Documentation
GDPR & subprocessors
Article 28 obligations, change notifications, and audit logs.
Last updated May 6, 2026
GDPR Article 28 governs the relationship between a controller and a processor, including the processor's use of further processors. When you handle your customers' data on their behalf, you are the processor, your customers are the controllers, and the vendors you pass that data to are your sub-processors. This page explains how Attestly helps you meet the obligations that follow from that.
The core obligations
- Engage only sub-processors that provide sufficient guarantees, and flow the same data-protection obligations down to them by contract (Art. 28(4)). Attestly maintains a list of every detected subprocessor; their location and DPA terms are surfaced in your DPA.
- Obtain the controller's prior written authorization, either general or specific, before engaging a new sub-processor (Art. 28(2)).
- Under a general authorization, inform the controller of any intended addition or replacement of sub-processors and give them the opportunity to object (Art. 28(2)).
How Attestly automates this
- When the scanner detects a new subprocessor, your DPA enters a Pending notification state.
- Customers who have signed your DPA receive a templated email with the diff.
- A 30-day objection window starts (the length is configurable). Customers who object can be flagged and routed to your customer-success team.
- After the clock expires, the DPA is republished and the subprocessor list on your trust center is updated.
International transfers
If a detected subprocessor is outside the EEA, the DPA generator incorporates the EU Standard Contractual Clauses (SCCs) by reference and adds the relevant transfer-impact assessment (TIA) hooks. Note that a transfer to a country covered by an EU adequacy decision does not require SCCs, so check the destination before relying on the generated clauses. We do not produce TIAs themselves; talk to your lawyer.
Records of processing
Article 30(2) requires processors to maintain a record of all categories of processing activities carried out on behalf of each controller. Attestly's audit log includes:
- Every scan (commit SHA, started, completed, by whom).
- Every document version (created, approved, published, by whom).
- Every subprocessor change (added, removed, modified).
- Every DPA signature (signer, version, hash).
The log is append-only, exportable as CSV, and retained for 13 months by default.
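The following is an added example and not Attestly's code: it shows how the subprocessor diff from the change-notification flow above (added, removed, modified), the objection deadline, and an append-only audit log can fit together. The page states that the log is append-only but does not say how that is enforced or how the signature hashes are built; the SHA-256 hash chaining, record layout, field names and sample data below are all assumptions made for the example. The chain lets anyone holding an export detect an altered, dropped or reordered entry, which is the property a practitioner would want to check before relying on an audit log as an Article 30 record.

```python
# Added example (not Attestly's code): a hash-chained, append-only audit log
# for subprocessor changes, plus the diff classification and objection window
# from the notification flow. Chaining scheme, field names and sample data
# are assumptions; the page does not describe Attestly's internal format.
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # previous-hash value of the first entry (assumption)


def diff_subprocessors(old, new):
    """Classify a change between two {name: attributes} maps.

    Returns (added, removed, modified) as sorted name lists, matching the
    three change kinds the audit log records.
    """
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(n for n in set(old) & set(new) if old[n] != new[n])
    return added, removed, modified


def _entry_hash(body):
    # Canonical JSON (sorted keys, no whitespace) so the same entry always
    # hashes the same way regardless of how it was serialised.
    return hashlib.sha256(
        json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    ).hexdigest()


def append_entry(log, kind, payload, actor, ts):
    """Append one entry; each entry commits to the hash of the previous one."""
    body = {
        "seq": len(log),
        "kind": kind,
        "payload": payload,
        "actor": actor,
        "ts": ts.isoformat(),
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    entry = dict(body, hash=_entry_hash(body))
    log.append(entry)
    return entry


def verify_chain(log):
    """Return True only if no entry was altered, removed or reordered."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["seq"] != i or entry["prev"] != prev:
            return False
        if _entry_hash(body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def record_scan(log, old, new, actor, ts, window_days=30):
    """Log the diff of one scan and return the objection deadline.

    Returns None when nothing changed: no notification, no clock.
    """
    added, removed, modified = diff_subprocessors(old, new)
    for kind, names in (("added", added), ("removed", removed), ("modified", modified)):
        for name in names:
            payload = {"name": name, "after": new.get(name)}  # None when removed
            append_entry(log, f"subprocessor.{kind}", payload, actor, ts)
    if not (added or removed or modified):
        return None
    deadline = ts + timedelta(days=window_days)
    append_entry(log, "dpa.pending_notification",
                 {"objection_deadline": deadline.isoformat()}, actor, ts)
    return deadline


# Constructed sample data: one vendor moves region, one new vendor appears.
OLD = {"Acme Mail": {"region": "EU"}, "Cloud Host": {"region": "EU"}}
NEW = {"Acme Mail": {"region": "EU"}, "Cloud Host": {"region": "US"},
       "Analytics Co": {"region": "US"}}


def demo():
    """Run one scan, verify the log, then tamper with it and verify again."""
    log = []
    ts = datetime(2026, 5, 6, tzinfo=timezone.utc)
    deadline = record_scan(log, OLD, NEW, actor="scanner", ts=ts)
    intact = verify_chain(log)
    # Simulate an after-the-fact edit of the first entry: the chain must break.
    log[0]["payload"]["name"] = "Someone Else"
    tampered = verify_chain(log)
    return deadline, len(log), intact, tampered


if __name__ == "__main__":
    print(demo())
```

The tamper check in demo() is the point of the chain: editing any field of any entry, or deleting one, changes the hash that every later entry committed to, so a single pass over an export is enough to detect it. Whatever format a real export uses, ask the vendor what makes their "append-only" claim verifiable by the customer rather than only by the vendor.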