Envello
Trust

What actually belongs on a subprocessor list (and why most are stale)

Envello Team·2026-07-16·4 min read

A subprocessor list exists to answer one question for a DPO doing due diligence: who else touches this data besides the vendor I'm signing with? A list that's a year out of date, or vague about what each subprocessor actually does, doesn't answer that question, it just checks a box.

What a useful subprocessor list actually contains

  • The specific vendor name, not a category ("a cloud provider" tells a reviewer nothing)
  • What that vendor actually processes (infrastructure hosting vs. payment processing vs. analytics are very different risk profiles)
  • Where that vendor processes data, since this is what determines whether SCCs or another transfer mechanism apply

Envello's approach

The current, full subprocessor list is available on request rather than published as a static page, specifically so it can be given directly and stay attached to a specific request rather than drifting out of sync with a page nobody remembers to update. Active customers get 30 days' notice by email before any subprocessor is added or replaced, and any subprocessor operating outside the EEA is bound by the EU Standard Contractual Clauses as an additional safeguard on top of its own GDPR compliance.

The 30-day notice is the part that matters most

A subprocessor list is a snapshot; what actually protects you over time is the notice period before it changes. 30 days is enough time to raise an objection, ask questions, or in the extreme case, plan a migration, before a new subprocessor starts touching your data. A vendor that reserves the right to add subprocessors silently, with no notice period, has effectively made the list decorative.

Envello

EU-hosted transactional email, done right by default.