A Data Processing Agreement (DPA) is the contract addendum that governs how a vendor (the processor) handles personal data on behalf of the customer (the controller). It is required by GDPR Article 28, with equivalent obligations under the UK Data Protection Act, CCPA/CPRA, Brazil's LGPD, and most modern privacy regimes. The DPA is rarely the document the deal teams care about — but it is the document that decides whether your customer data is exposed in a vendor breach.
When you need a DPA
You need a DPA from any vendor that:
- Stores personal data on your behalf (CRM, support desk, marketing automation, analytics)
- Processes personal data on your behalf (enrichment vendors, data brokers, AI services)
- Has access to personal data through a subprocessor relationship (cloud infra, sub-vendors)
You do not need a DPA from vendors that never touch personal data. In practice that set is small: most internal-tool vendors process at least your own employee or business data, and employee data is itself personal data, so most B2B vendors end up needing one.
If a vendor offers both a Standard MSA and a “DPA available on request,” request it. If they don’t have one, that’s a red flag about their privacy maturity.
The 12-point DPA checklist
Every DPA you sign should cover:
| # | Element | What to verify |
|---|---|---|
| 1 | Subject matter and duration | Personal data processed only for service purpose, only for term of MSA |
| 2 | Nature and purpose of processing | Clear description; not “any business purpose” |
| 3 | Categories of data subjects | Customers, prospects, employees, etc. — enumerated |
| 4 | Categories of personal data | What fields are processed (no special categories without express provision) |
| 5 | Controller / processor obligations | Article 28 list — confidentiality, security, subprocessors, audit |
| 6 | Subprocessors | Listed; advance notice of changes; right to object |
| 7 | International transfers | SCCs, adequacy decisions, or equivalent transfer mechanism |
| 8 | Data subject rights assistance | Vendor must help respond to access, deletion, portability requests |
| 9 | Breach notification | Fixed deadline (24-72 hours); what information must be included; which channel is used |
| 10 | Data return / deletion | On termination; certification; retention exceptions documented |
| 11 | Audit rights | Reasonable, on notice; vendor’s most recent SOC 2 / ISO 27001 typically suffices |
| 12 | Liability and indemnification | Aligned with MSA; not capped below regulatory fine exposure |
Vendor templates routinely fail on subprocessor notice (no advance warning, no objection right), international transfers (relying on outdated transfer mechanisms), and breach notification (vague timing, vague channel).
How to operationalize
- Standard DPA template attached to every MSA. Don’t negotiate from the vendor’s DPA — push your standard DPA as the default. Most vendors will accept it.
- Subprocessor list maintained by vendor. Subscribe to subprocessor change notifications. Add to vendor management calendar for review.
- Cross-border transfer audit. Once per year, audit which vendors process EU/UK personal data outside the EEA and verify the transfer mechanism is current (especially after Schrems II / Data Privacy Framework changes).
- Breach notification drill. Annually, simulate a vendor breach notification and verify your team’s response process — who notifies whom, in what time frame, with what regulatory implications.
- AI-vendor DPA scrutiny. AI vendors that train on customer data are a special case — verify the DPA explicitly excludes training use, or that opt-out/no-training mode is contractually guaranteed.
Common pitfalls
- Accepting the vendor’s DPA without negotiation. Vendor DPAs are written for the vendor’s benefit; standard customer concessions hide in the boilerplate.
- Ignoring subprocessor flow-down. Your vendor’s subprocessors process your data — flow-down obligations matter.
- Outdated transfer mechanisms. The EU Standard Contractual Clauses were revised in 2021; some legacy DPAs still reference the old SCCs, which are no longer valid.
- AI training language. Many AI vendor DPAs default to “we may use customer data to improve the service.” Negotiate to explicit no-training, or verify the no-training enterprise tier is what’s being purchased.
- No audit log of DPAs signed. When a regulatory inquiry asks “which vendors process data subject X’s information,” you need to answer in days, not months.
Related
- MSA redlining rubric — the parent contract the DPA attaches to
- Vendor due diligence workflow — the broader vendor onboarding process
- Contract review SOP — the process governing DPA review tier