Sub-Processor

Defined in §8(2), DPDPA 2023

A third party engaged by a Data Processor to assist in processing personal data on behalf of the Data Fiduciary.

What does “Sub-Processor” mean?

A sub-processor is any entity engaged by a Data Processor to carry out specific processing activities on behalf of the Data Fiduciary. For example, if your CRM vendor uses a cloud provider to host data, that cloud provider is a sub-processor. Under DPDPA, the Data Fiduciary must be informed of and consent to sub-processors, because the Data Fiduciary maintains ultimate accountability. The chain of responsibility extends through all processing tiers.

Why does this matter for your business?

Your compliance risk extends beyond direct vendors to their sub-processors. If your payment gateway uses an analytics sub-processor that suffers a breach, you are still liable. Maintaining visibility into the sub-processor chain is essential.

Real example

A Pune SaaS startup uses HubSpot (processor) for CRM. HubSpot uses AWS (sub-processor) for hosting and SendGrid (sub-processor) for emails. The startup's DPA with HubSpot must address these sub-processors and require notification of changes.

Common misconception

Many startups assume their vendor's choice of sub-processors is "not my problem." Under DPDPA, you remain accountable for the entire processing chain and must maintain appropriate contractual controls.
