Data Processing Agreement (DPA)
A legally binding contract between a data controller and a data processor that governs how personal data is handled.
A Data Processing Agreement (DPA) is the contract required under GDPR Article 28 whenever a business (the data controller) engages a third-party vendor (the data processor) to process personal data on its behalf. It sets out the subject matter, duration, nature and purpose of the processing, the types of personal data and categories of data subjects involved, and the obligations and rights of the controller.
A DPA must also bind the processor to act only on the controller's documented instructions, to keep its staff under a duty of confidentiality, to implement appropriate security measures, to engage sub-processors only with the controller's prior authorisation, to assist the controller with data-subject requests and security obligations, to delete or return the data when the service ends, and to make available the information needed to demonstrate compliance, including audits. Engaging a processor (a cloud provider, an analytics tool, an email platform) without a contract covering these points is itself a breach of Article 28. Note that a DPA governs the processor relationship only; it does not by itself legitimise transfers of personal data outside the EEA, which need a separate transfer mechanism such as the standard contractual clauses.
Common examples of relationships requiring a DPA include SaaS companies hosting customer data on AWS or Google Cloud, e-commerce stores using Stripe for payment processing, and businesses using email marketing platforms. Whether a given vendor is a processor or an independent controller depends on what it actually does with the data, so check the vendor's own terms before assuming a DPA is the right instrument.