A Data Processing Agreement is the contract that turns a vendor's general terms of service into a legally compliant privacy arrangement. If a vendor processes personal data on your behalf — and most B2B SaaS vendors do — GDPR Article 28 requires a written DPA between you (the controller) and them (the processor). CCPA, UK GDPR, and most modern privacy laws have equivalent requirements.
What a DPA must cover
Article 28(3) is specific about the minimum contents:
- Subject matter and duration of the processing.
- Nature and purpose of the processing.
- Type of personal data and categories of data subjects.
- Obligations and rights of the controller.
- A binding clause requiring the processor to:
  - Process data only on documented controller instructions.
  - Ensure personnel handling data are bound by confidentiality.
  - Implement appropriate technical and organisational security measures (Article 32).
  - Engage subprocessors only with prior authorisation.
  - Assist the controller with data subject requests, breach notifications, and DPIAs.
  - Delete or return all personal data at the end of the engagement.
  - Make available all information necessary to demonstrate compliance, including audits.
Most vendors publish a standard DPA online (Stripe, AWS, Google, etc.). Larger customers can sometimes negotiate redlines; smaller customers usually accept the published version.
What to actually check when reviewing one
Beyond the legal minimum, the practical questions are:
- Subprocessor list. Does the DPA reference an external list, and is that list maintained and dated? How are you notified of changes?
- Subprocessor change notice period. 14 days, 30 days, "reasonable advance notice"? Shorter than 14 days is a yellow flag.
- Audit rights. Most DPAs limit audits to "third-party attestation reports" (SOC 2, ISO 27001) rather than physical site audits. That's industry standard but worth confirming.
- Data location. Where is the data stored, and where is it processed? Cross-border transfers need a separate basis (SCCs, adequacy decision).
- Breach notification. GDPR requires notice to the controller "without undue delay." Many DPAs spell out 48 or 72 hours; some say "without undue delay" with no number, which is weaker.
- Use of customer data for AI training. Newer concern: does the vendor or its subprocessors use customer data to train AI models? The DPA should explicitly prohibit it for any data the vendor processes on your behalf.
Why this matters operationally
A DPA isn't a set-and-forget document. The subprocessor list it references changes over time, sometimes monthly. Auditors increasingly want evidence that you're tracking those changes — not just that you have a DPA on file. Thorgate's job in this picture is the ongoing-monitoring side: did the vendor add a new subprocessor, change retention, change jurisdictions, or quietly update the DPA itself?
A DPA you signed two years ago and haven't looked at since does not, by itself, demonstrate vendor oversight to a SOC 2 or GDPR auditor.
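The tracking described above can be reduced to a small, repeatable check: keep dated snapshots of each vendor's published subprocessor list, diff them, and compare the notice you actually received against the DPA's notice period. The following is an added example written for this page, not Thorgate's code or any vendor's tooling; the vendor, subprocessor names, locations and dates are constructed, and the 14-day threshold is the yellow-flag line from the review checklist above.

```python
from dataclasses import dataclass
from datetime import date

MIN_NOTICE_DAYS = 14  # the page's threshold: shorter advance notice is a yellow flag

@dataclass(frozen=True)
class Subprocessor:
    name: str
    location: str  # jurisdiction where the data is stored or processed

# Constructed snapshots of a hypothetical vendor's published subprocessor list,
# captured on two dates. Not a real vendor's list.
SNAPSHOT_PREV = [
    Subprocessor("CloudHost Inc", "EU (Frankfurt)"),
    Subprocessor("MailRelay Ltd", "UK"),
    Subprocessor("Analytics Co", "EU (Dublin)"),
]
SNAPSHOT_CURR = [
    Subprocessor("CloudHost Inc", "EU (Frankfurt)"),
    Subprocessor("Analytics Co", "US (Virginia)"),
    Subprocessor("SupportDesk LLC", "US"),
]

def diff_subprocessors(prev, curr):
    """Return (added, removed, relocated) subprocessor names between two snapshots."""
    prev_by_name = {s.name: s for s in prev}
    curr_by_name = {s.name: s for s in curr}
    added = sorted(set(curr_by_name) - set(prev_by_name))
    removed = sorted(set(prev_by_name) - set(curr_by_name))
    relocated = sorted(n for n in set(prev_by_name) & set(curr_by_name)
                       if prev_by_name[n].location != curr_by_name[n].location)
    return added, removed, relocated

def review_change(prev, curr, notified_on, effective_on):
    """Findings for one list update: what changed, and whether the notice met the DPA."""
    added, removed, relocated = diff_subprocessors(prev, curr)
    findings = []
    notice_days = (effective_on - notified_on).days
    if (added or relocated) and notice_days < MIN_NOTICE_DAYS:
        findings.append(f"only {notice_days} days' notice (DPA minimum {MIN_NOTICE_DAYS})")
    findings += [f"new subprocessor: {n}" for n in added]
    findings += [f"jurisdiction change: {n}; check transfer basis (SCCs/adequacy)"
                 for n in relocated]
    findings += [f"removed subprocessor: {n}; confirm deletion or return of data"
                 for n in removed]
    return findings
```

Calling `review_change(SNAPSHOT_PREV, SNAPSHOT_CURR, date(2024, 1, 25), date(2024, 2, 1))` on the sample data reports a new subprocessor, a relocation from the EU to the US, a removal, and a notice period of only 7 days; the list of findings, kept with the dated snapshots, is the kind of evidence an auditor asks for.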