Controller vs Processor
The legal distinction between the party that determines the purposes and means of processing personal data (controller) and the party that processes it on the controller's behalf (processor). Subprocessors sit one layer further down the chain.
Overview
The controller/processor distinction is the foundational division of responsibility in every US state privacy law. It determines which party owes which obligations to the consumer — who must publish a privacy notice, who must honor DSARs, who must obtain consent, and who bears the primary regulatory penalty when something goes wrong.
- A controller (CCPA calls this a "business") is the entity that, alone or jointly, decides why and how personal data is processed.
- A processor ("service provider" in CCPA; "processor" everywhere else) processes personal data on behalf of a controller and only on the controller's documented instructions.
- A subprocessor is a processor engaged by another processor to assist with the controller's work.
The label is not self-assigned — regulators apply a functional test. An entity that unilaterally combines the controller's data with other data for its own purposes, or that uses the data for its own marketing, is operating as a separate controller regardless of what the contract calls it.
When It Applies
The controller/processor/subprocessor framework applies to every flow of personal data between two entities. Before any such flow, the parties should be able to answer:
- Who decided to collect this data, and for what purpose?
- Who decides when it is deleted?
- Who the consumer will contact to exercise rights?
- Who is the downstream recipient, and what is their role?
A misclassification is costly. If a controller treats a true-third-party recipient as a processor, transfers to that recipient are unlawful sales under CCPA and require opt-out notice. If a processor operates outside the controller's instructions, it becomes a controller in its own right and inherits the full notice, rights-response, and DPIA burden.
Variations Across Jurisdictions
The concept is uniform; the terminology and nuances differ.
| Jurisdiction | Controller Term | Processor Term | Notable Nuance |
|---|---|---|---|
| California (CCPA/CPRA) | Business | Service provider (or contractor) | Distinguishes "service provider" (paid) from "contractor" (other relationship); "third party" is the residual bucket |
| Virginia, Colorado, Connecticut, 17 other state laws | Controller | Processor | Aligned with GDPR terminology |
| GDPR | Controller | Processor | Original source; also recognizes "joint controllers" |
| HIPAA | Covered entity | Business associate | Parallel but distinct concept; a HIPAA business associate usually doubles as a privacy-law processor |
Joint controllers arise when two entities genuinely share purpose-setting — for example, a commercial landlord and a property-management company that jointly decide what COI data to collect and how long to retain it. Joint controllers must agree in writing how responsibilities are divided.
Subprocessors are permitted under every state law but only with the controller's prior written authorization (sometimes general, sometimes specific) and a flow-down of equivalent terms. The DPA (see DPA) is the instrument that establishes and manages the chain.
How Inori Handles This
Inori operates as a processor for every customer and as a controller only for its own first-party relationships (employees, billing contacts, leads responding to marketing).
Grounding in code and policy:
- Role declaration —
src/content/legal/privacy.mdxv1.2 explicitly declares Inori's processor role for customer data and controller role for Inori's own operations. - Purpose binding —
src/content/legal/dpa.mdxincorporates the customer's purposes; Inori's APIs atsrc/app/api/only process tenant-scoped data on tenant-owner instructions. - Subprocessor transparency — current list at
/legal/subprocessors(Anthropic, Supabase, Firebase, Vercel; Stripe/Resend/S3 pending LLC). Changes trigger customer notice per DPA. - Controller carve-outs — first-party data (employees, marketing leads) is segregated in a separate Supabase schema and governed by the first-party privacy notice.
- DSAR routing —
src/app/api/dsar/automatically forwards any request received about controller-owned data to the correct customer tenant rather than fulfilling it directly, preserving the processor role. - GPC handling —
middleware.ts:respectGpcapplies the GPC signal to Inori's first-party controller contexts (marketing site); processor contexts inherit the customer's GPC posture.
Related Concepts
The DPA is the contract that formalizes the controller/processor relationship. The DPIA is the risk analysis the controller owes before sharing data with a processor for high-risk processing. In the commercial real-estate vendor context, the Certificate of Insurance attests to the vendor's insurance coverage — the DPA attests to its privacy posture; the two instruments answer complementary questions about the vendor relationship.
See how Inori handles controller vs processor
Try our free COI checker first, or start a free trial of the full platform.