What is a subprocessor for purposes of data privacy laws?
Under a variety of data privacy laws (including the EU GDPR, the UK GDPR, and the Swiss equivalent), companies that are given personal data directly by consumers are typically known as "controllers" of personal data. When a controller engages a third party (such as a SaaS service) to help the controller provide its services, that third party is a "processor" it processes personal data at the controller's instruction. If a processor then similarly engages third parties to assist it in providing its services to the controller, then each of those third parties is a "subprocessor." Not every third party that is involved in assisting the controller in providing its services is a "processor" or "subprocessor." Processors and subprocessors are typically only defined with respect to personal data being processed.