A list of all subcontractors should be kept that includes; the name and contact information for the subcontractor, the work they do for the organization, and what projects or what data that they have access to. This list simplifies the process of managing data and data access permissions.

It is important to organizations to know who has access to their information and where the data is being stored. The organization may have certain requirements about where data is stored and who can access it.

They will want to know that you have a list of all your subcontractors which includes the name and contact information for the subcontractor, the work they do for the organization, and what projects or what data that they have access to. In certain cases, they may ask for a subset of those contractors who will be accessing or storing their data.

Third party data processing is where your organization utilizes the services of another organization to perform some action involving the data supplied or gathered on behalf of the originating party.  That service may store, process, gather, transform, or otherwise have access to the data for your business purposes.

They ask about the use of third party data processing because their use introduces additional factors in their management of data to meet legal and regulatory requirements. Additionally, every party that has access to the data could be a weak spot where the data may be disclosed, changed improperly, or lost.

They expect the disclosure of any use of third parties. The use of third parties will require more information to be provided about the handling of their data by third parties.  Likely, additional questions will include the nature of the relationship to the organization, where the data will be stored and processed, and what security measures will be taken by the third party.