Will you notify customers before engaging new sub-processors who will handle their data?
Explanation & Context
Explanation of the Question:
This question asks whether your organization informs its customers before it starts using new third-party service providers (sub-processors) that will handle their data. In data protection terms, a sub-processor is any entity your organization engages to process customer data on its behalf, for example a cloud hosting or storage provider, a data analytics service, or an outsourced customer-support platform.
Why It Matters:
Notifying customers before engaging new sub-processors matters for several reasons. First, it provides transparency and builds trust by keeping customers informed about who has access to their data. Second, it gives customers time to assess the security and privacy practices of the new sub-processor and decide whether they are comfortable with their data being handled by that third party, including the option to object before any data is transferred. Finally, data protection regulations impose this as an obligation: under the General Data Protection Regulation (GDPR), Article 28(2), a processor may only engage another processor with the controller's prior authorisation, and where the authorisation is general, the processor must inform the controller of any intended addition or replacement of sub-processors so that the controller has the opportunity to object. Data processing agreements (DPAs) typically set the notice period and objection window for this.
Example of Evidence:
To demonstrate that you notify customers before engaging new sub-processors, provide documentation of your notification process. This could include the notification template you send to customers, the section of your data processing agreement that defines the notice period and objection right, records of past notifications and customer acknowledgments, and the policy or procedure that describes the internal steps (for example, vendor security review before a sub-processor is approved and added to the notice). A published, dated sub-processor list with a subscription mechanism for change notifications is also common evidence. Additionally, you could show the feedback channel through which customers can raise concerns or object to a new sub-processor, and how such objections are handled.
Example Responses
Example Response 1
We notify our customers by email at least 30 days before engaging any new sub-processor. The notification identifies the sub-processor, the service it provides, the categories of data it will handle, and the reason for the engagement. Customers may object within that 30-day window, and no customer data is shared with the new sub-processor until the notice period has elapsed.
Example Response 2
Our policy requires that customers are informed of new sub-processors through an update to our published sub-processor list, accompanied by an email notification to each customer's designated contact. This process is documented in our data processing agreement and is reviewed annually to confirm compliance with applicable data protection regulations. Customers can also view current details of our sub-processors, including their location and function, on our website at any time.
Example Response 3
Because our software is deployed exclusively on-premises within the customer's own environment, and we do not use cloud services or third parties to process customer data, the question of notifying customers about new sub-processors does not apply to our operations. Customer data remains entirely under the customer's control and is not handled by our organization or any sub-processor.