Managing Subprocessors at Talkdesk: Legal and Practical Considerations

In modern cloud and SaaS operations, many providers, including Talkdesk, rely on subprocessors to carry out portions of their service (hosting, analytics, support, integrations, etc.). The use of subprocessors raises essential legal, contractual, and operational challenges, especially when dealing with regulated jurisdictions such as the European Union (under the GDPR) or the US (with FedRAMP).

 

What Is a Subprocessor and Why It's Important

A subprocessor is a third party engaged by a data processor (in this case, Talkdesk) to perform processing activities on behalf of the processor, acting under the instructions of the controller. In typical data protection frameworks:

  • The data controller (Talkdesk’s customer) delegates processing to a processor (Talkdesk).
  • The processor (Talkdesk) may further delegate tasks to subprocessors.
  • The processor retains responsibility for ensuring that subprocessors comply with the same data protection obligations it owes to the controller.

 

Data Protection and Subprocessor Obligations under GDPR

Because the GDPR is one of the most stringent regimes globally, much of the subprocessor handling logic must comply with it (or equivalent standards in other jurisdictions). Some of the key obligations:

  1. Written contracts / Data Processing Agreements (DPAs) with subprocessors.
  2. Approval and notice to controllers of changes in the subprocessor list.
  3. Liability and accountability.
  4. Technical and organizational measures.
  5. Data subject rights and assistance.
  6. International transfers / onward transfers.
  7. Breach notification and audit rights.
     

Transfer Mechanisms & Cross-Border Data Movement

As Talkdesk is a US-headquartered multinational, and many of its systems and services operate globally, cross-border transfers of personal data pose a critical challenge.

By default, data is processed and stored in the U.S. Still, customers can choose to host in other regions (Europe, the United Kingdom, and Canada) depending on their privacy requirements.

Transfers between countries in the EEA or countries recognised as adequate by the EDPB (European Data Protection Board) rely on adequacy decisions.

For third countries, Talkdesk relies on Standard Contractual Clauses (SCCs) under the EC’s model contracts.

 

Third-Party Risk Management and Due Diligence

Effectively managing subprocessor risk is central to maintaining compliance, security, and trust. Some key practices that Talkdesk follows for third-party / subprocessor risk management: 

1. Due Diligence Before Engagement, which includes security and privacy inquiries, legal compliance evaluation, reference checks, and background and contractual provisions.

2. Contracts and Binding Commitments, which include clauses mirroring processor obligations (confidentiality, security, audits, assistance with data subject rights, deletion/return of data), the use of standard terms (e.g., SCCs) if cross-border transfers are involved, a clause for cooperation in breach notifications and root cause investigations, and termination rights and migration assistance in the event of a subprocessor breach or inability to perform.

3. Ongoing Monitoring and Audits, including security audits/assessments, performance and compliance monitoring, renewal of certifications, and onboarding and offboarding oversight.

4. Change Management & Notification, which includes maintaining transparent, updated lists of subprocessors and notifying controllers of subprocessor changes, with the right to object to new subprocessors.

5. Incident Management & Remediation, which includes the obligation to notify the processor and controller promptly upon any incident; collaborative investigation, root cause analysis, remediation, and reporting to controllers and (if required) to supervisory authorities; and liability via contractual penalties or indemnities.

6. Exit Planning, with defined exit mechanisms such as migration support, data return, or deletion.

 

For more information or clarification, you can reach out to our privacy team at privacy@talkdesk.com

 

Download Talkdesk’s Subprocessors by Instance 
