Registry Entry · File No. 28(2) · EU Reg 2016/679
Your subprocessor
page, on the record.
Registora keeps the subprocessor list that your customers, your auditors, and the regulator all read. We watch every upstream provider — Stripe, OpenAI, Vercel, the rest — and amend the registry the moment they change.
The Notice
i.
The Statute
GDPR Article 28(2) requires you to publish a current list of every subprocessor that touches your customers' personal data, and to notify them at least thirty days before any addition or replacement.
ii.
The Custom
Nine in ten small SaaS companies maintain their subprocessor list in a Notion document that hasn't been opened in eleven months. When an enterprise buyer asks, the founder rebuilds it at 11pm.
iii.
The Remedy
Registora hosts the page, watches every upstream provider, drafts the customer notification, and files the audit trail. The page is current because it is built from the source.
The Method
II.1
Open the register.
List your subprocessors from a curated catalogue of common providers — Stripe, OpenAI, Vercel, Postmark, Sentry, Twilio, and twenty-five others. Add custom entries by hand. The whole exercise takes five minutes.
II.2
Point your domain.
Set subprocessors.your-company.com to point at us. The page is rendered fresh on every visit, branded as you, hosted by us, always current. The free tier carries a small Registora mark; paid tiers do not.
II.3
Let the registrar work.
Every twenty-four hours we read each upstream provider's own subprocessor declaration. When Stripe adds a new vendor, we amend your page within the hour, draft a notification to your customers for your approval, and file the change in your audit log.
Sample entry
Each entry is generated from the upstream provider's own subprocessor declaration. Where the declaration changes, the entry changes; where it does not, the entry remains.
The Sample
What a customer of yours sees when they visit subprocessors.acme.com. Live, current, always.
Acme Analytics Inc.
Subprocessor Register
Recorded subprocessors
| № | Provider | Purpose | Location | Categories of data |
|---|---|---|---|---|
| 001 | Stripe, Inc. | Payment processing | US, IE | Card, billing address |
| 002 | OpenAI, L.L.C. | AI inference for in-product assistants | US | Prompt content |
| 003 | Vercel Inc. | Hosting and edge network | US (Global edge) | IP address, user-agent |
| 004 | Postmark (Wildbit, LLC) | Transactional email delivery | US | Recipient email, message body |
| 005 | Sentry (Functional Software, Inc.) | Application error monitoring | US | Stack traces, user identifier |
Recent amendments
All amendments are notified to controllers per Art. 28(2) at least thirty days in advance, with right to object.
- 22 May 2026Stripe added Plaid (fraud detection sub-processor). Notification dispatched to controllers; objection period closes 21 Jun 2026.
- 14 May 2026Postmark removed Mandrill from upstream chain. No controller action required.
- 02 May 2026Sentry added Datadog for internal monitoring. Within scope; notification dispatched.
Schedule of Subscription
Free
Starter
Growth
Recommended
DORA