Subprocessor notice FAQ for SaaS teams
Fast answers for founders who need to turn one vendor change into a clean customer notice, deadline, and evidence trail without overbuilding the process.
This page explains the workflow in plain language. Your DPA, privacy policy, procurement terms, and counsel decide the actual notice obligation.
When do I need to send a notice?
Use a subprocessor notice when you add, replace, or materially change a vendor that may process customer data and the controlling agreement requires advance notice. The trigger is usually the vendor change plus the customer-facing obligation, not just the existence of a new tool.
What should the notice include?
Vendor facts
List the legal vendor name, what it does, the data categories involved, and the processing region in customer-facing language.
Timing
Show the notice date, effective date, and objection deadline together so the timeline is easy to review without recalculating it.
Audience
State the affected customer segment so you do not send a broad notice to accounts that are not covered by the change.
Proof
Keep the final copy, recipient list, send timestamp, page snapshot, and reviewer notes together in one evidence folder.
Do I need to notify every customer?
Usually not. Many teams split notices by DPA version, region, product line, or procurement terms so only the affected customers receive the update. If your contracts differ, the segment should match the agreement that actually controls the change.
How long should the objection window be?
Use the objection period in the agreement that controls the change. Some teams work from 7 days, some from 14 days, and some from 30 days. The key is to make the deadline visible and keep the math consistent from the notice to the evidence log.
Where should proof live?
- Final notice copy.
- Recipient list or export.
- Send timestamp.
- Updated public subprocessor page snapshot.
- Reviewer signoff or approval note.
- Any objection reply and final resolution.
What if a customer objects?
Route the reply to the internal owner, record the request, and decide whether the contract requires a response. A simple reply template and objection tracker are usually enough for the first pass; the attorney review packet can capture the edge cases later.
Short notice formula: vendor name, purpose, data involved, region, notice date, effective date, deadline, and a link to the current public list.
Use when: you need a repeatable first draft before counsel or procurement reviews the change.
Need the workflow, not just the answers?
Run the self-audit to score the gap, then pick Starter or Pro if you need the editable notice, tracker, and evidence files.