Data Processing Agreement (DPA)

TL;DR: A data processing agreement (DPA), sometimes called a data processing addendum or processor agreement, is a written contract between a data controller and a data processor that allocates responsibilities for handling personal data under GDPR Article 28 and parallel statutes like the UK GDPR, California's CCPA/CPRA service provider rules, and Brazil's LGPD. DPAs are legally mandatory whenever a controller engages a processor to handle personal data on its behalf, and they typically live as an addendum or schedule to a master services agreement, SaaS order form, or vendor contract.

What Is a Data Processing Agreement?

A data processing agreement is a legally required contract that governs the relationship between a data controller (the business that determines the purposes and means of processing personal data) and a data processor (the vendor or service provider that processes personal data on the controller's behalf). The DPA sets out the subject matter, duration, nature, and purpose of processing; the categories of personal data and data subjects; and the specific obligations the processor owes the controller.

Under GDPR Article 28(3), a DPA must address at least eight mandatory topics: documented instructions, confidentiality commitments for personnel, security measures, subprocessor engagement rules, data subject rights assistance, support with breach notification and data protection impact assessments, return or deletion of data at the end of services, and audit rights. Contracts that fail to include these elements are not just unenforceable - they expose both parties to administrative fines of up to 10 million euros or 2 percent of global annual turnover, whichever is higher.

A DPA is distinct from a general confidentiality clause or a broader data protection clause. Confidentiality protects information from disclosure; a DPA allocates statutory data protection obligations. A data protection clause in a master agreement may reference the DPA but rarely substitutes for one. When a vendor both determines processing purposes and processes data (for example, a marketing analytics platform that enriches customer lists), the parties are joint controllers and need a joint controller arrangement under Article 26 rather than a DPA.

DPAs see the heaviest activity in three contexts: SaaS procurement (where every cloud vendor publishes a standard DPA that customers review and sometimes negotiate), cross-border transfers (where DPAs incorporate Standard Contractual Clauses as a Chapter V transfer mechanism), and M&A diligence (where buyers audit the target's DPA inventory for Article 28 gaps and unlawful subprocessing chains).

Why It Matters

  • Legal Mandate, Not a Negotiating Chip: Unlike most commercial clauses, a DPA is not optional. GDPR Article 28, UK GDPR Article 28, and CPRA Section 1798.140(ag) all require a written contract with specified content whenever personal data is processed on another party's behalf. Signing a master services agreement without a DPA leaves both parties in per-se violation.
  • Direct Fines and Joint Liability: Data protection authorities have fined both controllers and processors tens of millions of euros for missing or defective DPAs. The CNIL fined Clearview AI 20 million euros in 2022 for Article 28 violations, and the Irish Data Protection Commission's 2023 Meta decision cited inadequate DPA terms among multiple issues driving a 1.2 billion euro fine.
  • Vendor Risk Transfer: DPAs are the primary mechanism for pushing security, confidentiality, and breach response obligations from the controller onto the processor. Without the DPA, the controller bears full regulatory responsibility for vendor conduct; with a properly drafted DPA, responsibility aligns with control.
  • Cross-Border Transfer Foundation: DPAs typically incorporate the EU Standard Contractual Clauses or UK International Data Transfer Agreement as the legal basis for moving personal data outside the EEA or UK. Without this layer, most SaaS deployments with U.S. vendors are unlawful after Schrems II.
  • Customer Trust and Procurement Gate: Enterprise procurement teams increasingly treat DPA terms as a gating issue before signing a vendor. Vendors without a ready DPA template lose deals; vendors whose DPAs conflict with customer requirements face prolonged negotiation cycles that delay revenue.
  • Breach Response Readiness: The 72-hour GDPR breach notification clock runs from controller awareness. If the DPA fails to obligate the processor to notify the controller "without undue delay," the controller may miss its regulatory deadline and incur penalties even when the root cause lies with the vendor.

Key Elements of a Well-Drafted Data Processing Agreement

  1. Processing Particulars Annex: Include a schedule identifying subject matter, duration, nature, and purpose of processing; categories of personal data; categories of data subjects; and the controller's documented instructions. Article 28(3) requires these specifics in writing.
  2. Documented Instructions Clause: State that the processor will process personal data only on documented instructions from the controller, including regarding transfers to third countries, unless required by applicable law. The clause should obligate the processor to notify the controller of any legal requirement that conflicts with instructions.
  3. Confidentiality of Personnel: Require the processor to ensure that all personnel authorized to process personal data have committed to confidentiality or are under an appropriate statutory duty.
  4. Security Measures (Article 32): Either attach a detailed technical and organizational measures (TOM) schedule or incorporate by reference the processor's security documentation (SOC 2 Type II report, ISO 27001 certificate, cloud provider shared responsibility matrix). Specific measures - encryption at rest and in transit, access controls, logging - should be enumerated.
  5. Subprocessor Controls: Address whether the processor needs prior specific authorization or may rely on general authorization with 14 to 30 days' advance notice and a right to object. List existing subprocessors in an annex. Flow down equivalent Article 28 obligations to every subprocessor.
  6. Data Subject Rights Assistance: Obligate the processor to assist the controller in responding to access, rectification, erasure, restriction, portability, and objection requests, taking into account the nature of processing and the information available to the processor.
  7. Breach Notification Timeline: Require notification of personal data breaches "without undue delay" after the processor becomes aware, and specify a contractual maximum such as 24 or 48 hours. Identify the notification method and minimum content (nature, categories, approximate numbers, likely consequences, measures taken).
  8. Return or Deletion at Termination: Specify whether the processor returns all personal data to the controller or deletes it (at controller's election) at the end of services, with a documented certification of deletion and a defined retention exception for applicable law.
  9. Audit and Inspection Rights: Give the controller a right to audit the processor's compliance through on-site inspection, third-party audits, or review of independent attestations (SOC 2, ISO 27001). Address frequency, cost allocation, reasonable notice, and scope limits for audits.
  10. International Transfer Mechanism: If the processor or any subprocessor operates outside the EEA, UK, or other source jurisdictions without an adequacy decision, incorporate Standard Contractual Clauses (EU 2021/914 or UK IDTA/Addendum) and document a transfer impact assessment.

Market Position & Benchmarks

Where Does Your Clause Fall?

  • Processor-Favorable: Notification of breaches "without undue delay" with no contractual maximum; audit limited to annual SOC 2 review with no on-site right; general authorization for all existing and future subprocessors with 30-day notice; controller bears full cost of any audit; processor's standard TOMs with no commitments to maintain specific certifications; liability cap aligned with the master agreement (often 12 months of fees).
  • Market Standard: Breach notification within 48 to 72 hours of awareness; annual audit via SOC 2/ISO review plus one on-site audit right per year with 30 days' notice; general subprocessor authorization with 14 to 30 days' advance notice and a right to object; processor commits to maintain ISO 27001 and SOC 2 Type II; liability carve-out for data protection breaches above the general cap; SCCs incorporated by reference.
  • Controller-Favorable: Breach notification within 24 hours; unlimited audit rights with reasonable notice and at processor's cost for breach-related audits; prior specific authorization for every subprocessor change; detailed TOM schedule with binding commitments; super-cap or uncapped liability for data protection violations; controller-selected SCC Module with additional safeguards; certified data deletion within 30 days of termination.

Market Data

  • The IAPP-EY 2024 Privacy Governance Report found that 93 percent of organizations operating across the EU maintain DPAs with every processor, up from 71 percent in 2019.
  • According to Vanta's 2024 State of Trust Report, SaaS vendors reported an average of 47 customer-negotiated DPA redlines per enterprise deal, with security measures, subprocessor approval, and breach timelines the most contested terms.
  • Thomson Reuters Practical Law's 2023 DPA Benchmarking Survey indicated that 68 percent of market-standard DPAs require breach notification within 48 hours, 19 percent require 24 hours, and 11 percent use the GDPR default of "without undue delay" without a fixed hour commitment.
  • The European Data Protection Board's 2024 coordinated enforcement action on Article 28 compliance resulted in 156 corrective actions across EU member states, with documented instructions and subprocessor controls cited as the most common deficiencies.
  • OneTrust's 2024 Third-Party Risk Report estimates that enterprise-scale organizations maintain DPAs with an average of 1,247 third-party processors, up from 394 in 2019, reflecting the explosion of SaaS vendor sprawl.
  • Under California's CPRA (effective January 2023), the California Privacy Protection Agency's first enforcement actions in 2024 included multiple findings that service provider contracts failed to include the specific restrictions required under Section 1798.140(ag), triggering the loss of service provider status and converting the vendor into a third party with far greater restrictions.

Sample Language by Position

Processor-Favorable: "Processor will notify Controller without undue delay after becoming aware of a Personal Data Breach. Processor shall maintain industry-standard technical and organizational measures as described in Processor's then-current Security Documentation. Controller may audit Processor's compliance no more than once per twelve (12) month period through review of Processor's most recent SOC 2 Type II report."
Market Standard: "Processor shall notify Controller of a Personal Data Breach without undue delay and in any event within forty-eight (48) hours of becoming aware, including the information required by Article 33(3) GDPR to the extent reasonably available. Processor shall implement and maintain the technical and organizational measures set forth in Schedule 2 (TOMs) and shall maintain ISO 27001 certification and annual SOC 2 Type II attestation throughout the term. Controller may audit compliance through (a) review of Processor's independent audit reports on request, and (b) one (1) on-site audit per calendar year with thirty (30) days' prior written notice."
Controller-Favorable: "Processor shall notify Controller of any Personal Data Breach within twenty-four (24) hours of becoming aware, by email to the designated Controller contact, including all information reasonably necessary for Controller to meet its notification obligations under Applicable Data Protection Law. Processor shall implement the specific technical and organizational measures set forth in Schedule 2, which Processor may not materially diminish without Controller's prior written consent. Controller may audit Processor's compliance at any reasonable time, with costs to be borne by Processor in the event the audit identifies a material breach of this DPA."

Example Clause Language

A subprocessor authorization clause in an enterprise SaaS DPA with a list of existing subprocessors in an annex:

"Controller provides general authorization for Processor's engagement of the subprocessors listed in Schedule 3 as of the Effective Date. Processor shall notify Controller at least fourteen (14) days before authorizing any new subprocessor or replacing an existing one. Controller may object on reasonable grounds related to data protection within ten (10) days of notice, in which case the parties will work in good faith to address the concern, failing which Controller may terminate the affected service without penalty. Processor shall impose the same Article 28 obligations on each subprocessor by written contract and shall remain fully liable to Controller for subprocessor performance."

An international transfer clause incorporating the EU Standard Contractual Clauses for a controller-to-processor transfer:

"Where Processor processes Personal Data originating in the EEA in a country without an adequacy decision, the parties hereby enter into the Standard Contractual Clauses approved by the European Commission in Decision 2021/914 (Module Two: Controller to Processor), which are incorporated into this DPA by reference. Clause 7 (docking clause) applies. In Clause 9, Option 2 applies, with the time period specified as fourteen (14) days. In Clause 11(a), data subjects may not lodge complaints with an independent dispute resolution body. In Clause 17, Irish law governs. In Clause 18, the courts of Ireland have jurisdiction. The supervisory authority is the Irish Data Protection Commission."

A data return and deletion clause for a contract ending processing:

"Upon termination or expiration of the Services, Processor shall, at Controller's election communicated within thirty (30) days: (a) return all Personal Data to Controller in a commonly used, machine-readable format; or (b) delete all Personal Data, including copies, from Processor's systems and those of subprocessors, and provide Controller with a written certification of deletion signed by an authorized officer. Processor may retain Personal Data only to the extent required by applicable law, in which case Processor shall continue to apply the protections of this DPA to such retained data."

Common Contract Types

  • SaaS and Cloud Services Agreements: The default context for DPAs. Every major SaaS vendor publishes a standard DPA (Salesforce, Microsoft, AWS, Google Cloud, Workday). Enterprise procurement teams redline these heavily.
  • Marketing and Advertising Technology Contracts: Ad tech and martech vendors (HubSpot, Marketo, Segment, LiveRamp) process large volumes of personal data and typically require DPAs with extensive flow-down obligations to downstream partners.
  • Payment Processor and Fintech Agreements: Stripe, Adyen, Plaid, and similar processors combine DPAs with PCI DSS obligations, often as layered addenda to master services agreements.
  • Human Resources Technology Vendors: Workday, ADP, Greenhouse, and payroll providers handle sensitive employee personal data, including sometimes special category data. DPAs in this space often include enhanced TOMs and location restrictions.
  • Customer Support and Contact Center Platforms: Zendesk, Intercom, Salesforce Service Cloud - any platform logging customer communications requires a DPA, with particular attention to recording, transcription, and AI analysis features.
  • Data Analytics and Business Intelligence Tools: Snowflake, Databricks, Looker, Tableau - platforms that process customer or employee data for analytics must sign DPAs, and the controller should verify the lawful basis for any profiling.
  • Security and IT Operations Vendors: MSSPs, SIEM platforms, endpoint detection vendors, and email security providers handle log data containing personal data and require DPAs addressing retention, subprocessing, and cross-border transfers.
  • Professional Services Engagements: Law firms, accounting firms, consulting firms, and BPOs that receive personal data as part of their engagement require DPAs, though some argue law firms act as independent controllers and should use a joint controller or controller-to-controller framework.

Negotiation Playbook

Key Drafting Notes

  • Use a Stand-Alone DPA Addendum, Not Inline Clauses: Because the Article 28 obligations are long, technical, and frequently updated (new SCCs, UK IDTA, Swiss addendum), a separate addendum is easier to version, negotiate, and reuse across vendors. Inline drafting creates drift over time.
  • Align the Breach Clock With the Controller's Regulatory Timeline: The GDPR gives controllers 72 hours to notify supervisory authorities, but that clock starts from controller awareness. Processor notification must be short enough to allow the controller time to investigate and report. A 24- to 48-hour processor commitment is the practical floor.
  • Pick a Subprocessor Model the Controller Can Actually Operate: Prior specific authorization is the strictest form but is impractical for large SaaS vendors with dozens of subprocessors. General authorization with a robust change notice and objection right is market-standard and enforceable.
  • Incorporate SCCs and IDTA By Reference With Precise Module Selection: For cross-border transfers, incorporating the standard forms by reference is cleaner than rewriting. Be explicit about which Module applies, what docking option is used, and which supervisory authority and courts have jurisdiction.
  • Layer Audit Rights Realistically: The controller rarely exercises on-site audit rights but needs them for leverage. A three-tier audit structure (SOC 2 review annually, on-site right in case of material concern, full regulatory cooperation) balances controller needs and processor operational reality.
  • Carve Out Data Protection From the Liability Cap: The general limitation of liability in the master agreement is rarely sufficient for regulatory fines, class actions, and remediation costs from a major breach. Negotiate a super-cap (for example, 2x to 5x annual fees) or an uncapped carve-out for the processor's breach of Article 32 or gross negligence.

Common Pitfalls

  • Missing DPA Altogether: The simplest and most common failure. Procurement signs an MSA, skips the DPA, and the vendor begins processing personal data without the statutorily required contract. Remediate immediately and document the gap in the privacy incident log.
  • Stale SCCs: DPAs signed before June 2021 often reference the 2001/2004/2010 Standard Contractual Clauses, which were superseded by Commission Decision 2021/914. Old SCCs are no longer a lawful transfer mechanism. Every vendor DPA must be refreshed to the 2021 SCCs (and UK IDTA for UK transfers).
  • Conflicting Terms Between MSA and DPA: When the MSA has a broad data ownership, use, or aggregation right that contradicts the DPA's "documented instructions" limitation, courts and regulators will look to both. Draft an order-of-precedence clause placing the DPA above the MSA on data protection matters.
  • Inadequate TOMs Schedule: A one-paragraph reference to "industry-standard measures" is not a binding commitment. TOMs should be specific, verifiable, and maintained over time. Reference independent certifications and attach a detailed annex.
  • No Flow-Down to Subprocessors: Failing to require Article 28-equivalent terms with every subprocessor breaks the chain and leaves both controller and processor exposed. Periodic verification of subprocessor contracts is part of the controller's due diligence obligation under Article 28(1).
  • Ambiguous Data Return or Deletion Process: "Return or delete upon termination" without specifying format, timeline, certification method, and scope (including backups and subprocessor systems) produces disputes and incomplete deletions that surface in later audits or litigation.

Jurisdiction Notes

  • U.S. (Federal/CCPA/CPRA): California's CPRA (Cal. Civ. Code Section 1798.140(ag) and 1798.100) requires service provider and contractor contracts to include specific terms: limiting processing to business purposes, prohibiting sale or retention outside the contract, requiring notice and cooperation on consumer rights requests, and allowing monitoring. The California Privacy Protection Agency's 2024 enforcement actions have emphasized that DPA-equivalent contract terms are mandatory, not best practice.
  • U.S. (State Privacy Laws): Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), and nineteen additional state privacy laws as of 2025 include processor contract requirements closely modeled on GDPR Article 28. Cross-jurisdictional DPA templates typically satisfy all state requirements through layered terms.
  • EU (GDPR Article 28): The core international template. Article 28(3) mandates the written contract; Article 28(4) flows obligations down to subprocessors; Article 28(10) provides that a processor exceeding instructions becomes a controller for that processing. The EDPB's 2021 Guidelines on Controller and Processor Concepts (07/2020) and the EDPB's 2020 Contractual Requirements Guidelines remain authoritative.
  • U.K. (UK GDPR and DPA 2018): Article 28 obligations survived Brexit in identical form under the retained UK GDPR. Cross-border transfers now use the UK International Data Transfer Agreement (IDTA) or the International Data Transfer Addendum to the EU SCCs, approved by the ICO in 2022.
  • Brazil (LGPD Article 39): Article 39 requires a written contract with similar Article 28 content between controller and operator (processor). The ANPD has published contractual guidance modeled closely on EDPB guidance.
  • Other Jurisdictions: Switzerland's revised FADP, Japan's APPI amendments, South Korea's PIPA, Singapore's PDPA, and India's DPDPA all require some form of processor contract, though specific content and enforcement rigor vary. Multinational vendors typically maintain jurisdiction-specific DPA addenda rather than a single global document.

Related Clauses

  • Data Protection Clause - The general clause in the master agreement that references and incorporates the DPA by attachment.
  • Confidentiality Clause - Covers information beyond personal data, including trade secrets and business confidential information. Operates alongside the DPA.
  • Audit Clause - The DPA's audit right often references or overlaps with the general audit provision in the master agreement.
  • Indemnification - Supplies a contractual remedy when processor breach of the DPA triggers regulatory fines, data subject claims, or class actions.
  • Limitation of Liability - Typically carved back for data protection breaches via super-cap or exclusion from the general cap.
  • Compliance With Laws - Overlaps with DPA requirements and sometimes creates double coverage; draft the precedence clause carefully.
  • Insurance Clause - Cyber and technology E&O coverage requirements are often elevated for processors handling high-risk or sensitive personal data.

This glossary entry is provided for informational and educational purposes only. It does not constitute legal advice, and no attorney-client relationship is formed by reading this content. Consult qualified legal counsel for advice on specific contract matters.