Vendor + sub-processor inventory template
A vendor inventory as a CSV-style markdown table with a risk-score column. Required by every SOC 2 audit and by the GDPR sub-processor disclosure. Update quarterly; publish at /sub-processors.
How to use
Update quarterly. Publish the redacted version at /sub-processors; keep the full version (DPA dates, review dates, risk scores) internal.
Template (markdown)
Copy-paste and replace the {{PLACEHOLDERS}}.

# Vendor + Sub-Processor Inventory
**Last updated:** {{DATE}} · **Owner:** {{DPO}} · **Review:** Quarterly
| Vendor | Service | Data Categories | Sub-processor? | Region | DPA Signed | Risk Score | Last Reviewed |
|---|---|---|---|---|---|---|---|
| AWS | Cloud infra (compute, S3, RDS) | All customer data | Yes | us-east-1, eu-west-1 | {{DPA_DATE}} | Low | {{REVIEW_DATE}} |
| Vercel | Application hosting + CDN | All customer data, traffic logs | Yes | Global edge | {{DPA_DATE}} | Low | {{REVIEW_DATE}} |
| Supabase | Postgres + auth | All customer data | Yes | {{REGIONS}} | {{DPA_DATE}} | Low | {{REVIEW_DATE}} |
| Stripe | Payment processing | Payment metadata only (no PAN) | Yes | Global | {{DPA_DATE}} | Low | {{REVIEW_DATE}} |
| OpenAI | LLM inference | Prompts only (no customer-PII unless opt-in) | Yes | us | {{DPA_DATE}} | Medium | {{REVIEW_DATE}} |
| Anthropic | LLM inference | Prompts only (no customer-PII unless opt-in) | Yes | us | {{DPA_DATE}} | Medium | {{REVIEW_DATE}} |
| Resend | Transactional email | Recipient email + subject + body | Yes | us | {{DPA_DATE}} | Low | {{REVIEW_DATE}} |
| Sentry | Error monitoring | Stack traces, redacted env | Yes | us | {{DPA_DATE}} | Low | {{REVIEW_DATE}} |
| GitHub | Source control + GitHub App | Source code | Yes (employee data) | us | {{DPA_DATE}} | Low | {{REVIEW_DATE}} |
| Vanta / Drata | Compliance automation | Security evidence | Yes | us | {{DPA_DATE}} | Medium | {{REVIEW_DATE}} |
| Securie | Security review + attestation | PR diffs + finding metadata | Yes (when self-hosted: no sub-processor) | us | {{DPA_DATE}} | Low | {{REVIEW_DATE}} |
**Risk Score** legend:
- **Low** — vendor has SOC 2 + GDPR DPA + clear sub-processor disclosure
- **Medium** — vendor has SOC 2 but not all of the above, OR one of the vendor's own sub-processors has a weaker posture
- **High** — vendor missing SOC 2 OR vendor has had a security incident in past 12 months
**Quarterly review checklist:**
- [ ] Re-score every vendor against the legend above
- [ ] Confirm DPAs are still signed + counterparts still in business
- [ ] Cross-reference against /incidents — has any vendor been breached recently?
- [ ] Update /sub-processors public page with any add/remove
- [ ] Notify customers of material changes per DPA Section 7