Rudrriv remains accountable
Using a subcontractor does not remove Rudrriv’s responsibility for the services and obligations assigned to Rudrriv under the applicable customer agreement.
Rudrriv uses a risk-based process to evaluate, approve, oversee and offboard subcontractors and subprocessors. Specialist capability is used where it adds value without reducing accountability for information, quality, continuity or contractual commitments.
Rudrriv manages subcontractors as an extension of its service-risk environment—not as an unmanaged handoff. Before material work or access begins, the need, role, data, systems, location, dependency and customer obligations are considered. Controls are then applied according to the risk and documented scope.
Rudrriv may use different types of third parties across professional services, technology, cloud infrastructure and operational support. The exact providers, safeguards, customer rights and processing locations depend on the contracted service and should be confirmed in the applicable agreement or due-diligence process.
A third party engaged to perform part of a service, activity or contractual obligation.
A processor engaged by another processor to process personal data on a controller’s behalf.
These principles support consistent decision-making across professional-service providers, independent specialists, cloud platforms, technology vendors and other delivery partners.
Using a subcontractor does not remove Rudrriv’s responsibility for the services and obligations assigned to Rudrriv under the applicable customer agreement.
Review depth is based on the work performed, information involved, system access, delivery dependency, location, legal requirements and potential customer impact.
Relevant confidentiality, security, privacy, service, audit, incident, continuity and deletion requirements are addressed through appropriate written terms.
Subcontractors should receive only the information, systems and permissions needed for an approved purpose and defined period.
Rudrriv seeks to understand who supports delivery, what they do, where material processing occurs and which risks require ongoing oversight.
Governance covers selection, onboarding, operation, change, incident response, renewal, access removal, return or deletion and transition.
The depth of each stage is proportionate to the subcontractor’s access, criticality and potential impact. Low-risk suppliers do not require the same review as a provider that handles sensitive data or supports a critical service.
Define the business need, service boundary, data involved, systems required, delivery location, criticality and customer commitments.
Assess capability, ownership, security, privacy, confidentiality, continuity, legal status, reputation and relevant assurance evidence.
Obtain the required business, delivery, security, privacy, legal or customer approval before access or material work begins.
Set written obligations, permitted use, access boundaries, reporting duties, service expectations and onboarding controls.
Track performance, material changes, access, issues, incidents, control evidence and renewal requirements proportionate to risk.
Remove access, recover assets, return or delete information, preserve required records and support an orderly handover.
Not every control applies identically to every relationship. The applicable contract, customer requirements, access model, data sensitivity, jurisdiction and provider capability determine the final control set.
Control boundary: Customer-managed systems, customer-selected platforms and customer-mandated providers can create shared responsibilities. Those responsibilities should be documented so approval, configuration, monitoring, incident response and access removal are not assumed or duplicated.
This table explains Rudrriv’s general approach. It is not a substitute for the service agreement, data processing agreement, statement of work or approved subprocessor schedule.
| Topic | Rudrriv approach | What the customer should confirm |
|---|---|---|
| Use of subcontractors | Rudrriv may use qualified subcontractors where appropriate for service delivery, subject to the applicable agreement, approved scope and risk. | The customer agreement remains the controlling document for any restrictions, approval rights or service-specific commitments. |
| Responsibility | Rudrriv does not treat subcontracting as a transfer of its contractual accountability. | Customers continue to engage Rudrriv as the responsible contracting party unless the agreement expressly states otherwise. |
| Subprocessor authorisation | Where Rudrriv acts as a processor and engages another processor, authorisation and notice are handled according to the applicable data processing terms and law. | Service-specific subprocessor information can be addressed during contracting or a privacy and security review. |
| Material changes | Changes that materially affect an agreed service, data flow, location, risk profile or customer right are reviewed before implementation. | Notice, objection or approval mechanisms apply only where required by the contract or applicable law. |
| Evidence and assurance | Rudrriv may request policies, questionnaires, reports, certifications, testing summaries or other evidence proportionate to the risk. | Evidence availability can be limited by confidentiality, licensing, security and the scope of the supplier relationship. |
| Termination | Access, information, assets and transition obligations are addressed when a subcontractor relationship ends. | Return, deletion, retention and handover follow the applicable contract, legal requirements and technical capabilities. |
Where Rudrriv acts as a processor, the use of subprocessors is governed by the applicable data processing terms, documented instructions and relevant privacy law. The objective is sufficient transparency, appropriate authorisation and protection that continues through the processing chain.
This page does not state that every Rudrriv service uses the same providers, countries, data flows or transfer mechanisms. Those details must be confirmed for the service being purchased.
For relevant services, Rudrriv seeks sufficient information about the identity, role, location and processing activities of material subprocessors.
Personal data should be processed only for documented service purposes and according to the controller’s instructions as reflected in the applicable terms.
Data protection obligations appropriate to the processing are intended to flow down to subprocessors through written terms.
Cross-border processing and transfer mechanisms are assessed where applicable to the service, data, countries and customer requirements.
Relevant subcontractors may be required to support requests, investigations, audits, incidents and regulatory obligations within their service boundary.
Retention, return and deletion obligations are defined according to the contract, legal requirements, backup design and technical feasibility.
Subcontractor governance must respond when the service, provider, location, risk or customer impact changes.
Rudrriv’s approach is informed by widely recognised security, supply-chain and privacy guidance. These references help structure governance but do not create a certification claim.
Provides a risk-based management-system reference that includes supplier relationships, supplier agreements and monitoring of supplier services.
Provides guidance for establishing, managing and improving information-security practices across supplier relationships.
Supports identification, assessment and treatment of cybersecurity risks across products, services and supply-chain relationships.
Includes cybersecurity supply-chain risk management outcomes within the Govern function and supports repeatable risk oversight.
Organises supply-chain security around understanding risks, establishing control, checking arrangements and continuous improvement.
Provides European data-protection guidance on controller, processor and subprocessor obligations, transparency and sufficient guarantees.
These answers provide general information. Service-specific commitments are defined by the applicable contract, statement of work, data processing terms and approved supporting documents.
Last reviewed: July 2026
Share your service scope, data categories, location restrictions, approval requirements and due-diligence process so subcontractor and subprocessor responsibilities can be defined early.