The Security Questionnaire That Started This You land a new enterprise client. The SOW is signed. The kickoff call goes well. Then legal sends over a 47-page security questionnaire, and question 14 reads: "List all sub-processors that will have access to customer data, including the nature of processing, data categories involved, and the jurisdiction of processing infrastructure." You look at your stack. The PDF parsing goes through a US-based extraction API. The image resizing runs through a CDN provider with edge nodes in 40 countries. The document generation uses a SaaS tool that stores templates in AWS us-east-1. And the OCR step — you're not actually sure where that runs. The vendor's docs don't say. This is the moment most technical agencies realize that data security isn't just an engineering problem. It's a supply chain problem. Every third-party service that touches client data is a link in the chain, and your client's legal team is going to pull on every one.…