Data Processing Agreement

A Data Processing Agreement (DPA) is a legally binding contract between a data controller and a data processor that governs how personal data is collected, processed, stored and transferred. Most privacy laws, GDPR being the most prominent, require one whenever an outside party handles personal data on your behalf.

How It Works

At its core, a DPA answers a few basic questions: what data is being processed, why and under what conditions. It sets out security requirements, confidentiality obligations and each party's rights. It also covers the less obvious stuff, like whether the processor can bring in subprocessors, what happens if there's a breach and how data gets returned or deleted when the relationship ends.

In practice, organisations sign DPAs when onboarding cloud providers, SaaS vendors, payroll services and anyone else who touches personal data on their behalf. It's become a standard step in vendor contracting, not an optional one.

Why Legal & CLM Teams Should Care

Here's where legal teams often run into trouble. A DPA gets signed during vendor onboarding, filed away and never looked at again until something goes wrong.

Privacy regulations don't leave much room for that approach. If a vendor mishandles personal data and there's no properly executed DPA in place, the liability falls on the controller. A well-drafted DPA creates a clear paper trail of obligations, defines breach reporting timelines and gives legal teams something to point to if a regulatory question comes up.

For teams managing dozens or hundreds of vendor relationships, tracking DPA status and obligations becomes as important as signing them in the first place.

Example Use Case

A company rolls out a new SaaS platform to manage employee records. The vendor processes personal data on the company's behalf, so both parties sign a DPA before go-live.

The agreement spells out how employee data can be used, what security standards the vendor must meet and how quickly they need to report a breach. Six months later, the vendor flags a security incident. Because the DPA was in place, the company knows exactly what to expect and how to respond.

How It Relates to Adjacent Concepts

DPAs rarely travel alone. They're commonly paired with Non-Disclosure Agreements (NDAs) and service agreements when sensitive data is involved. They also connect directly to vendor management workflows and contract lifecycle management systems that track when DPAs were signed, what they require and when they need to be reviewed.

As regulations evolve, keeping DPAs current has become an ongoing obligation, not a one-time task.

FAQs

When is a data processing agreement required?

Whenever one organisation processes personal data on behalf of another. Under GDPR this is a hard requirement, and several other privacy laws follow similar logic.

Who signs a Data Processing Agreement?

The data controller, which decides how personal data is used, and the data processor, which handles it on the controller's behalf. Both parties have obligations under the agreement.

What should a data processing agreement include?

Processing instructions, security requirements, confidentiality obligations, subprocessor terms, breach notification timelines and provisions for returning or deleting data when the agreement ends.

Related Terms

• Non-Disclosure Agreement
• Service Level Agreement
• Master Service Agreement
• Obligation Management
• Contract Lifecycle Management
• Audit Trail

Looking to manage vendor agreements and compliance obligations more effectively? Explore SpotDraft Contract Management or request a demo to see how teams track contractual obligations and regulatory requirements in one place.