Data Processing Agreement Template

// template

A DPA is required when you use vendors who process personal data on your behalf. Here's what needs to be in it.

// required elements

Subject matter and duration of processing. Nature and purpose of processing. Type of personal data. Categories of data subjects. Rights and obligations of the controller.

// processor obligations

Process only on documented instructions from the controller. Ensure personnel confidentiality. Implement appropriate security measures. Assist with data subject requests. Delete or return data at the end of the engagement. Make information available for audits.

// subprocessor requirements

Prior authorization for subprocessors. Flow-down of the same data protection obligations to each subprocessor. Processor remains liable for subprocessor actions.

// practical notes

Most major SaaS vendors have their own DPAs. Your job is to review them, not draft from scratch. Look for: clear security commitments, reasonable audit rights, subprocessor lists, and breach notification timelines.

Red flags: unlimited liability carve-outs, no subprocessor transparency, vague security commitments.