How to Write a Subprocessor Page for a SaaS Product
A subprocessor page is one of the simplest trust assets a SaaS team can create. It answers the buyer question: “Which third parties help process our data?”
Quick note
This guide is practical product education, not legal advice, security advice, SOC 2 certification, GDPR certification, or compliance certification. Review every answer against your actual product and company processes before sending it to a buyer.
What to include
Include vendor name, purpose, data category, role, location or region if known, and a short note about whether the vendor is essential to the service. Keep the language clear.
Common subprocessors
Depending on your product, your list may include hosting, database, payments, email, analytics, monitoring, support, authentication, file storage, and AI providers. Do not include vendors that do not touch customer data unless you clearly mark them as internal tools.
Keep it updated
The page is only useful if it stays accurate. Review it whenever you add a new vendor or remove one.
Make change handling clear
Some buyers ask whether they will be notified about subprocessor changes. If you offer notice, explain how it works. If you do not yet have a formal process, do not imply that you have one.
Use a generator for the first draft
VettBase includes a free subprocessor page generator that turns vendor notes into a cleaner first draft. You still need to review it before publishing.