Go to kintent.com

Docy Child

Updated on March 16, 2023

Vendor vs Subprocessor vs Third-Party Supplier

Estimated reading: 3 minutes 24 views

Overview

These three terms are often used interchangeably, but, are so very different. Highlighting the differences is necessary, especially for customers tailoring their processing agreements or preparing for GDPR.

Overall, in the context of business, vendors, third-party suppliers and sub processors are all entities that provide goods and services to another company. Now, let’s dive into some key differences among them.

Vendors

In general, vendors are typically a third-party company or organization and are often associated with technology or software. But they can provide a wide range of products or services, including office supplies, furniture, raw materials and consulting services.

Vendors are often used to procure goods or services that are necessary for the operation of the company, but are not directly involved in the production or delivery of the company’s products or services.

For example, a vendor may provide cloud hosting services, software tools, or consulting services to an organization (or data controller for GDPR context). While the vendor may have access to personal data in order to provide these services, it does not process the data on behalf of the company that uses them.

Third-Party Suppliers

A third-party supplier is a company or individual and is typically involved in the production or delivery of the purchasing company’s products or services.

Suppliers are often associated with manufacturing or production, but they can provide a wide range of products or services, including raw materials, equipment, components, or sub-assemblies that are used in the production of the final product, or they may provide services such as logistics, warehousing, or transportation.

Subprocessors

A subprocessor is a third-party company or organization that processes personal data on behalf of an organization (or data controller for GDPR context), and is typically engaged by a vendor. For example, if a company (data controller) uses a cloud hosting vendor to store personal data, the vendor may engage a subprocessor to provide backup or database management services. The subprocessor would then process the personal data on behalf of the vendor, and by extension, on behalf of the organization/data controller.

Summary

To recap:

  • Vendors are organizations that provides services or products. Vendors are involved in the operation of an organization as opposed to the production and delivery aspects. Vendors may store, transmit data, but, do not process data on behalf of the organization
  • Third-party suppliers are companies or individuals that are directly involved with the production or delivery of product/services.
  • Subprocessors specifically, processes personal data on behalf of the organization.
Compliance 101 - Previous Policy Best Practices Next - Compliance 101 Is a Board of Directors (BoD) required for SOC 2?

Join the conversation

ON THIS PAGE
SUBSCRIBE
FlightSchool
SHARE THIS ARTICLE
Twitter Facebook LinkedIn

FlightSchool is the fun way to learn about compliance, trust, and TrustCloud’s products.

© 2023 TrustCloud Corporation. All rights reserved.
TrustOps® is a registered trademark of TrustCloud Corporation.

FlightSchool RSS Feed

TOPICS

Platform

ABOUT US

AICPA
Monitored by TrustCloud

❤️  Joyfully crafted by a 100% distributed team.