Which documents support monitoring of subprocessors?

Prepare for the Certified Third-Party Risk Professional (CTPRP) Exam with our comprehensive quizzes. Use multiple choice questions with detailed explanations to ensure success. Maximize your study time and get ready to ace the exam!

Multiple Choice

Which documents support monitoring of subprocessors?

Explanation:
Monitoring subprocessors relies on documents that bind them to your data protections and provide evidence of their controls. Flow-down clauses ensure the same data protection obligations that apply to the primary processor also apply to any subprocessors, making compliance enforceable across the supply chain. Data processing agreements formalize roles, security requirements, breach notification, and the processor’s use of subprocessors, often including explicit approval and oversight rights. Attestations give verifiable, third-party evidence of controls through audits or certifications, helping you verify that subprocessors maintain appropriate security and privacy practices. In contrast, data retention schedules, privacy notices, and marketing briefs serve other purposes and don’t establish or demonstrate ongoing monitoring of subprocessors. Together, flow-down clauses, DSAs, and attestations provide the mechanisms and evidence needed to monitor subprocessors effectively.

