Privacy Advisory Series
2026 · Vol. 1
Privacy Advisory — Professional Services

The Subprocessor Problem: You're Responsible for Vendors You've Never Reviewed

Regulators have spent the last two years constructing a framework that holds law firms, CPA practices, and wealth managers accountable not just for their own data security — but for every vendor in their software stack, and every vendor those vendors use. Most small and mid-sized firms are not ready for this.

Audience: Law Firms · CPA Practices · Wealth Managers
Risk Level: High — Active Regulatory Enforcement
Published: 2026
Classification: Public Advisory

Bottom Line

When you sign up for a software platform, you are not contracting with one company. You are entering a data-sharing relationship with every company that platform has contracted with — known as subprocessors. Regulators now require you to know who those subprocessors are, what they do with your client data, and what controls govern them. Most professional services firms cannot answer any of those questions. That is no longer a gap regulators are willing to ignore.

What a Subprocessor Is — and Why You Already Have Dozens of Them

A subprocessor is any third party that a software vendor has authorized to handle data on its behalf. When you use practice management software to store client files, the software vendor does not keep that data on its own infrastructure. It routes it through cloud storage providers, analytics platforms, monitoring tools, authentication services, and infrastructure vendors — each of which may route it further.

The practical result is that your client data does not stay where you put it. It travels. And unless you have reviewed the subprocessor list published in the vendor's Data Processing Addendum — assuming they publish one at all — you have no reliable picture of where it goes.

Why This Matters Specifically for Professional Services

Attorneys, CPAs, and wealth managers handle a category of information that carries elevated confidentiality obligations: financial records, legal strategies, tax filings, estate plans, medical information relevant to matters, and data about clients who are themselves often public figures or business owners with outsized exposure if their information leaks.

A retail company managing a subprocessor exposure event faces reputational and regulatory risk. A law firm managing the same event may face disciplinary proceedings, malpractice exposure, and client notification obligations that trigger secondary consequences for those clients.

The 2024 ABA Legal Technology Survey found that 75% of legal professionals now rely on cloud tools for core firm operations. The majority of those tools have subprocessor chains they have never disclosed to clients and that attorneys have never reviewed. ABA Model Rule 5.3 requires lawyers to make reasonable efforts to ensure that non-lawyer assistance — including vendors — complies with professional obligations. A subprocessor list you've never read is not "reasonable effort."

  • 3,322 data breaches reported in the U.S. in 2025 (ITRC Annual Report)
  • 70% of 2025 breach notifications failed to disclose the attack vector
  • $13M FCC settlement with AT&T for a supply chain breach in 2024

The Regulatory Ratchet: What Changed Between 2022 and 2026

The regulatory framework around third-party vendor oversight has tightened substantially and rapidly. What follows is not an abstract concern about future rules. These are active requirements with passed deadlines and active enforcement programs.

Wealth Managers
SEC Regulation S-P Amendments (May 2024)

Registered investment advisers, broker-dealers, and investment companies are now required to establish written policies for service provider oversight, including due diligence, monitoring, and 72-hour breach notification requirements. Larger entities had a December 3, 2025 compliance deadline. Smaller RIAs must comply by June 3, 2026. "Customer information" is now defined to include all client data handled by third parties on the firm's behalf — even data that originated elsewhere.

CPA Firms
FTC Safeguards Rule (GLBA) — Updated 2021–2024

The FTC classifies CPA firms and tax preparers as financial institutions under the Gramm-Leach-Bliley Act. The Safeguards Rule's amended provisions require documented vendor oversight programs. As of May 2024, breach reporting to the FTC is mandatory when 500 or more consumer records are compromised. The rule explicitly places responsibility for vendor compliance on the covered firm — not the vendor.

Law Firms
ABA Formal Opinion 512 (July 2024) + Ethics Rule 5.3

The ABA's first formal guidance on generative AI tools held that attorneys using AI platforms must ensure client information remains confidential, obtain informed consent for certain uses, and actively oversee vendor data practices under Rule 1.6 and Rule 5.3. The NYC Bar's Formal Opinion 2024-3 extended this to cybersecurity incidents: lawyers must evaluate whether client data held by third-party vendors has been compromised and notify clients accordingly.

All Entities — State Level
30-Day Breach Notification Mandates

New York Governor Hochul signed a firm 30-day breach notification deadline in December 2024, joining Colorado, Florida, Maine, and Washington. California's SB 446 set a similar 30-day window effective 2026. These laws apply to any business that "maintains" personal data — not just companies that own it. If your vendor is breached and your client data is exposed, the clock starts on you when you find out — regardless of which server it lived on.

The Supply Chain Enforcement Signal

In 2024, the FCC settled with AT&T for $13 million over a supply chain breach in which a vendor's systems were compromised, exposing customer data AT&T was responsible for. AT&T was required to update its data governance and supply chain integrity practices. The enforcement message is explicit: a breach at a vendor you contracted with is a breach you are accountable for.

GDPR enforcement bodies in Europe have sent the same signal. The European Data Protection Board is prioritizing supply chain security in 2025–2026, with a focus on "the liability of processors who serve multiple controllers." U.S. regulators are following the same trajectory.


Where the Exposure Lives: Industry-Specific Risk Breakdown

01 · Law Firms

Law firms face a threefold exposure surface: professional ethics rules impose stricter-than-average confidentiality obligations, client data is often highly sensitive by nature, and the legal technology market has consolidated around a small number of cloud platforms that aggregate data into rich subprocessor chains.

  • Practice Mgmt: Platforms like Clio and MyCase serve as the operational core of most small and mid-sized firms — matter management, client communications, billing, document storage, and payments. Each publishes a subprocessor list in its Data Processing Addendum. Those lists include cloud infrastructure providers, analytics vendors, payment processors, and monitoring services. Most firms have never read them and have no written DPA in place with their provider.
  • E-Signature: DocuSign, Adobe Sign, and similar platforms retain signed documents — including client identities, financial terms, legal matter details, and deal structures — on third-party infrastructure with their own subprocessor chains. Behavioral analytics layers collect page dwell time, re-open events, and device fingerprints. These platforms rarely have signed DPAs with small law firms. The subprocessor exposure on a single real estate closing or estate plan is substantial.
  • AI Drafting: ABA Formal Opinion 512 addressed this directly in July 2024: when staff use generative AI tools to draft letters, summarize discovery, or review documents, client names and matter details enter platforms with broad data retention rights. Most consumer-tier AI platforms retain input data to train future models by default. Using ChatGPT or Microsoft Copilot for client work without reviewing data handling terms is likely a Rule 1.6 violation in most jurisdictions.
  • Client Portal: Secure client portals embedded in practice management platforms or operated through standalone services pass authentication and document data through third-party identity management vendors, CDN providers, and session analytics tools. A secure portal that routes through an unreviewed subprocessor is not, in practice, secure.

ABA Model Rule 5.3 requires supervising attorneys to make reasonable efforts to ensure that vendor conduct is compatible with professional obligations. That standard cannot be met by a firm that has never identified its vendors' subprocessors.

02 · CPA and Tax Practices

The FTC classifies CPA firms as financial institutions under GLBA. That is not a hypothetical or a recent development — it has been the governing framework since the Safeguards Rule's original passage. What changed between 2021 and 2024 is that the rule now requires documented, auditable vendor oversight programs. "My IT vendor handles it" is, per regulators, evidence of negligence, not a defense.

  • Tax Software: Drake, ProConnect, Lacerte, and UltraTax are widely used by small practices. Each routes return preparation data — including Social Security numbers, income figures, account numbers, and business financial records — through cloud infrastructure and third-party modules. Many firms are not aware that federal tax return data processed through cloud-connected software may pass through data centers in jurisdictions the IRS guidance does not cover.
  • Client Portals: Document delivery portals used to share tax returns, financial statements, and audit materials operate their own subprocessor chains. If a client portal vendor is breached, the firm holding the subscription is the covered entity responsible for breach notification — not the portal vendor, regardless of what the vendor's terms say.
  • Practice Mgmt: Workflow and client management tools used in accounting practices (including cloud-connected scheduling, billing, and workflow tools) aggregate client PII in systems governed by vendor terms most practitioners have not read. The FTC Safeguards Rule requires firms to identify all third parties with access to customer information and maintain documented oversight programs.
  • IRS WISP: The IRS requires every tax and accounting firm to maintain a Written Information Security Plan that addresses vendor oversight. The IRS Security Summit has made clear that WISP compliance is not satisfied by listing vendor names — it requires documented risk assessments, safeguard clauses in vendor contracts, and evidence of ongoing monitoring. Most solo and small-firm WISPs do not meet this standard.

FTC Safeguards Rule penalties reach $50,120 per violation, per day. As of May 2024, covered entities must notify the FTC within 30 days of a breach affecting 500 or more consumer records. The question is not whether a breach will happen, but whether the firm can demonstrate it had a functioning vendor oversight program when it did.

03 · Wealth Management and RIAs

Wealth managers hold a uniquely sensitive data profile: not just names and addresses, but account values, estate structures, trust arrangements, business ownership interests, tax situations, and family relationship data. This is a target-rich data set for threat actors and a legally complex one for regulators. The SEC's May 2024 Reg S-P amendments made vendor oversight a first-class compliance obligation with hard deadlines.

  • CRM Platforms: Salesforce, Redtail, and Wealthbox are the dominant CRM platforms in wealth management. Each operates an extensive subprocessor infrastructure. Salesforce's subprocessor list is publicly available and runs to multiple pages of global infrastructure providers. Client relationship data — notes, holdings summaries, meeting records, estate planning details — flows through this infrastructure. Most firms have no written service provider agreement that meets Reg S-P's oversight requirements.
  • Fintech Aggregators: Account aggregation tools like Plaid and Yodlee are frequently integrated into client-facing portals or planning tools. These services request credentials for or access tokens to client financial accounts, aggregate holdings data, and share it through their own API infrastructure. The exposure profile of a high-net-worth client's account data sitting inside a fintech aggregator's platform is not trivial — and the aggregator's subprocessor chain is rarely reviewed by the RIA that enabled the integration.
  • Planning Software: Financial planning platforms used to model retirement, estate, and insurance scenarios ingest sensitive client financial data and often integrate with cloud-based analytics and AI modules. Several major planning platforms have expanded into AI-assisted analysis, triggering the same data handling concerns as AI drafting tools in legal contexts.
  • Reg S-P Gap: The SEC's amended Reg S-P requires RIAs to: (1) establish written policies for service provider oversight, (2) require service providers to notify the firm within 72 hours of a breach, and (3) maintain records documenting compliance. Smaller RIAs have until June 3, 2026 to comply. Most have not started. SEC examinations conducted after that deadline will assess compliance with these requirements directly.

The SEC's amended Regulation S-P defines "customer information" to include all client data handled by third parties on the firm's behalf — even data that originated with another institution. A breach at a portfolio reporting vendor or an account aggregator is a breach your firm is responsible for disclosing.


What Regulators Are Actually Looking For

Across all three regulatory frameworks — SEC Reg S-P, FTC Safeguards Rule, and state breach notification laws — the evidentiary standard is similar: regulators want to see that a firm had a functioning, documented vendor oversight program before an incident occurred. Retroactive remediation after a breach is not a defense. It is, in many cases, an admission of prior non-compliance.

In practical terms, regulators conducting examinations or investigations are looking for:

Item | What They Want to See | Most Firms Have…
Vendor Inventory | A documented list of all service providers with access to customer or client information | No list. A vague sense of the major platforms.
Subprocessor Mapping | Evidence that the firm has reviewed vendor subprocessor lists and assessed downstream exposure | Never reviewed. No idea the lists exist.
Contractual Safeguards | Written agreements or DPAs with service providers including data protection requirements | Clicked through the vendor's standard ToS.
Breach Notification Protocols | Written procedures requiring vendors to notify the firm within a defined window of a breach | No protocol. No contractual notification requirement.
Risk Assessment Documentation | Periodic assessment records showing the firm evaluated vendor risks over time | No documentation. "The IT guy checks on things."
Incident Response Plan | A written plan that includes vendor breach scenarios and client notification procedures | No plan. Or a template downloaded from the internet and never updated.

What to Do: A Tiered Action Framework

The goal of this advisory is not to create alarm but to create a clear picture of a gap that has specific, addressable components. The following framework is organized by time horizon and practical complexity.

Immediate (Within 30 Days)

  • Inventory: List every software platform your firm uses that touches client data. Include practice management, email, document storage, e-signature, client portals, billing, CRM, and any AI tools used by staff. This is your system inventory baseline.
  • Locate DPAs: For each platform on your list, find the Data Processing Addendum or subprocessor disclosure page. These are typically buried in the legal or privacy section of the vendor's website. Start with your highest-volume platforms.
  • AI Audit: Identify any generative AI tools currently in use by staff. Review whether those tools are consumer-tier (which typically retain input data) or enterprise-tier (which typically provide data isolation commitments). This is not optional — it is a live ethics exposure under ABA Formal Opinion 512 for any firm using AI in legal work.

90-Day Actions

  • Subprocessor Map: For each major platform, document the subprocessors identified in the DPA. Record what data each subprocessor accesses, where they are located, and what data protection commitments govern the relationship. This map is the foundation of every regulatory requirement above.
  • Contract Gaps: Identify which vendors have no DPA in place. Request one. For vendors unwilling to provide a DPA, document that gap and assess whether the platform represents an acceptable risk level for the type of data it handles.
  • WISP / ISP Update: CPA firms: update your IRS Written Information Security Plan to include vendor oversight language and the results of your inventory. Wealth managers: update or create a Reg S-P-compliant information security program with a service provider oversight section. Law firms: document your vendor review process in a written policy that can be produced in a disciplinary or malpractice proceeding.

Structural (Ongoing)

  • DPA Review Cycle: Establish a review cycle — at minimum annually, and triggered by any new platform adoption — for subprocessor lists. Vendors add and change subprocessors. HubSpot, for example, publishes its subprocessor updates with 30-day notice and allows clients to subscribe to change notifications. Build a process to receive and review these updates.
  • Breach Protocol: Build a written incident response plan that includes a vendor breach scenario: what constitutes reportable exposure, who is responsible for making the regulatory notification, and what the notification must contain. Map this to the 30-day notification windows now in effect in New York and California and applicable under Reg S-P and the Safeguards Rule.
  • Reduce Surface: The simplest subprocessor risk mitigation is reducing the number of platforms. Consolidating to fewer, well-reviewed tools with strong data handling terms reduces the attack surface and simplifies the oversight program. Software sprawl is a privacy risk, not just an operational one.

On Engagement Letters and Client Disclosure

Several state bar opinions have begun flagging the question of whether clients should be informed that their data may be processed by third-party vendors and subprocessors. This is currently a gray area in most U.S. jurisdictions — but it is moving toward required disclosure, particularly for AI tool use under ABA Opinion 512's informed consent guidance. Updating engagement letters to address cloud storage and third-party data processing now is a forward-looking risk management step, not a retroactive fix.


About Occu·NX

Occu·NX (pronounced OH-kyoo-en-ex) is a privacy-first systems and risk consultancy serving small and mid-sized professional services firms in Charlotte, Greenville, and Atlanta. Our work focuses on subprocessor mapping, AI data exposure analysis, and business privacy audits — the structural components of a defensible data governance program, not software resale or IT maintenance.

This advisory is research-based and published without byline in the Occu·NX Privacy Advisory series. It does not constitute legal or regulatory advice. Firms with specific compliance obligations should consult qualified counsel familiar with their regulatory environment.

Sources & References
  • ABA 2024 Legal Technology Survey: American Bar Association Legal Technology Resource Center. 75% cloud adoption figure. Published 2024.
  • ABA Formal Opinion 512 (2024): Standing Committee on Ethics and Professional Responsibility. Generative AI tools and confidentiality obligations under Model Rules 1.6, 1.4, 5.3. July 29, 2024.
  • NYC Bar Formal Opinion 2024-3: Ethical Obligations Relating to a Cybersecurity Incident. New York City Bar Association, August 2024.
  • SEC Regulation S-P Amendments: Advisers Act Release No. IA-6604. Service provider oversight, 72-hour breach notification, recordkeeping requirements. Adopted May 15–16, 2024. Large entity compliance: Dec. 3, 2025; small entities: June 3, 2026.
  • FTC Safeguards Rule: 16 C.F.R. Part 314 (GLBA). Amended 2021; breach notification provisions effective May 2024. Applies to CPA firms and tax preparers as financial institutions.
  • IRS Written Information Security Plan (WISP): IRS Publication 5708; IRS Publication 4557, Safeguarding Taxpayer Data. IRS Security Summit guidance on vendor oversight documentation requirements.
  • AT&T / FCC Supply Chain Settlement: $13M FCC settlement, 2024. Supply chain breach resulting in customer data exposure. AT&T required to update data governance and supply chain integrity practices.
  • ITRC 2025 Annual Data Breach Report: Identity Theft Resource Center. 3,322 breaches in 2025; 70% of breach notifications did not disclose attack vector. Published February 2026.
  • Perkins Coie — 2025 Breach Notification Law Update: State breach notification timelines; New York 30-day rule (signed Dec. 24, 2024); California SB 446. Published 2025.
  • GDPR Enforcement & Data Breach Landscape 2025–2026: ComplianceHub.Wiki synthesis of GDPR enforcement trends; EDPB supply chain security focus; corporate leadership personal accountability signal.
  • ABA Model Rule 5.3: Responsibilities Regarding Nonlawyer Assistance. Requires law firms to make reasonable efforts to ensure vendors comply with professional obligations.
  • Paul Hastings / CBIZ / Alston & Bird — Reg S-P Analysis: Multiple law firm client alerts on Reg S-P compliance requirements. December 2025.

This advisory is published for informational purposes only and does not constitute legal, regulatory, tax, or professional compliance advice. The regulatory landscape described herein changes frequently. Firms with specific compliance obligations should consult qualified legal counsel and compliance professionals familiar with their regulatory environment and jurisdiction. Occu·NX is a privacy and risk consultancy; it is not a law firm, accounting firm, or registered investment adviser. © 2026 Occu·NX. All rights reserved.