Data Processing Agreement

Ryan Rutan

A Data Processing Agreement (DPA) is the contract between a data controller and a data processor required by GDPR Article 28 and similar privacy regulations. The controller is the company that decides why and how personal data is processed; the processor is the vendor that handles data on the controller's behalf. The DPA specifies what security measures the processor will maintain, what the processor can and cannot do with the data, breach notification procedures, sub-processor restrictions, and data subject rights handling. DPAs are mandatory whenever a vendor processes personal data on behalf of a company subject to GDPR (or analogous regulations like CCPA). If a vendor handles personal data of your EU users, you need a DPA with that vendor.

The required contents (per GDPR Article 28):

Subject matter and duration: what processing is being done, for how long.

Nature and purpose of processing: what types of data, for what purpose.

Type of personal data and categories of data subjects: customer data, employee data, EU residents, etc.

Controller obligations and rights: what the controller must do and is entitled to.

Processor obligations:

  • Process only on documented controller instructions.
  • Ensure personnel confidentiality.
  • Implement security measures (Article 32).
  • Engage sub-processors only with controller authorization.
  • Assist controller with data subject rights requests.
  • Assist with breach notification.
  • Delete or return data at end of contract.
  • Make available information demonstrating compliance.

Sub-processor terms:

  • List of approved sub-processors.
  • Notification process for new sub-processors.
  • Flow-down of DPA terms to sub-processors.

International transfers:

  • Standard Contractual Clauses (SCCs) if the processor or any sub-processor is outside the EU.
  • Or other transfer mechanism (adequacy decision, etc.).

Security measures:

  • Technical and organizational measures.
  • Often references SOC 2 or ISO 27001 attestations.

Breach notification:

  • Processor must notify controller without undue delay (typically 24-72 hours).
  • Sufficient information for controller to meet 72-hour GDPR notification requirement.

Audit rights:

  • Controller right to audit processor.
  • Often satisfied via third-party audit reports.

Common DPA scenarios:

SaaS vendor DPAs: most B2B SaaS vendors have standard DPAs. Customer signs vendor's form or vendor signs customer's form.

Cloud infrastructure DPAs: AWS, Google Cloud, Azure all have DPAs.

Marketing tools: email providers, analytics, ad platforms all process personal data and require DPAs.

Sub-processors: a vendor's sub-processors (often listed in the DPA) also need DPAs back to the vendor.

Ryan's Take

If a vendor touches your users' personal data, you need a DPA with them, full stop. Use the vendor's standard form when you can, since it saves a negotiation you don't need to have, and make sure the terms flow down to their subprocessors too. Keep an inventory so you can produce them on demand. The friction is small. Explaining a missing DPA during a breach response or audit is not.

What founders get wrong: skipping DPAs with vendors that process personal data, then facing GDPR exposure when those vendors have incidents. The right discipline: a DPA with every processor of personal data; the vendor's standard form when possible; an inventory that is kept current.

Related: GDPR Compliance · Privacy Policy · Vendor Contract · SOC 2 Compliance · Mutual NDA

FAQ

What is a Data Processing Agreement?
The contract between a data controller and data processor required by GDPR Article 28, specifying how personal data will be processed, what security measures will be maintained, breach notification, sub-processor restrictions, and data subject rights handling.

When do I need a DPA?
Whenever a vendor processes personal data on behalf of your company subject to GDPR or similar privacy regulations. This includes SaaS vendors, cloud infrastructure, marketing tools, analytics platforms, and any vendor handling EU resident data.

What goes in a DPA?
Subject matter, processing purpose, data types, controller obligations, processor obligations (security, sub-processors, breach notification, data subject rights), international transfer mechanisms (SCCs), and audit rights. Standard requirements from GDPR Article 28.
