8.2.3 Security & Compliance — Compliance & Governance — Subprocessors — Overview

Subprocessors are third-party service providers that process data on behalf of the platform to support specific operational functions. The platform maintains strict controls over subprocessors to ensure compliance, security, and transparency.

Definition and Scope

A subprocessor is any external party that processes personal or operational data as part of delivering platform services.

Typical subprocessor functions:

- Infrastructure hosting
- Email and notification delivery
- Analytics and monitoring
- AI and automation services

Subprocessors are engaged only when necessary.

Selection and Due Diligence

Subprocessors are selected through formal evaluation processes.

Evaluation criteria:

- Security posture
- Compliance certifications
- Data protection commitments
- Operational reliability

Engagement requires contractual safeguards.

Contractual Controls

All subprocessors are bound by data processing agreements.

Contractual guarantees:

- Processing limited to defined purposes
- Confidentiality obligations
- Security measure requirements
- Audit and inspection rights

Transparency and Disclosure

Tenants are informed about subprocessors in use.

Disclosure practices:

- Published subprocessor lists
- Advance notice of changes
- Change objection windows where applicable

Change Management

Subprocessor changes follow a controlled process.

Change rules:

- Risk assessment before onboarding
- Tenant notification
- Documented approval

Emergency changes are logged and reviewed.

Data Localization and Transfers

Subprocessor data locations are documented. Cross-border transfers comply with applicable safeguards.

Transfer safeguards:

- Standard contractual clauses
- Adequacy decisions where applicable

Monitoring and Oversight

Subprocessor performance and compliance are monitored continuously.

Oversight activities:

- Periodic reviews
- Incident reporting obligations
- Compliance reassessments

Security and Isolation

Subprocessors receive only the minimum data required. Data is isolated per tenant and protected through encryption and access controls. Subprocessors cannot access platform systems beyond their contractual scope.