When is a DPA legally required?

Whenever a data controller engages a processor to handle personal data of EU or EEA residents. Controllers and processors outside the EU are equally covered if they process EU residents' data. The UK has its own near-identical regime under the UK GDPR.

What is the difference between a DPA and a contract of services?

A contract of services (or master service agreement) covers the commercial relationship — scope, price, SLA. A DPA specifically covers data protection and can be a standalone document, an annex, or a section of the main contract. Most mature SaaS vendors use a standalone DPA that is incorporated by reference.

Do I need a new DPA for each customer?

Most vendors maintain a single DPA template that they use with all customers, negotiating only customer-specific supplements (e.g., a specific sub-processor list or audit frequency). A standard DPA speeds procurement; per-customer bespoke DPAs slow deal cycles substantially.

Data Processing Agreement (DPA)

Data Processing Addendum · Article 28 DPA · GDPR DPA

A Data Processing Agreement (DPA) is a contract between a data controller and a data processor that defines how personal data may be processed on the controller's behalf. Under GDPR Article 28, a DPA is mandatory whenever a controller uses a processor and must cover subject matter, duration, scope, and the processor's obligations.

What a DPA actually does

A DPA translates GDPR's abstract processor obligations into concrete contractual commitments. It defines what data is processed and why, how long, who counts as a sub-processor and how they are approved, what security measures apply, how data breaches are reported, how audit rights work, what happens at the end of the relationship, and how international transfers are handled. For any SaaS vendor that stores or processes personal data on behalf of EU-facing customers, a compliant DPA is a sales prerequisite — procurement teams will not sign without one. For customers, the DPA is what makes the vendor legally accountable for the security commitments the marketing pages promise.

Why it matters

GDPR fines are calculated as a percentage of global revenue, and DPAs are the primary contractual mechanism controllers use to allocate compliance risk. A weak DPA leaves the controller exposed if the processor mishandles data; a strong DPA forces concrete security commitments, audit rights, and prompt breach notification. For vendors, DPA quality is a deal-size predictor: enterprise customers require mature DPAs with specific sub-processor lists, audit rights, and defined breach-notification timelines. A generic template no longer clears enterprise procurement.

Common pitfalls

1.Sub-processor list is missing or out of date — GDPR requires the controller to know who actually touches their data.
2.Breach-notification deadline is vague — "as soon as possible" gets replaced with concrete hour counts (24, 48, 72) in mature DPAs.
3.Audit rights are absent or purely hypothetical — controllers typically need either on-site audit or a recent SOC 2 / ISO 27001 report.
4.International transfer mechanism is unspecified — post-Schrems II, DPAs must name the transfer mechanism (SCCs, adequacy decision) and cover supplementary measures.
5.Return or deletion of data at termination is optional — GDPR makes this mandatory; the DPA should specify which and by when.

Frequently asked questions

When is a DPA legally required?: Whenever a data controller engages a processor to handle personal data of EU or EEA residents. Controllers and processors outside the EU are equally covered if they process EU residents' data. The UK has its own near-identical regime under the UK GDPR.
What is the difference between a DPA and a contract of services?: A contract of services (or master service agreement) covers the commercial relationship — scope, price, SLA. A DPA specifically covers data protection and can be a standalone document, an annex, or a section of the main contract. Most mature SaaS vendors use a standalone DPA that is incorporated by reference.
Do I need a new DPA for each customer?: Most vendors maintain a single DPA template that they use with all customers, negotiating only customer-specific supplements (e.g., a specific sub-processor list or audit frequency). A standard DPA speeds procurement; per-customer bespoke DPAs slow deal cycles substantially.

Your DPA with Attorly is ready to review

Attorly ships a GDPR-Article-28-compliant DPA covering encryption at rest and in transit, Bring-Your-Own-Key on Enterprise, and breach notification within 72 hours.

See Attorly's DPA

Data Processing Agreement (DPA)

What a DPA actually does

Why it matters

Common pitfalls

Related terms

Frequently asked questions

Your DPA with Attorly is ready to review

Data Processing Agreement (DPA)

What a DPA actually does

Why it matters

Common pitfalls

Related terms

Frequently asked questions

Your DPA with Attorly is ready to review