Which regulatory agencies enforce this type of clause?

{'agency': 'FTC', 'reason': 'FTC Act Section 5 covers deceptive practices regarding data sharing with third parties; inadequate sub-processor disclosure and chain-of-custody failures can constitute unfair or deceptive data practices.', 'complaint_url': 'https://reportfraud.ftc.gov/'}

What is the severity of this clause?

ConductAtlas classifies this Sub-Processor Disclosure and Data Processing Agreements clause as medium severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

Sub-Processor Disclosure and Data Processing Agreements — Glean

Share 𝕏 Share in Share 🔒 PDF

What it is

Glean uses third-party vendors (sub-processors) to help deliver its services and requires those vendors to follow data protection rules, with a list of sub-processors available on request.

Consumer impact (what this means for users)

Your workplace data may be processed by multiple third-party vendors used by Glean, not just Glean itself, which expands the potential exposure of your personal information.

Cross-platform context

See how other platforms handle Sub-Processor Disclosure and Data Processing Agreements and similar clauses.

Compare across platforms →

Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

Enterprise customers need to know exactly which sub-processors handle their employees' data to assess risk and ensure GDPR Article 28 chain-of-custody compliance; a list that is only available 'on request' rather than prominently published creates transparency concerns.

View original clause language

When Glean engages sub-processors to process personal data on its behalf, Glean enters into data processing agreements with those sub-processors that require them to process personal data only as instructed and to implement appropriate security measures. A list of Glean's sub-processors is available upon request or through our website.

Institutional analysis (Compliance & legal intelligence)

REGULATORY FRAMEWORK: GDPR Article 28(2) requires controllers to authorize use of sub-processors and mandates that processors impose equivalent data protection obligations on sub-processors by contract. Article 28(4) requires flow-down of all processor obligations. Failure to obtain prior written authorization for new sub-processors is a direct GDPR violation. UK GDPR imposes the same requirements. The ICO and EU DPAs (particularly the Irish DPC for US tech companies) enforce these obligations.

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

FTC

FTC Act Section 5 covers deceptive practices regarding data sharing with third parties; inadequate sub-processor disclosure and chain-of-custody failures can constitute unfair or deceptive data practices.
File a complaint →

Provision details

Document information

Document

Glean Privacy Policy

Entity

Glean

Document last updated

April 29, 2026

Tracking information

First tracked

April 30, 2026

Last verified

April 30, 2026

Record ID

CA-P-004385

Document ID

CA-D-00505

Evidence Provenance

Source URL

https://www.glean.com/privacy-policy

Wayback Machine

View archived versions →

SHA-256

bf35161360eff21ce3dcd83598198afb291214ea440a7d5ff199884f65aef203

Verified

✓ Snapshot stored ✓ Change verified

How to Cite

ConductAtlas Policy Archive
Entity: Glean | Document: Glean Privacy Policy | Record: CA-P-004385
Captured: 2026-04-30 09:15:11 UTC | SHA-256: bf35161360eff21c…
URL: https://conductatlas.com/platform/glean/glean-privacy-policy/sub-processor-disclosure-and-data-processing-agreements/
Accessed: May 2, 2026

Classification

Severity

Medium

Sub-Processor Disclosure and Data Processing Agreements