Why Public Subprocessor Lists Are a Security Risk

Many trust center platforms encourage you to publish your full subprocessor list on a public page. No major compliance framework requires this. And doing it creates a real attack vector.

What compliance frameworks actually require

The common assumption is that regulations force you to list your subprocessors publicly. They don't. Here's what each framework actually says:

GDPR (Article 28)

Processors must disclose subprocessors to their data controllers and get prior authorization. Controllers have the right to object to new subprocessors. The obligation is contractual, between two parties. There is no requirement to publish anything publicly.

Read GDPR Article 28

SOC 2 (Trust Services Criteria CC6.1, CC7.2)

SOC 2 reports must include information about sub-service organizations. But SOC 2 reports are restricted-use documents under AICPA rules. They are shared under NDA with authorized parties only. Publishing subprocessor details from your SOC 2 report in public goes against the spirit of that restriction.

ISO 27001 (Annex A.5.19 through A.5.22)

ISO 27001 requires you to manage supplier relationships, maintain a supplier inventory, and monitor changes. All of this is internal control and contractual governance. The standard does not ask you to publish your supplier list on a webpage.

CCPA / CPRA

California privacy law requires service provider disclosure in contracts between businesses and providers. Businesses must approve new subprocessors before engagement. None of this is public-facing. Your privacy policy should mention that you use service providers, but listing each one by name is not required.

The pattern is clear: every major framework handles subprocessor disclosure through contracts or upon request. None of them requires a public page listing your vendors for anyone to see.

How public subprocessor lists help attackers

Consider this scenario. A critical vulnerability is disclosed in a popular SaaS tool. The vendor is working on a fix. Patches will take days or weeks to roll out.

1. Attacker learns about the vulnerability (from a CVE, a blog post, or a security advisory).

2. Attacker searches Google for companies that publicly list that tool as a subprocessor.

3. Within minutes, they have a list of targets. They know exactly which companies use the vulnerable tool.

4. They exploit the vulnerability across multiple targets before patches are applied.

Without public subprocessor lists, an attacker would need to invest significant effort to discover which companies use a specific vendor. They would have to probe each target individually. That is a slow, targeted attack.

Public subprocessor lists turn targeted attacks into mass, opportunistic ones. The attacker gets the reconnaissance for free, courtesy of your trust center page.

Why enterprise trust centers encourage public display

Platforms like Vanta, SafeBase, and similar enterprise trust center products include built-in subprocessor list widgets. They come with icons, sortable tables, and polished layouts. It looks professional.

But the reason these features exist has more to do with justifying the platform's price than with actual security. When you're paying thousands per year for a trust center, the vendor needs to fill the page with something. Subprocessor lists, compliance badges, and vendor logos all serve that purpose. They make the product feel comprehensive.

The more data you publish, the more valuable the platform appears. The vendor's incentive is to encourage maximum disclosure, because that's what makes their product look worth the cost.

At Simple Trust Portal, the plan costs $20/month. We don't need to pad the interface with features that look impressive but weaken your security posture. That frees us to focus on doing things the right way: controlled access, audit trails, and gated document sharing.

A better approach: share on request

Every compliance framework we covered above supports the same model: disclose subprocessor information to the people who need it, when they need it. Not to the entire internet by default.

You know who has the information

Every person who receives your subprocessor list went through an access request. You have their name, email, and company on record.

You can require an NDA first

Gate sensitive documents behind NDA acceptance. The requester agrees to your terms before seeing anything.

Downloads are tracked

Full audit log of who accessed the document, when, and how many times. Useful for compliance and incident response.

You can notify recipients of changes

When your subprocessor list changes, you know exactly who to inform, because you have a record of everyone who received it.

This is exactly what Simple Trust Portal is built for. Upload your subprocessor list as a private document, require access requests, optionally gate it behind an NDA, and track every download. Your prospects get the information they need. Random visitors and attackers do not.
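The share-on-request model described above, reduced to a small Python module as an added illustration (this is not Simple Trust Portal's code; class and method names, the event strings and the in-memory audit log are assumptions): access is recorded per requester, the NDA gate is checked on every download, denials are logged alongside downloads, and a version change yields the exact set of recipients to notify.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class AccessRequest:
    name: str
    email: str
    company: str
    approved: bool = False
    nda_accepted: bool = False

class GatedDocument:
    # Private document (e.g. a subprocessor list) released only to approved requesters.
    def __init__(self, require_nda=True):
        self.require_nda = require_nda
        self.version = 1
        self.requests = {}    # email -> AccessRequest
        self.audit_log = []   # (utc timestamp, email, event)

    def _log(self, email, event):
        self.audit_log.append((datetime.now(timezone.utc).isoformat(), email, event))

    def request_access(self, name, email, company):
        # Identity is on record before the requester sees anything.
        self.requests[email] = AccessRequest(name, email, company)
        self._log(email, "requested")
    def approve(self, email):
        self.requests[email].approved = True
        self._log(email, "approved")
    def accept_nda(self, email):
        self.requests[email].nda_accepted = True
        self._log(email, "nda_accepted")

    def download(self, email):
        # Both gates are re-checked on every download; denials are logged too.
        req = self.requests.get(email)
        if req is None or not req.approved:
            self._log(email, "denied:not_approved")
            raise PermissionError("access request not approved")
        if self.require_nda and not req.nda_accepted:
            self._log(email, "denied:nda_missing")
            raise PermissionError("NDA not accepted")
        self._log(email, f"downloaded v{self.version}")
        return self.version

    def recipients_to_notify(self):
        # Everyone who downloaded an earlier version must be told about the change.
        return sorted({e for _, e, ev in self.audit_log if ev.startswith("downloaded")})
    def publish_new_version(self):
        self.version += 1
        self._log("system", f"published v{self.version}")
        return self.recipients_to_notify()
```

The audit log doubles as the notification roster: the set of past downloaders is exactly the set of people who must hear about a subprocessor change.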

Share sensitive documents on your terms

Upload your subprocessor list, SOC 2 report, and other security documents. Control who sees them with access requests, NDA gating, and audit logs.


Free for 30 days. No credit card required.