Disclosure of Data Sub-processors

[All Actors]
1. Disclose to data owners or customers every sub-processor that will access personal or sensitive data before processing begins, and promptly update the disclosure when a sub-processor is added, removed, or changes scope.

2. Maintain detailed logs or registers of all sub-processor engagements - including purpose, data categories accessed, approval / consent status, and effective dates - for audit or regulatory review.

3. Provide mechanisms to obtain, record, and honour explicit consent or approval (e-g., in-app settings, contract clauses, service-catalog workflows) wherever law or contract demands it.

4. Share relevant privacy-and-security documentation for each sub-processor (DPIAs, technical controls, certifications, access protocols) with customers, regulators, or internal stakeholders on request.

5. Perform risk-based due-diligence and embed contractual clauses that bind sub-processors to the same data-protection and disclosure obligations the actor has accepted.

[Shared among: MP, OSP, CSP]
1. Implement telemetry and visibility tooling (dashboards, access logs) to track real-time data-access events by sub-processors across model-training, orchestration, or infrastructure layers the actor operates, and surface those records for audit.

1. Policies, Roles and Contracts: Examine the CSP’s documented policies, procedures, and contractual requirements requiring sub-processors to disclose access to PII before processing begins; identify and address any areas where contractual controls are insufficient, and ensure appropriate risk mitigation is in place; verify that roles and responsibilities for managing disclosures and approvals are defined and documented; review contracts with sub-processors and customers to ensure they mandate equivalent privacy and security standards; and include disclosure of subcontractors, and enforce data minimization (only necessary PII shared).

2. Sample-Based Validation: Select a sample of data transfers to sub-processors and validate that disclosures were made before processing and controls and reporting comply with CSP’s policies.

3. Disclosure Records and Record-Keeping: Verify that the CSP maintains complete records of all sub-processor disclosures, including: what was disclosed, when, to whom, the authority/legal basis, and confirm that these records are maintained and auditable throughout the service lifecycle.

4. Customer Notification and Legal Requests: Confirm the CSP has documented processes to notify customers of any legally binding disclosure requests, reject non-legally binding requests unless customers consent, ensure timely notification in compliance with contractual and legal obligations, and notify customers of any changes to sub-processors that may affect PII processing.

5. Sub-processor Management and Infrastructure Transparency: Review the CSP’s documentation and disclosures regarding their infrastructure sub-processors who may access PII through provided services, Verify that agreements and communications with customers make transparent how the CSP’s infrastructure and sub-processors handle PII.

6. Customer Transparency Mechanisms: Assess whether the CSP has implemented technical capabilities (e.g., logging, monitoring, dashboards) to enable customers to track data access and flows, meet their own sub-processor disclosure obligations, and review customer-facing documentation explaining how the CSP’s infrastructure supports transparency and disclosure requirements.