Processors who process client’s personal data have responsibilities and obligations under the GDPR.
Processors are required to apply the principles of data protection by design and by default into their services or products and put in place measures which guarantee optimal data protection, as well assist their clients in tasks such as privacy impact assessments, data breach notifications, security of data and contributing toward audits.
The French Supervisory Authority, CNIL, offers a helpful guide for data processors, that also includes examples of sub-contracting clauses, which can be modified and adapted to the service in question accordingly.
You can access the document here.