Data Processing Agreement (DPA): What It Is and When You Need One
Ask most startup founders if they have Data Processing Agreements in place, and the answer is usually no.
This is one of the most common — and most serious — GDPR compliance gaps a business can have.
Under GDPR Article 28, you are legally required to have a signed Data Processing Agreement (DPA) with every third-party service that processes personal data on your behalf.
This is not optional. It is a fundamental element of GDPR compliance, and the absence of DPAs has been cited in numerous regulatory enforcement actions and enterprise procurement failures.
This guide explains exactly what a DPA is, when you need one, what it must contain, and how to manage them efficiently.
What Is a Data Processing Agreement?
A Data Processing Agreement is a legally binding contract between a data controller (the business that determines the purpose and means of processing personal data) and a data processor (a third party that processes personal data on behalf of the controller).
In simple terms: if you use a software tool or service that handles your users' personal data, that tool is your data processor — and you need a DPA in place before they process any data.
The Legal Requirement: GDPR Article 28
GDPR Article 28 states that processing by a processor shall be governed by a contract or other legal act that is binding on the processor with regard to the controller. The contract must set out specifically:
- The subject matter and duration of the processing
- The nature and purpose of the processing
- The type of personal data and categories of data subjects
- The obligations and rights of the controller
The Article also specifies mandatory obligations that must be placed on the processor in the DPA — these are non-negotiable minimums set by the regulation itself.
Data Controller vs Data Processor vs Sub-Processor
Data Controller
Your business — you decide what data is collected and why. You are responsible for compliance and for ensuring your processors have appropriate DPAs in place.
Data Processor
Any third-party service processing personal data on your behalf. They must follow your instructions and implement appropriate security measures. Examples include:
- Email platforms (Mailchimp, SendGrid, Postmark)
- Analytics tools (Google Analytics, Mixpanel, Amplitude)
- CRM systems (HubSpot, Salesforce, Pipedrive)
- Customer support tools (Intercom, Zendesk, Freshdesk)
- Payment processors (Stripe, PayPal)
- Cloud hosting (AWS, Google Cloud, Azure)
- Video conferencing (Zoom, Google Meet, Teams)
- HR software (BambooHR, Workday, Charlie)
Sub-Processor
When your processor uses another service to help them process your data. For example, your CRM may use AWS for hosting — AWS is a sub-processor. Your processor must inform you of sub-processors and give you the ability to object to new ones.
When Do You Need a DPA?
You need a DPA whenever you instruct a third party to process personal data on your behalf. The key test is whether the third party is processing the data to provide a service to you — not for their own independent purposes.
Situations that require a DPA:
- You use Mailchimp to send emails to your user list
- You use Google Analytics to track behaviour on your website
- You use Stripe to process customer payments
- You use HubSpot to manage customer relationships
- You use AWS or Google Cloud to host your application
- You use Intercom to manage customer support conversations
- You use Zoom for customer calls
- You use a payroll provider to process employee salaries
Situations that do not require a DPA (but may require other contractual provisions):
- Your bank or financial institution (they are a controller, not your processor)
- Your legal advisors (lawyer-client privilege applies)
- Regulatory authorities (they operate under their own legal powers)
The 12 Mandatory Elements of a GDPR-Compliant DPA
GDPR Article 28 specifies that the DPA must stipulate that the processor shall:
1. Process Only on Your Instructions
The processor must only process personal data on documented instructions from you, except where required to do so by law.
2. Ensure Confidentiality
All persons authorised to process the data must be subject to a confidentiality commitment.
3. Implement Appropriate Security Measures
The processor must implement appropriate technical and organisational security measures — referencing GDPR Article 32.
4. Engage Sub-Processors Only With Your Consent
The processor must not engage another processor (sub-processor) without prior written authorisation from you. They must impose the same data protection obligations on sub-processors.
5. Assist With Data Subject Rights
The processor must assist you in responding to data subject rights requests (access, deletion, correction, portability).
6. Assist With Security Obligations
The processor must assist you in meeting your obligations under GDPR Articles 32–36, including breach notification and DPIAs.
7. Delete or Return Data at End of Service
At the end of the contract, the processor must delete or return all personal data, as directed by you.
8. Provide Audit Assistance
The processor must make available all information necessary to demonstrate compliance and allow for audits by you or your appointed auditor.
9. Subject Matter and Duration
The DPA must specify what data is being processed and for how long.
10. Nature and Purpose of Processing
Clearly define what the processor is doing with the data and why.
11. Types of Personal Data and Categories of Data Subjects
Specify the categories of data being processed and who the data subjects are.
12. Rights and Obligations of the Controller
Clearly document your responsibilities as the controller — the instructions you are giving the processor and the oversight you will maintain.
How to Obtain DPAs From Your Vendors
Most major software providers have pre-drafted DPAs that you can sign or accept through their platform. Here is how to approach this:
- Check the vendor's website: DPAs are usually linked in the legal or privacy section
- Log in and accept digitally: Many providers (Google, Stripe, AWS) require you to accept the DPA through your account settings
- Contact the vendor: For providers without a published DPA, contact their legal or data protection team
- Review before accepting: Even pre-drafted DPAs should be reviewed against the GDPR Article 28 requirements
Managing DPAs at Scale — Vendor Registry Best Practices
As you add tools and services, the number of DPAs you manage can grow quickly. Best practices include:
- Maintain a vendor registry documenting every third-party tool that processes your users' data
- Record the DPA status for each vendor (signed/accepted, date, version)
- Log the sub-processors disclosed by each vendor
- Set review reminders to check for DPA updates when vendors update their terms
- Include DPA requirements in your vendor onboarding process
Standard Contractual Clauses (SCCs) for International Transfers
When your DPA involves transferring personal data outside the EEA (e.g., from the EU to US-based tools), your DPA must also incorporate Standard Contractual Clauses (SCCs) — pre-approved contract terms that provide GDPR-adequate safeguards for international transfers.
The European Commission updated the SCCs in 2021, and these updated clauses should be used in any DPA involving international data transfers. The major US cloud providers (Google, Amazon, Microsoft) include updated SCCs in their DPAs by default.
How PolicyOwn Helps with DPA Documentation
PolicyOwn generates DPA templates and compliance documentation that align with GDPR Article 28 requirements. For SaaS companies that need to offer DPAs to their own customers, PolicyOwn creates customer-facing DPAs that:
- Include all mandatory GDPR Article 28 provisions
- Address sub-processor disclosure requirements
- Include updated SCC language for international transfers
- Are written clearly and professionally
- Are fully customisable for your specific service
Visit https://policyown.com/ to build your DPA documentation today.
Frequently Asked Questions
Does Stripe have a DPA I can sign?
Yes. Stripe provides a Data Processing Agreement that you can access and accept through your Stripe dashboard under legal and privacy settings.
What happens if I use a processor without a DPA?
This is a GDPR violation. Even if the processor itself is compliant, your failure to have a DPA in place means you cannot demonstrate the contractual controls required under Article 28. This exposes you to regulatory fines and is typically cited in enforcement actions.
Does my DPA need to be physically signed?
No. Electronic acceptance (including clicking "I agree" to a DPA in your account settings) is legally valid, provided you retain a record of acceptance.
Does a DPA replace a privacy policy?
No. A DPA is a business-to-business contract between you and your vendors. A privacy policy is a public-facing notice to your users. Both are required and serve different purposes.
Final Thoughts
DPAs are not paperwork for paperwork's sake. They are the legal mechanism that makes your entire data processing ecosystem compliant with GDPR.
Without them, every third-party tool you use is a compliance risk. With them, you have a documented, auditable record of your processor relationships — and a much stronger legal position if you ever face a regulatory inquiry.
Build your DPA documentation and compliance stack at PolicyOwn — GDPR-aligned and ready in minutes.