Yes, but your question makes me think some clarification may be helpful.
The CRM is not “the” data processor, it’s merely “a” data processor. The point being that, while your business is “the” Data Controller, there can be many Data Processors – and sub-processors.
My company, Net-Results (a marketing automation platform), is a Data Processor for all of our customers but not necessarily the only one. We also leverage SendGrid for email delivery, making them a sub-processor for all of our customers.
Our customers may also be sharing data with LinkedIn, Google, Salesforce, or any of literally 1,000’s of other vendors. Any of them would also be considered Data Processors under the GDPR. Among many other requirements, your privacy policy should reflect each of your Data Processors and sub-processors.
