
Vendor Risk Assessment

Subprocessors vs Vendors

Make subprocessor visibility part of your vendor risk playbook so SOC 2 evidence and contracts stay accurate.

How they differ

  • Vendors provide services directly to you; subprocessors are vendors your vendor relies on to deliver service to you.
  • Customers expect transparency for both when their data is involved.
  • Contractual rights flow differently: your contract is with the vendor, so your rights against a subprocessor exist only if the vendor flows them down. Many agreements therefore require pre-approval of, or advance notice for, new subprocessors.

What to track

  • Data types, regions, and residency for each subprocessor.
  • Security reports (SOC/ISO) and change notifications.
  • Incident history and breach notice commitments.

Practical handling

  • Require vendors to disclose subprocessors and update you before changes.
  • Direct your evidence requests at the highest-risk link in the chain (often a subprocessor that actually stores the data), not only at the vendor you contract with.
  • If an unapproved subprocessor appears, escalate: shorten the review cadence, require a written explanation, and terminate if the issue is not resolved.

Evidence you can request

  • Subprocessor register with services, regions, and certifications.
  • Notification process for additions/changes with lead time.
  • Flow-down of security obligations and incident notice.
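The tracking and handling steps above (regions and data types per subprocessor, report currency, and escalation when an unapproved subprocessor appears) can be automated as a diff between the register you approved and the vendor's current disclosure. The following is an added example, not code from the original page; the residency policy, the 455-day report-age threshold, the severity labels, and the sample vendor data are all assumptions constructed for illustration.

```python
"""Diff a vendor's current subprocessor disclosure against the register you
previously approved, and flag the cases a vendor risk playbook cares about:
unapproved entries, region changes, residency violations, stale reports."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Subprocessor:
    name: str
    service: str
    regions: frozenset      # ISO 3166-1 alpha-2 codes where data is processed
    data_types: frozenset   # e.g. "customer_pii", "telemetry"
    report: str             # assurance report held, e.g. "SOC 2 Type II"
    report_date: date       # report issue / period-end date


# Hypothetical residency policy: regions each data type may be processed in.
RESIDENCY_POLICY = {
    "customer_pii": frozenset({"US", "IE", "DE"}),
    "telemetry": frozenset({"US", "IE", "DE", "SG"}),
}
# Assumed threshold: a report older than ~15 months is treated as stale.
MAX_REPORT_AGE = timedelta(days=455)


def review_register(approved, disclosed, today,
                    policy=RESIDENCY_POLICY, max_age=MAX_REPORT_AGE):
    """Compare the approved register with the vendor's current disclosure.
    Returns a list of (severity, subprocessor_name, finding) tuples."""
    findings = []
    approved_by_name = {s.name: s for s in approved}
    disclosed_by_name = {s.name: s for s in disclosed}

    for name, sub in disclosed_by_name.items():
        prior = approved_by_name.get(name)
        if prior is None:
            findings.append(("high", name,
                             "unapproved subprocessor appeared without notice"))
        elif prior.regions != sub.regions:
            findings.append(("medium", name,
                             f"regions changed {sorted(prior.regions)} -> "
                             f"{sorted(sub.regions)}"))
        # Residency is checked for every disclosed entry, approved or not,
        # because an approved subprocessor can quietly add a region.
        for dtype in sorted(sub.data_types):
            outside = sub.regions - policy.get(dtype, frozenset())
            if outside:
                findings.append(("high", name,
                                 f"{dtype} processed outside allowed regions: "
                                 f"{sorted(outside)}"))
        if today - sub.report_date > max_age:
            findings.append(("medium", name,
                             f"{sub.report} dated {sub.report_date} is older "
                             f"than {max_age.days} days; request a current one"))

    # Entries that vanished from the disclosure still need follow-up:
    # confirm offboarding and deletion of your data.
    for name in sorted(approved_by_name.keys() - disclosed_by_name.keys()):
        findings.append(("low", name,
                         "no longer disclosed; confirm offboarding and data deletion"))
    return findings


def recommended_action(findings):
    """Map the worst severity to the playbook's escalation step."""
    severities = {sev for sev, _, _ in findings}
    if "high" in severities:
        return "escalate: pause new data flows, require written explanation, consider termination"
    if "medium" in severities:
        return "shorten review cadence and request updated evidence"
    return "no change to review cadence"


# Constructed sample data (not real vendors).
APPROVED = [
    Subprocessor("CloudHost Ltd", "compute/storage", frozenset({"US", "IE"}),
                 frozenset({"customer_pii", "telemetry"}),
                 "SOC 2 Type II", date(2024, 9, 30)),
    Subprocessor("MailRelay Inc", "transactional email", frozenset({"US"}),
                 frozenset({"customer_pii"}), "ISO 27001", date(2024, 3, 1)),
]
DISCLOSED = [
    # Same vendor, but SG was added: customer_pii now leaves the allowed regions.
    Subprocessor("CloudHost Ltd", "compute/storage", frozenset({"US", "IE", "SG"}),
                 frozenset({"customer_pii", "telemetry"}),
                 "SOC 2 Type II", date(2024, 9, 30)),
    Subprocessor("MailRelay Inc", "transactional email", frozenset({"US"}),
                 frozenset({"customer_pii"}), "ISO 27001", date(2024, 3, 1)),
    # Never approved: should trigger the escalation path.
    Subprocessor("Analytix GmbH", "product analytics", frozenset({"DE"}),
                 frozenset({"telemetry"}), "SOC 2 Type I", date(2025, 1, 15)),
]
TODAY = date(2025, 6, 30)

if __name__ == "__main__":
    results = review_register(APPROVED, DISCLOSED, TODAY)
    for sev, name, finding in results:
        print(f"[{sev}] {name}: {finding}")
    print("action:", recommended_action(results))
```

Run against the sample data this yields four findings: a region change and a residency violation for the approved cloud host, a stale ISO report for the email relay, and an unapproved analytics subprocessor, so the recommended action is to escalate. Feeding the register in as structured data (rather than a PDF list) is what makes the change notifications the page recommends checkable on every refresh.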