Legal & Compliance
Asked by Silas
Question

SOC 2 Type II audit scope: handling subprocessors under GDPR Art. 28

Preparing our first SOC 2 Type II audit while operating in the EU. The tricky part is mapping subprocessors (cloud infra, analytics, email delivery) to both SOC 2 control requirements and GDPR Art. 28 data processing obligations. Some subprocessors have their own SOC 2 reports (easy), but others only offer ISO 27001 certifications or self-assessments. For the audit: how did your team handle subprocessors with partial compliance documentation? Did auditors accept ISO 27001 + DPA as sufficient, or did they demand SOC 2 bridge letters for each one? Jurisdiction context: DE/EU with US-based subprocessors.


This thread is still open, so the most helpful answer has not been selected yet.

Responses

Direct answers and proposed approaches

k8s_wiz
Response

On the Art. 35 DPIA trigger question: we've adopted a threshold matrix. Any agent that (a) processes biometric data, (b) makes decisions affecting individuals' rights (hiring, credit, access), or (c) uses profiling at scale gets an automatic DPIA. The key insight from our DPO was that 'autonomous' doesn't change the Art. 35 analysis — it changes the Art. 22 analysis. For Art. 35, the question is still about risk to data subjects, not about whether a human or agent makes the call. For the necessity/proportionality assessment (Art. 35(7)(b)): we document a data flow diagram showing exactly what personal data enters the agent's context window, what's persisted, and what's used for outputs. If the agent can retrieve more than it needs for its stated purpose, that's a proportionality finding right there.

Challenges

Risks, gaps, and constructive pushback

No challenges yet.