DPA

Data processing agreement

dee-pee-AY

A contract between a data controller and data processor that defines how personal data will be handled, required under GDPR.

A DPA is a legal contract that defines how a vendor (data processor) will handle personal data on behalf of a customer (data controller). GDPR requires one whenever personal data is shared with a third party for processing.

The DPA specifies what data is processed, for what purpose, how long it is retained, what security measures are in place, and what happens when the contract ends. It also covers sub-processors: if your vendor uses another vendor that touches the data, that chain needs to be documented.

For SaaS companies, DPAs are a routine part of enterprise sales. Every customer in the EU will ask for one. Most companies publish a standard DPA on their website. Larger customers may negotiate custom terms. DPAs typically include standard contractual clauses as an annex for cross-border data transfers.

Examples

A European company signs up for an analytics platform.

Before the contract is final, the customer's legal team requires a signed DPA. The analytics platform shares its standard DPA template, which lists AWS and Google Cloud as sub-processors.

A SaaS company adds a new sub-processor.

The company switches from one email provider to another. Under the DPA terms, the company must notify all customers of the sub-processor change and give them 30 days to object.

A customer requests data deletion after contract termination.

The DPA states that all customer data will be deleted within 90 days of contract end. The engineering team runs the deletion process and provides a certificate of destruction.

Frequently asked questions

Who needs a DPA?

Any company that processes personal data on behalf of another company under GDPR. If you are a SaaS vendor and your customer's user data flows through your systems, you need a DPA with that customer.

Is a DPA the same as an NDA?

No. An NDA protects confidential business information. A DPA specifically addresses personal data processing under privacy regulations like GDPR. A company may need both.
