In third-party risk management, what is a subprocessor?

Prepare for the Certified Third-Party Risk Professional (CTPRP) Exam with our comprehensive quizzes. Use multiple choice questions with detailed explanations to ensure success. Maximize your study time and get ready to ace the exam!

Multiple Choice

In third-party risk management, what is a subprocessor?

Explanation:
Subprocessors are third-party entities that a data processor hires to perform data processing on behalf of another vendor. They operate under the contract with the primary vendor, so their data protection obligations are carried down to them through flow-down controls. This is why the best answer describes a vendor that processes data for someone else and requires oversight and flow-down safeguards. In practice, if a cloud provider uses a separate data-processor firm to handle some data tasks, that firm is a subprocessor, and the primary provider must assess, monitor, and contractually require it to meet the same security and privacy requirements. The other descriptions don’t capture this relationship: a vendor that collects data directly from customers is a primary processor or controller, a security tool is a technology, and a regulatory body is an authority, not a processor.

