Subprocessors and SaaS tools: what to disclose responsibly
Short answer: Subprocessors are vendors who process personal data on your behalf (hosting, email, CRM, analytics). Customers and the Privacy Act landscape expect you to name categories honestly—not every SKU, but not silence either.
Transparency supports SEO-adjacent trust signals when procurement teams compare suppliers.
What to list
- Category + example (“email delivery: transactional provider X”).
- Purpose tied to your operations.
- Overseas transfers if applicable, at a high level.
Maintain without chaos
Review subprocessors when you adopt a new tool; an annual audit of your stack beats perfect real-time dashboards for SMEs.
Contracts matter
Data processing terms should clarify breach notification, deletion assistance, and security expectations—especially for health, finance, or children’s data contexts.
Frequently asked questions
Do I list free tools?
If they process personal data on your behalf, yes—free does not mean invisible.
What about server locations?
Disclose honestly; “may route globally” beats guessing. Users doing due diligence notice vagueness.