GDPR-011 critical Privacy Documentation

Third-party processors documented

Maintain list of all third parties processing user data. Have DPAs with each processor. Disclose processors in privacy policy. Vet new vendors for GDPR compliance.

Question to ask

"Which vendors touch your users' data — and are they GDPR-compliant?"

Verification guide

Severity: Critical

You need to know every third party that processes your users' data, have DPAs with them, and disclose them to users.

Check automatically:

# Look for vendor/processor documentation
grep -riE "third.*party|vendor|processor|sub.*processor|data.*sharing" docs/ --include="*.md" 2>/dev/null

# Check for DPA (Data Processing Agreement) references
# (grep cannot search inside compressed PDF contracts; extract their text first, e.g. with pdftotext, then grep the .txt output)
grep -riE "dpa|data.*processing.*agreement|processor.*agreement" docs/ contracts/ --include="*.md" --include="*.txt" 2>/dev/null

# Identify third parties from code (common services)
grep -riE "stripe|sendgrid|mailchimp|intercom|segment|mixpanel|amplitude|hubspot|zendesk|twilio|cloudflare|aws|gcp|azure|datadog|sentry" package.json src/ --include="*.json" --include="*.ts" --include="*.js" 2>/dev/null | head -20

# Check privacy policy for third-party disclosures
grep -riE "third.*part|share.*with|service.*provider|processor" public/ docs/ --include="*.html" --include="*.md" 2>/dev/null
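The grep checks above only surface vendor names. As an added example (not part of this checklist), the following Python script goes one step further: it reads the SDKs declared in package.json, maps them to the processors they belong to, and cross-references that against a processor register, reporting undocumented processors, missing DPAs, undisclosed processors, and the with-DPA vs. without-DPA counts. The SDK-to-processor map, the register format (a markdown table with Processor / Category / DPA signed / Disclosed in policy columns) and the sample inputs are all constructed assumptions for the example.

```python
"""Cross-reference vendor SDKs in package.json against a processor register.

Added example for the GDPR-011 check; not part of the checklist itself.
Assumptions (not from the checklist): the SDK-to-processor map below, and a
processor register kept as a markdown table with the columns
Processor | Category | DPA signed | Disclosed in policy.
"""
import json
import re

# Constructed map: npm package name (or scope) -> processor it belongs to.
SDK_TO_PROCESSOR = {
    "stripe": "Stripe",
    "@sendgrid": "SendGrid",
    "@segment": "Segment",
    "mixpanel": "Mixpanel",
    "@sentry": "Sentry",
    "@intercom": "Intercom",
    "twilio": "Twilio",
    "@hubspot": "HubSpot",
}

# One row of the register table (header and separator rows are skipped below).
REGISTER_ROW = re.compile(
    r"^\|\s*(?P<processor>[^|]+?)\s*\|\s*(?P<category>[^|]+?)\s*\|"
    r"\s*(?P<dpa>[^|]+?)\s*\|\s*(?P<disclosed>[^|]+?)\s*\|$"
)


def _sdk_matches(dep, key):
    """True if `dep` is the package `key`, a scoped package under it,
    or a `key-*` sibling package (e.g. stripe-js)."""
    return dep == key or dep.startswith(key + "/") or dep.startswith(key + "-")


def processors_in_package_json(text):
    """Return the set of processor names whose SDK is a declared dependency."""
    pkg = json.loads(text)
    deps = set()
    for section in ("dependencies", "devDependencies"):
        deps.update(pkg.get(section, {}))
    return {
        processor
        for dep in deps
        for key, processor in SDK_TO_PROCESSOR.items()
        if _sdk_matches(dep, key)
    }


def parse_register(text):
    """Parse the markdown register into {processor: {"dpa": bool, "disclosed": bool}}."""
    register = {}
    for line in text.splitlines():
        m = REGISTER_ROW.match(line.strip())
        if not m:
            continue
        name = m["processor"]
        if name.lower() == "processor" or not name.strip("-"):
            continue  # header row or |---| separator row
        register[name] = {
            "category": m["category"],
            "dpa": m["dpa"].lower() == "yes",
            "disclosed": m["disclosed"].lower() == "yes",
        }
    return register


def audit(package_json_text, register_text):
    """Produce the evidence items GDPR-011 asks for, as plain data."""
    in_code = processors_in_package_json(package_json_text)
    register = parse_register(register_text)
    return {
        # SDK present in code but no register entry: the processor list is incomplete
        "undocumented": sorted(in_code - set(register)),
        "missing_dpa": sorted(n for n, r in register.items() if not r["dpa"]),
        "undisclosed": sorted(n for n, r in register.items() if not r["disclosed"]),
        "with_dpa": sum(1 for r in register.values() if r["dpa"]),
        "without_dpa": sum(1 for r in register.values() if not r["dpa"]),
    }


# Constructed sample inputs so the script runs offline.
SAMPLE_PACKAGE_JSON = """{
  "name": "example-app",
  "dependencies": {
    "express": "^4.18.0",
    "stripe": "^12.0.0",
    "@sendgrid/mail": "^7.7.0",
    "mixpanel": "^0.17.0",
    "@sentry/node": "^7.0.0"
  },
  "devDependencies": { "jest": "^29.0.0" }
}"""

SAMPLE_REGISTER = """\
| Processor | Category       | DPA signed | Disclosed in policy |
|-----------|----------------|------------|---------------------|
| Stripe    | Payment        | Yes        | Yes                 |
| SendGrid  | Email          | Yes        | No                  |
| Sentry    | Error tracking | No         | Yes                 |
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_PACKAGE_JSON, SAMPLE_REGISTER).items():
        print(f"{key}: {value}")
```

On the sample data the report flags Mixpanel as used in code but absent from the register, Sentry as lacking a DPA, and SendGrid as not disclosed in the privacy policy. Pointing `audit()` at a real package.json and register gives the "number of processors with DPAs vs. without" evidence item directly; the map of SDKs to processors is the part that needs maintaining per project.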

Ask user:

  • "Do you have a list of all third parties that process user data?"
  • "Do you have DPAs (Data Processing Agreements) with each?"
  • "Are these disclosed in your privacy policy?"
  • "How do you vet new vendors for GDPR compliance?"

Common processors to document:

| Category       | Examples                      | DPA Required?         |
|----------------|-------------------------------|-----------------------|
| Payment        | Stripe, Braintree             | Yes                   |
| Email          | SendGrid, Mailchimp, Postmark | Yes                   |
| Analytics      | Segment, Mixpanel, Amplitude  | Yes                   |
| Support        | Intercom, Zendesk             | Yes                   |
| Error tracking | Sentry, Bugsnag               | Yes                   |
| Infrastructure | AWS, GCP, Azure               | Yes (usually covered) |
| CRM            | HubSpot, Salesforce           | Yes                   |

Cross-reference with:

  • GDPR-004 (need to delete from third parties too)
  • GDPR-009 (privacy policy should list processors)
  • GDPR-010 (processors are part of ROPA)

Pass criteria:

  • Complete list of third-party processors maintained
  • DPAs in place with each processor
  • Processors disclosed in privacy policy
  • Process for vetting new vendors

Fail criteria:

  • No list ("we use a bunch of tools but haven't documented them")
  • Missing DPAs ("we just signed up, never asked about GDPR")
  • Processors not disclosed to users
  • New tools added without GDPR consideration

Evidence to capture:

  • Location of processor list
  • Number of processors with DPAs vs. without
  • Whether disclosed in privacy policy
  • Vendor vetting process (exists/doesn't exist)

Section: 37. GDPR & Privacy Compliance (Operations & Incident Management)