Generate a public sub-processor list for your SaaS — required under GDPR Art. 28(4). List all third-party vendors who process your customers' personal data, with legal entities, transfer mechanisms, and DPA links.
GDPR Art. 28(2): general authorisation allows you to add sub-processors by notifying the controller; specific requires individual consent.
GDPR Art. 28(4)
Controllers must authorise sub-processors in writing. You must impose equivalent data protection obligations on each sub-processor.
Keep it updated
Update this list whenever you add or remove a vendor. Give customers advance notice (usually 30 days) so they can object.
Publish publicly
Host at /sub-processors or /legal/sub-processors. Link it from your DPA and privacy policy. Enterprise buyers check this during due diligence.