Data Processing Agreement (DPA)
A Data Processing Agreement is the contract under GDPR Article 28 that binds a processor to specific instructions, security obligations, and sub-processor flow-down requirements.
What is a DPA?
A Data Processing Agreement is a written contract under GDPR Article 28 (and increasingly required under U.S. state privacy laws including the CCPA/CPRA, Virginia's VCDPA, and others) that binds a processor to act only on the controller's documented instructions when processing personal data. The DPA specifies the subject matter and duration of processing, the nature and purpose, the type of personal data, the categories of data subjects, and the controller's instructions.
What a good DPA includes
Beyond the Article 28 minimums, a substantive DPA includes: the security measures the processor implements (Article 32 lists the floor), sub-processor authorization and flow-down obligations, breach notification timelines (GDPR requires "without undue delay" but specific SLAs are negotiable), data return or destruction at termination, audit rights, cross-border transfer mechanisms (SCCs, adequacy, Binding Corporate Rules), and individual rights cooperation (responding to data subject requests).
DPAs for AI vendors
For AI vendors, the DPA must explicitly address: training-data use (whether the processor trains on the controller's prompts and outputs, which is the single most important question), sub-processor disclosure including upstream model APIs, retention policies for prompts and outputs, and data residency. Standard SaaS DPAs often miss the AI-specific clauses entirely. If a vendor's DPA template doesn't mention training data or upstream model APIs, push back; this is the procurement leverage moment.