The moment you start using any third-party tool that handles your customers' personal data — a payment processor, an email platform, a CRM, an analytics service — you enter into a data processing relationship. Understanding the terminology here matters because GDPR imposes specific obligations on each party in the chain, and disclosing those relationships to your customers is a legal requirement.
What is a sub-processor?
Under GDPR's framework, there are three main roles: the data controller (you, since you determine why and how data is processed), the data processor (a third party you engage to process data on your behalf), and the data subject (the individual whose data is being processed).
A sub-processor is any third party that your data processor engages to help fulfil its obligations to you. For example: if you use Kajabi as your membership platform, Kajabi is your data processor. If Kajabi uses Amazon Web Services to host its infrastructure, AWS is a sub-processor. If Kajabi uses Sendgrid to deliver emails, Sendgrid is another sub-processor. You may never directly engage with these companies, but they are processing your members' data.
In practice, most small businesses use the terms "data processors" and "sub-processors" interchangeably when referring to the third-party tools in their tech stack. What matters for compliance purposes is that you understand who has access to your customers' data and that you disclose this appropriately.
Do you need to list them in your privacy policy?
GDPR requires you to inform data subjects about "the recipients or categories of recipients" of their personal data. This means you must disclose your third-party data processors in your privacy policy. At minimum the requirement is to list categories of recipients, but regulators and privacy advocates generally recommend naming the specific companies involved.
A well-structured sub-processor list shows: the company name, their role in processing your customers' data, the country where they process data, and a link to their own privacy policy. For businesses transferring data to the US — which covers almost every SaaS product used by online businesses — you should also note the transfer mechanism (typically Standard Contractual Clauses).
How to keep your sub-processor list accurate
The sub-processor list is one of the most commonly outdated elements of a privacy policy, because tech stacks change frequently. Every time you add a new tool — a new email sequence, a support platform, a webinar tool, a CRM — you should update your privacy policy before the tool starts processing real user data.
A practical approach is to maintain an internal data register (sometimes called a Record of Processing Activities or ROPA) that tracks every tool you use and what data it accesses. Your privacy policy sub-processor section then reflects this register. If you have a Trust Center, the sub-processors list is typically published there as a dedicated, always-current document rather than buried in a lengthy privacy policy.
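The register-first approach described above (and the fields a well-structured list should carry, as set out earlier) can be kept honest with a small script: hold the register as structured data, check each entry for the required fields and for a missing transfer mechanism outside the EEA/UK, and render the privacy-policy section from it so the two never drift apart. The following is an added example written for this article, not code from the article or from any of the vendors it names; the company names follow the article's Kajabi/AWS/Sendgrid illustration, while the countries, URLs, data categories and dates are constructed placeholders, and the EEA/UK country set is an assumption that a real register should maintain itself.

```python
"""Keep a sub-processor register as data and render the privacy-policy section from it.

Added example for this article, not the article's or any vendor's code. Vendor
names mirror the article's illustration; every other value is a constructed
placeholder, not a verified fact about those companies.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: countries where this check does not demand a separate transfer
# mechanism (EU-27 plus EEA members and the UK). Adequacy rules change, so a
# real register should keep and date its own list.
EEA_AND_UK = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
    "SE", "IS", "LI", "NO", "GB",
}

# The fields the article says a well-structured list should show.
REQUIRED_FIELDS = ("name", "role", "country", "privacy_policy_url")


@dataclass
class SubProcessor:
    name: str
    role: str                                   # what the tool does with customer data
    country: str                                # ISO 3166-1 alpha-2 processing location
    privacy_policy_url: str
    data_categories: List[str] = field(default_factory=list)
    transfer_mechanism: Optional[str] = None    # e.g. "Standard Contractual Clauses"
    added_on: str = ""                          # ISO date the tool entered the stack


def validate_register(register: List[SubProcessor]) -> List[str]:
    """Return human-readable issues; an empty list means the register is publishable."""
    issues: List[str] = []
    seen = set()
    for sp in register:
        label = sp.name or "<unnamed>"
        for f in REQUIRED_FIELDS:
            if not getattr(sp, f):
                issues.append(f"{label}: missing {f}")
        if sp.name in seen:
            issues.append(f"{label}: duplicate entry")
        seen.add(sp.name)
        # Data leaving the EEA/UK needs a recorded transfer mechanism.
        if sp.country and sp.country.upper() not in EEA_AND_UK and not sp.transfer_mechanism:
            issues.append(f"{label}: processes data in {sp.country} but no transfer mechanism recorded")
        if not sp.data_categories:
            issues.append(f"{label}: no data categories recorded")
    return issues


def render_sub_processor_section(register: List[SubProcessor]) -> str:
    """Render the privacy-policy section directly from the register."""
    lines = ["Sub-processors", ""]
    for sp in sorted(register, key=lambda s: s.name.lower()):
        transfer = f"; transfer mechanism: {sp.transfer_mechanism}" if sp.transfer_mechanism else ""
        lines.append(
            f"- {sp.name}: {sp.role}. Processes data in {sp.country}{transfer}. "
            f"Data: {', '.join(sp.data_categories)}. Privacy policy: {sp.privacy_policy_url}"
        )
    return "\n".join(lines)


# Constructed sample register (placeholder values, deliberately including one
# US entry with no transfer mechanism so the check has something to flag).
SAMPLE_REGISTER = [
    SubProcessor("Kajabi", "membership platform hosting course content and member accounts",
                 "US", "https://example.invalid/kajabi-privacy",
                 ["name", "email", "purchase history"], "Standard Contractual Clauses", "2024-01-15"),
    SubProcessor("Amazon Web Services", "infrastructure hosting used by Kajabi",
                 "US", "https://example.invalid/aws-privacy",
                 ["all data stored by Kajabi"], "Standard Contractual Clauses", "2024-01-15"),
    SubProcessor("Sendgrid", "transactional email delivery",
                 "US", "https://example.invalid/sendgrid-privacy",
                 ["email address", "name"]),
]


if __name__ == "__main__":
    problems = validate_register(SAMPLE_REGISTER)
    for p in problems:
        print("ISSUE:", p)
    if not problems:
        print(render_sub_processor_section(SAMPLE_REGISTER))
```

Running the validation as a step in the release process (before a new tool touches real user data, as the text recommends) turns the "update the policy first" rule into a check that fails loudly rather than a reminder that gets forgotten.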