Skip to main content

Trust

Subprocessor Register

Review the decision, evidence, boundaries, and next step for this route.

ForPeople conducting policy, privacy, security, or access review

FocusControls, ownership, evidence, and review paths

CONTROL RECORD

A policy names its scope, evidence state, limit, and correction path.

  1. 01Scope
  2. 02Owner
  3. 03Evidence state
  4. 04Review / correct
A published policy does not become technical enforcement or external assurance by itself.

Current register

Review healthcare data posture
Ask a subprocessor question

Before a provider enters an approved production flow, the register records its legal name, service, purpose, data classes, subjects, systems, countries and regions, transfer basis where required, client visibility, access, retention/deletion, security and incident terms, subcontracting, contract owner, evidence state, approval date, last review, change notice, and exit plan.

A product evaluation, account, working model, integration seam, development dependency, or marketing claim does not approve a provider. Approval is tied to an actual purpose, data flow, contract, configuration, decision owner, evidence review, and client obligations. Providers that do not process client production data remain outside this production register but are still governed internally as appropriate.

The actual agreement will define any client notice, objection, or transition rights. Notice timing follows the applicable agreement and recorded data-flow owner. A material provider or data-flow change is reviewed before production use and added with an effective date and owner.

Table — scroll horizontally to review every column.

ProviderServiceData/purposeRegionState
No production subprocessor approved