Vendor and Sub-Processor Register

Under GDPR Article 28, a data controller may only engage a processor that provides sufficient guarantees that it will implement appropriate technical and organisational measures to meet GDPR requirements and protect data subject rights. This obligation flows downstream: PensionPortal.ai, as a processor to trustee clients, must provide those guarantees — and must ensure that any sub-processors it engages provide equivalent guarantees in turn. This page documents PensionPortal.ai’s approach to sub-processor management, the categories of sub-processors currently used, trustee obligations regarding their own processor documentation, and the process for sub-processor change notifications.

GDPR Article 28(2): A processor shall not engage another processor (a sub-processor) without the prior specific or general written authorisation of the controller. Where general authorisation is used, the processor must inform the controller of any intended changes, giving the controller the opportunity to object.

GDPR Article 28(4): Where a processor engages a sub-processor, the same data protection obligations as set out in the contract with the controller shall be imposed on the sub-processor by way of contract. If the sub-processor fails to fulfil its data protection obligations, the processor remains fully liable to the controller.

What this means for trustee clients:
  • Trustees must authorise PensionPortal.ai’s use of sub-processors. This authorisation is provided through the Data Processing Agreement (DPA) executed at onboarding, which grants general authorisation subject to the notification obligations described below.
  • Trustees should include PensionPortal.ai in their own processor register (maintained under their trust deed and GDPR documentation).
  • The DPA imposes on PensionPortal.ai the obligation to flow down Article 28 requirements to all sub-processors.

How PensionPortal.ai Manages the Sub-Processor Register

Register Maintenance

PensionPortal.ai maintains a current, versioned sub-processor register. The register is reviewed:
  • On any change to sub-processor arrangements (addition, replacement, or removal)
  • Quarterly as part of internal compliance review
  • Annually as part of the full information security review cycle

The register records for each sub-processor:
  • Legal name and registered address
  • Category of service provided
  • Data categories processed
  • Processing locations (country/region)
  • Transfer mechanism for EEA transfers (SCCs, adequacy decision, or intra-group agreement)
  • Data Processing Agreement or equivalent contractual documentation in place

Sub-Processor Due Diligence

Before engaging any sub-processor, PensionPortal.ai conducts due diligence including:
  • Review of the sub-processor’s data protection and information security policies
  • Verification of ISO 27001 certification or equivalent (where applicable)
  • Review of the sub-processor’s own sub-processor arrangements
  • Assessment of any international transfer risks and available safeguards

Contractual Requirements

All sub-processors are engaged under contracts that include, at minimum:
  • GDPR Article 28(3) mandatory clauses (instructions, confidentiality, security, sub-processor restrictions, data subject rights assistance, deletion/return, audit rights)
  • Standard Contractual Clauses (SCCs — Commission Implementing Decision 2021/914) where processing involves international transfers outside the EEA
  • Incident notification obligations no less stringent than PensionPortal.ai’s own obligations to trustee clients

Current Sub-Processor Categories

PensionPortal.ai uses the following categories of sub-processors. This register is maintained as a live document; clients receive 30 days’ advance notice of material changes. Specific vendor details are provided in the current version of the DPA schedule, available on request.

| Category | Purpose | Processing Location | Transfer Mechanism |
|---|---|---|---|
| Cloud Infrastructure | Application hosting, compute, database services, storage | EU/EEA (primary); documented fallback regions | SCCs / adequacy where applicable |
| Authentication & Identity | User authentication, MFA, session management | EU/EEA | N/A (EEA processing) |
| AI / LLM Services | AI-assisted document drafting, compliance analysis, data quality alerting | EU/EEA preferred; SCCs in place for US-based providers | SCCs (Module 2 — controller to processor) |
| Application Monitoring | Error tracking, performance monitoring, log aggregation | EU/EEA | N/A (EEA processing) |
| Document Storage | Secure document vault, version control, scheme document repository | EU/EEA | N/A (EEA processing) |
| Email / Communications | System-generated notifications, rights request correspondence | EU/EEA | N/A (EEA processing) |
| Payment Processing | Subscription billing (no member personal data processed) | EU/EEA | N/A (EEA processing) |

No member personal data (member identifiers, salary, benefit, or contribution data) is transmitted to AI/LLM sub-processors for model training purposes. AI processing is subject to strict data minimisation — only data necessary for the specific AI function in context is transmitted, and transmission is subject to confidentiality obligations in the sub-processor contract.

Sub-Processor Change Notification

PensionPortal.ai provides 30 days’ advance written notice of any intended changes to sub-processor arrangements. This notice is issued to the designated compliance contact at each trustee client. Notice includes:
  • Name and description of the new, replaced, or removed sub-processor
  • Nature of the change (addition, replacement, or removal)
  • Categories of data affected
  • Processing location and transfer mechanism (for new or replacement sub-processors)
  • Effective date of the change

Trustee right to object: Within the 30-day notice period, trustees may raise a written objection if they have legitimate grounds to believe the new sub-processor arrangement does not provide sufficient guarantees under Article 28. PensionPortal.ai will engage in good faith to resolve the objection. Where the objection cannot be resolved, either party may terminate the DPA without penalty in respect of the affected processing.

Where a trustee client does not respond within the 30-day notice period, the sub-processor change will be deemed accepted for the purposes of the DPA. Trustees should ensure that sub-processor change notifications are routed to an active compliance inbox monitored by the DPO or responsible trustee.

What Trustee Clients Must Do

Trustees, as data controllers, have their own Article 28 obligations. PensionPortal.ai’s sub-processor register satisfies PensionPortal.ai’s processor obligations — but trustees must maintain their own documentation:

Include PensionPortal.ai in Your Processor Register

Trustees’ own Article 30 RoPA and processor register should list PensionPortal.ai as a processor. The DPA executed at onboarding provides the contractual basis. Details to record: categories of data processed, processing purposes, retention arrangements.

Review and Retain the DPA

The Data Processing Agreement is a mandatory Article 28 document. Trustees should retain a signed copy in their scheme governance files. The DPA should be reviewed when the scheme undergoes material change or when PensionPortal.ai notifies a significant update.

Document Sub-Processor Authorisation

Trustees’ DPIA and RoPA should record that general authorisation has been granted for PensionPortal.ai’s sub-processor use, subject to the 30-day notification mechanism. The basis for this authorisation and the notification mechanism should be documented.

Update Your Privacy Notice

Member-facing privacy notices should describe the categories of third parties (processors and sub-processors) to whom member data is disclosed and the purpose. Specific vendor names are not required — category descriptions are sufficient for Article 13/14 compliance.

International Transfers and SCCs

Where sub-processors operate outside the EEA, GDPR Chapter V requires that an appropriate transfer mechanism is in place. PensionPortal.ai uses:

Standard Contractual Clauses (SCCs): Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module 2 (controller to processor) for transfers from PensionPortal.ai (as processor for trustees) to sub-processors outside the EEA. The SCCs impose data protection obligations on the sub-processor equivalent to those under EU GDPR.

Transfer Impact Assessments (TIAs): For transfers to countries without an EU adequacy decision (e.g. United States under most circumstances), PensionPortal.ai conducts a Transfer Impact Assessment evaluating the legal framework in the destination country and the risk of government access to transferred data. TIAs are documented and reviewed annually.

Following the Schrems II judgment (C-311/18, 16 July 2020) and the EDPB’s supplementary transfer guidelines, reliance on SCCs alone is insufficient where there is a risk of access by third-country authorities inconsistent with EU fundamental rights standards. PensionPortal.ai’s TIAs address this requirement. Trustee clients may request a copy of the relevant TIA for their DPA files.

Requesting the Sub-Processor Register

The current, specific sub-processor register (including named vendors) is available to trustee clients under the terms of the DPA. To request a copy:
  • Contact your PensionPortal.ai account manager
  • Raise a support ticket referencing “Sub-Processor Register Request”
  • Direct your DPO to the compliance portal within the platform

The register will be provided within 5 business days. Updates to the register are notified proactively via the 30-day change notification mechanism described above.