Framework — GDPR
Know your sub-processors
GDPR makes controllers responsible for their entire processing chain. Every processor, every sub-processor, every international transfer — documented, monitored, and contract-covered.
Key articles
What GDPR requires for processors
Articles 28–49 establish the rules for using processors, engaging sub-processors, and transferring data internationally. These are the articles that drive vendor due diligence.
Article 28
Processor obligations
Controllers must use only processors providing sufficient guarantees. Processors must not engage sub-processors without prior written authorisation. Sudory tracks the full chain — processor, sub-processor, sub-sub-processor.
Article 30
Records of processing activities
Every processor must maintain a record of processing activities carried out on behalf of the controller. Sudory's vendor profiles contain the data you need for your ROPA.
Articles 44–49
International transfers
Personal data transfers outside the EU/EEA require adequate safeguards — adequacy decisions, Standard Contractual Clauses, or Binding Corporate Rules. Sudory tracks data processing regions and DPF participation.
Article 32
Security of processing
Controllers and processors must implement appropriate technical measures. Sudory scans your processors' public security posture — TLS, DNSSEC, email authentication, security headers — as continuous evidence.
The chain
Controller → processor → sub-processor
GDPR creates a chain of obligations. As the controller, you're responsible for knowing who's in your chain — and ensuring every link meets data protection requirements.
01
Controller
Your organisation
You determine why and how personal data is processed. You're responsible for choosing processors that provide sufficient guarantees — and for knowing who they share data with.
02
Processor
Your SaaS vendor
Your vendor processes data on your behalf under a DPA. They must inform you before adding or replacing sub-processors — and give you the right to object.
03
Sub-processor
Their infrastructure & services
AWS, GCP, Stripe, Twilio, Datadog — the services your vendor uses. Each is a sub-processor. Each must meet the same data protection obligations imposed on your processor.
Terminology
GDPR's data processing vocabulary
These terms define the relationships and obligations in your vendor chain. Every DPA audit, every supervisory authority inquiry, and every DPIA references them.
Data controller
The entity that determines the purposes and means of processing personal data. When you use a SaaS vendor, you're typically the controller — the vendor is your processor.
Data processor
The entity that processes personal data on behalf of the controller. Your SaaS vendors are processors. They must follow your instructions and meet Article 28 requirements.
Sub-processor
A processor engaged by another processor. When your SaaS vendor uses AWS for hosting and Stripe for payments, AWS and Stripe are sub-processors. GDPR requires you to know about them.
Data Processing Agreement (DPA)
Article 28(3) requires a contract between controller and processor covering subject matter, duration, nature of processing, and categories of data. Every vendor should have one.
Standard Contractual Clauses (SCCs)
EU-approved contractual safeguards for international data transfers. Required when your processor transfers data outside the EU/EEA and no adequacy decision exists.
EU-US Data Privacy Framework (DPF)
The adequacy decision for US-based processors. Companies self-certify with the Department of Commerce. Sudory tracks DPF participation for every vendor in the directory.
Records of Processing Activities (ROPA)
Article 30 documentation listing all processing activities, categories of data, recipients, and transfers. Your vendor register feeds directly into your ROPA.
Transfer Impact Assessment (TIA)
Post-Schrems II requirement. When using SCCs, you must assess whether the recipient country's laws provide adequate protection. Data processing regions matter.
How Sudory helps
Sub-processor management, automated
Sudory's vendor directory and scanning engine produce the evidence GDPR's processor requirements demand. Sub-processor chains, DPA links, data regions, and DPF status — structured and searchable.
Sub-processor directory
1,500+ vendor profiles with documented sub-processor chains. See who your vendors share data with — and who those sub-processors use in turn.
DPA availability
Direct links to each vendor's Data Processing Agreement. No more hunting through legal pages. Know immediately which vendors have DPAs — and which don't.
Data processing regions
Filter vendors by where they process data. EU, US, or global — know exactly which transfer mechanisms (SCCs, DPF, adequacy) you need for each vendor.
DPF participation tracking
Sudory tracks EU-US Data Privacy Framework certification for every US-based vendor. Know which vendors have a valid adequacy basis — and which need SCCs.
Security posture scanning
Article 32 requires appropriate technical measures. Sudory scans vendors' public infrastructure — TLS configuration, DNSSEC, email authentication, security headers — as continuous evidence.
Change notification
Article 28(2) requires processors to inform controllers of sub-processor changes. Sudory monitors vendor profiles for changes — new sub-processors surface automatically.
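The posture checks named above (TLS, DNSSEC, email authentication, security headers) can be turned into pass/warn/fail evidence once the raw data has been collected. The following is an added example and not Sudory's scanner: it assumes the DNS TXT records, DNSSEC validation flag, negotiated TLS version and HTTP headers have already been fetched, and the thresholds it applies (DMARC p=reject at 100%, an HSTS max-age of at least one year, TLS 1.2 as the minimum) are choices made here. The vendor.example domains and records are constructed.

```python
"""Evaluate a vendor's public security posture from already-collected
evidence: DNS TXT records (SPF / DMARC), a DNSSEC validation flag, the
negotiated TLS version, and HTTP response headers.
Added example, not Sudory's code; the Evidence shape is an assumption
so that the checks run offline on constructed input."""
import re
from dataclasses import dataclass


@dataclass
class Evidence:
    txt_records: dict         # DNS name -> list of TXT strings (constructed)
    dnssec_validated: bool    # assumption: AD bit set by a validating resolver
    tls_version: str          # highest protocol negotiated, e.g. "TLSv1.3"
    headers: dict             # lowercase HTTP response header -> value


def check_spf(ev, domain):
    """SPF: exactly one v=spf1 record ending in a restrictive 'all'."""
    spf = [r for r in ev.txt_records.get(domain, []) if r.startswith("v=spf1")]
    if len(spf) != 1:         # none, or several (RFC 7208: permerror)
        return "fail"
    last = spf[0].split()[-1]
    return {"-all": "pass", "~all": "warn"}.get(last, "fail")


def check_dmarc(ev, domain):
    """DMARC: policy at _dmarc.<domain>; only p=reject at 100% is a pass."""
    recs = [r for r in ev.txt_records.get("_dmarc." + domain, [])
            if r.startswith("v=DMARC1")]
    if not recs:
        return "fail"
    tags = dict(t.strip().split("=", 1) for t in recs[0].split(";") if "=" in t)
    policy = tags.get("p", "none").strip().lower()
    pct = int(tags.get("pct", "100"))
    if policy == "reject" and pct == 100:
        return "pass"
    if policy in ("quarantine", "reject"):
        return "warn"
    return "fail"             # p=none is monitoring only, no enforcement


def check_dnssec(ev):
    return "pass" if ev.dnssec_validated else "fail"


def check_tls(ev):
    """TLS: 1.3 is current, 1.2 acceptable, anything older is deprecated."""
    return {"TLSv1.3": "pass", "TLSv1.2": "warn"}.get(ev.tls_version, "fail")


def check_hsts(ev):
    """HSTS: present with a max-age of at least one year (31536000 s)."""
    value = ev.headers.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", value)
    if not m:
        return "fail"
    return "pass" if int(m.group(1)) >= 31536000 else "warn"


def check_headers(ev):
    """Other hardening headers: CSP and X-Content-Type-Options both expected."""
    has_csp = "content-security-policy" in ev.headers
    nosniff = ev.headers.get("x-content-type-options", "").lower() == "nosniff"
    if has_csp and nosniff:
        return "pass"
    return "warn" if has_csp or nosniff else "fail"


def assess(ev, domain):
    """Control -> status: the evidence record a DPA review or ROPA would cite."""
    return {
        "spf": check_spf(ev, domain),
        "dmarc": check_dmarc(ev, domain),
        "dnssec": check_dnssec(ev),
        "tls": check_tls(ev),
        "hsts": check_hsts(ev),
        "headers": check_headers(ev),
    }


def failing_controls(ev, domain):
    return sorted(c for c, s in assess(ev, domain).items() if s == "fail")


# Constructed evidence for two hypothetical vendor domains (not real scans).
GOOD = Evidence(
    txt_records={
        "vendor.example": ["v=spf1 include:_spf.mailprovider.example -all"],
        "_dmarc.vendor.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@vendor.example"],
    },
    dnssec_validated=True,
    tls_version="TLSv1.3",
    headers={
        "strict-transport-security": "max-age=63072000; includeSubDomains",
        "content-security-policy": "default-src 'self'",
        "x-content-type-options": "nosniff",
    },
)

WEAK = Evidence(
    txt_records={
        "vendor2.example": ["v=spf1 include:_spf.mailprovider.example ~all"],
        "_dmarc.vendor2.example": ["v=DMARC1; p=none"],
    },
    dnssec_validated=False,
    tls_version="TLSv1.2",
    headers={"strict-transport-security": "max-age=300"},
)

if __name__ == "__main__":
    for dom, ev in (("vendor.example", GOOD), ("vendor2.example", WEAK)):
        print(dom, assess(ev, dom))
```

Keeping the per-control result rather than a single score matters for Article 32 evidence: a "warn" on SPF (~all) and a "fail" on DMARC (p=none) point to different remediation conversations with the processor, and a dated record of each status is what a supervisory authority inquiry would ask to see.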
For MSPs
GDPR processor management across clients
Your clients are controllers. They need to know their processing chains. As an MSP, you can deliver sub-processor visibility and DPA management as a service.
ROPA across clients
Each client needs records of processing activities. Sudory provides the vendor data that feeds their ROPA — processors, sub-processors, data regions, and transfer mechanisms.
DPA management
Track which clients have DPAs in place with which vendors. Surface gaps where contracts are missing or where sub-processor authorisations are outdated.
Transfer impact at scale
After Schrems II, every non-EU transfer needs assessment. Sudory shows which vendors process data outside the EU and whether they're covered by DPF or need SCCs.
Map your sub-processor chain
Browse 1,500+ vendor profiles with sub-processor chains, DPA links, data processing regions, and DPF status. The due diligence Article 28 requires — already done.