Sub-processor flow-down

Sub-processor flow-down is the contractual mechanism that requires a vendor to impose the same data-protection obligations on its sub-processors that the customer imposed on the vendor.

Why flow-down exists

Under GDPR Article 28(4), a processor that engages a sub-processor must impose the "same data protection obligations" on the sub-processor that exist between the controller and the processor. The vendor remains fully liable to the controller for the sub-processor's acts. Similar requirements appear in CCPA/CPRA (service provider obligations), HIPAA (business associate sub-contractors), and most enterprise DPAs. The mechanism by which this works in practice is a flow-down clause: the vendor's contract with each sub-processor must contain materially equivalent terms.

What buyers should verify

A mature vendor maintains a public sub-processor list with each sub-processor's purpose, location, and the high-level data categories it processes. The vendor's DPA with the buyer commits to flow-down (often citing GDPR Article 28(4) or a jurisdiction-equivalent provision), to advance notice of new sub-processors with a buyer right to object, and to liability for the sub-processor's actions as if they were the vendor's own. AI vendors often have many sub-processors (foundation model providers, vector DB hosts, observability tools, CRM); the list should be complete, not selectively redacted.

Common gaps

Three common gaps surface in diligence:

1. A sub-processor list that omits the underlying foundation model provider (e.g., an AI app vendor using GPT-4 via Azure OpenAI must list Microsoft as a sub-processor).
2. Flow-down to one tier deep, but no contractual obligation that the sub-processor flows down to its own sub-sub-processors.
3. Flow-down language that copies the form but omits substantive obligations such as SCCs or breach notification SLAs.

Procurement should request the sub-processor agreement template (or at minimum its flow-down section) under NDA when the buyer's regulatory exposure is meaningful.