A data processing agreement governs how a processor handles personal data on behalf of a controller or customer.
A Data Processing Agreement (DPA) is the contract required under GDPR Article 28 between a data controller and a data processor that handles personal data on the controller's behalf. It defines what data can be processed, how, by whom, and under what safeguards.
Or 4% of global revenue, whichever is higher. Maximum GDPR fine for failing to maintain a valid DPA or transparent data transfer language. The DPA is no longer optional — its absence disqualifies vendors in most enterprise procurement processes.
Source: GDPR Article 83(5); EDPB updated subprocessor guidance 2024.
TL;DR
- DPAs are required between data controllers and processors when personal data is handled under GDPR.
- Subprocessors require prior authorization plus binding sub-DPAs that provide equivalent protection.
- Cross-border transfers need Standard Contractual Clauses or an adequacy decision.
- Vallor reads every DPA in your portfolio, surfaces gaps, and tracks subprocessor changes over time.
Anatomy of a DPA
Sample clause (SaaS DPA between controller and processor), with numbered annotations in brackets:
DATA PROCESSING AGREEMENT
1. ROLES. Customer is the data controller [1]; Vendor is the data processor [2].
2. SCOPE. Vendor shall process personal data only on documented instructions from Customer [3].
3. SUBPROCESSORS. Vendor may engage subprocessors only with Customer's prior written authorization [4].
4. TRANSFERS. Cross-border transfers shall be governed by Standard Contractual Clauses (SCCs) where required [5].
5. AUDITS. Customer may audit Vendor's compliance upon reasonable notice [6].
Annotations:
[1] Controller role: The party that decides why and how personal data is processed. Carries primary GDPR liability.
[2] Processor role: The party that processes data on the controller's behalf. Carries direct GDPR liability for its own breaches.
[3] Documented instructions: The processor cannot act outside what the controller has authorized. Verbal instructions are insufficient.
[4] Subprocessor authorization: Most enterprise breach disputes start here. Listing approved subprocessors at signing is now best practice.
[5] Cross-border transfers: Post-Schrems II, US transfers require SCCs plus supplementary measures. Adequacy decisions cover only a handful of countries.
[6] Audit rights: Customer can verify processor compliance. Most contracts qualify this with reasonable notice and confidentiality.
How Vallor handles data processing agreements
1. Extract roles, scope, and subprocessor lists from every DPA: Vallor structures controller, processor, scope, subprocessors, transfer mechanism, and audit rights into queryable fields.
2. Compare each DPA to your privacy playbook: Surface DPAs that have permissive subprocessor language, missing SCCs, weak audit rights, or non-compliant breach notification windows.
3. Track subprocessor changes over time: Most vendors update their subprocessor lists 2-4x per year. Vallor surfaces additions so your privacy team can approve or object on time.
4. Answer 'where does our data go?' across the portfolio: Cited answers with the source DPA visible. Audit-ready by default.
Where teams trip up
✗ Signing a DPA without listing approved subprocessors: If subprocessors are not enumerated at signing, every vendor change becomes a re-negotiation. Best practice: list current subprocessors as an annex.
✗ Missing the 72-hour breach notification window: GDPR requires processors to notify controllers 'without undue delay'. Most DPAs translate that to 24-72 hours. Late notice is itself a violation.
✗ Not tracking the SCC version: The 2021 SCCs replaced the 2010 ones. Contracts still referencing the old version are non-compliant for transfers initiated after Dec 27, 2022.
✗ Treating DPAs as legal-only documents: Procurement and security teams use the DPA daily. If they cannot find it or query it, the controls are theoretical.
FAQ
Is a DPA required for every vendor that processes personal data?
Yes, under GDPR Article 28, any processor handling personal data on a controller's behalf must have a written DPA in place. The absence of a DPA exposes both parties to regulatory fines.
What is the difference between a DPA and an NDA?
An NDA protects confidential information of any type. A DPA specifically governs how personal data is processed, including the legal roles, technical safeguards, subprocessor management, and cross-border transfer rules required by GDPR.
Do I need a DPA with subprocessors my vendor uses?
Not directly, but your vendor (the processor) must have a binding sub-DPA with each of its subprocessors that provides at least equivalent protection. You authorize subprocessors; your vendor contracts them.
How does Vallor handle DPA updates from vendors?
Vallor monitors each vendor's DPA and trust pages, flags subprocessor additions and SCC changes, and routes the diff to your privacy team with the source language cited.
Does Vallor itself sign DPAs with its customers?
Yes. Vallor enters into DPAs with every customer who processes personal data through the platform, with current SCCs and a published subprocessor list.
Last updated: 2026-05-21. Part of Vallor's contract intelligence glossary.