
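As an added illustration of the Hosting Locations and Risk Assessment Integration sections (not LowerPlane's own code, and not its actual scoring rules), the following Python model shows how the hosting-location and risk-level fields can drive a transfer check and a vendor-level roll-up. The EEA membership set is factual; the adequacy-decision set, the roll-up heuristic and its threshold are assumed configuration.

```python
from dataclasses import dataclass

# EEA = the 27 EU member states plus Iceland, Liechtenstein and Norway (ISO 3166-1 alpha-2).
EEA = frozenset({
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU", "IE", "IT",
    "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE", "IS", "LI", "NO",
})
RISK_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}   # levels from the fields table
RISK_NAME = {v: k for k, v in RISK_ORDER.items()}

@dataclass(frozen=True)
class Subprocessor:
    """One subprocessor record, mirroring the Subprocessor Fields table."""
    name: str
    service: str
    data_categories: frozenset   # e.g. {"personal", "payment"}
    hosting_location: str        # ISO 3166-1 alpha-2 country code
    risk_level: str              # "critical", "high", "medium" or "low"

def transfer_basis(sp: Subprocessor, adequacy: frozenset) -> str:
    """Classify the GDPR transfer basis a hosting location calls for. `adequacy`
    is caller-supplied configuration (assumed here): countries with an adequacy decision."""
    loc = sp.hosting_location.upper()
    if loc in EEA:
        return "eea"                 # no cross-border transfer under GDPR
    if loc in adequacy:
        return "adequacy-decision"   # transfer permitted on that basis
    return "safeguards-required"     # e.g. SCCs; route to legal review

def assess_vendor(subs, adequacy, high_risk_threshold: int = 2) -> dict:
    """Roll subprocessor risk up to a vendor classification. Assumed heuristic: the worst
    subprocessor level, bumped one notch when >= high_risk_threshold are high/critical."""
    levels = [RISK_ORDER[s.risk_level] for s in subs]
    worst = max(levels, default=RISK_ORDER["low"])
    n_high = sum(1 for lvl in levels if lvl >= RISK_ORDER["high"])
    if n_high >= high_risk_threshold:
        worst = min(worst + 1, RISK_ORDER["critical"])
    review = [s.name for s in subs if transfer_basis(s, adequacy) == "safeguards-required"]
    return {"classification": RISK_NAME[worst], "transfer_review": review}

# Constructed sample registry for one vendor (fictional subprocessors).
ADEQUACY = frozenset({"CH", "GB", "JP"})   # assumed config; check current Commission decisions
SAMPLE = [
    Subprocessor("CloudHost Example", "infrastructure", frozenset({"personal"}), "DE", "high"),
    Subprocessor("Analytics Example", "usage analytics", frozenset({"personal"}), "US", "high"),
    Subprocessor("Billing Example", "invoicing", frozenset({"payment"}), "CH", "medium"),
]
```

Running `assess_vendor(SAMPLE, ADEQUACY)` on the constructed registry yields a "critical" classification (two high-risk subprocessors trip the threshold) and flags only the US-hosted subprocessor for transfer review.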

Subprocessor Audit Trail

All changes to subprocessor records are tracked:
  • When a subprocessor was added, modified, or removed
  • Whether the change was made by an internal user or by the vendor through the share link
  • Historical subprocessor declarations from previous assessment versions

GDPR Compliance

For organizations subject to GDPR, subprocessor tracking supports several key requirements:
Processors must not engage subprocessors without prior authorization from the controller. LowerPlane’s tracking system provides the documentation trail needed to demonstrate this authorization.
ROPA entries must include information about subprocessors. Subprocessor records in LowerPlane can be referenced directly in your ROPA documentation.
When subprocessors are located outside the EEA, you must have appropriate safeguards in place. Hosting location tracking helps you identify these transfers and document the applicable legal basis.

Best Practices

  • Require subprocessor declarations as part of every vendor risk assessment
  • Review subprocessor lists annually during vendor reassessments
  • Pay special attention to hosting locations that may trigger cross-border data transfer requirements
  • Track changes over time — vendors frequently add or change subprocessors, and each change may affect your risk posture
  • Include subprocessor requirements in contracts — ensure your vendor agreements require notification of subprocessor changes