DPA (Data Processing Agreement)
Contract between a data controller and processor required under GDPR. Defines scope, security measures, subprocessors, and liability.
A Data Processing Agreement is a contract required under Article 28 of GDPR between a data controller (the party that decides why and how personal data is processed) and a data processor (the party processing it on the controller's behalf). Every SaaS vendor that handles EU personal data on behalf of its customers needs DPAs in place with those customers, and every subprocessor (cloud provider, analytics tool, support platform) needs a DPA from the SaaS vendor in turn. The agreement defines the scope and duration of processing, the purposes, the categories of data and data subjects, security measures, breach notification timelines, audit rights, subprocessor authorisation, and liability allocation; Article 28(3) lists the terms the contract must contain as a minimum.
For a funded SaaS, DPA management quickly becomes the unsung labor of compliance. Every new enterprise customer wants their own DPA signed, often with their own template attached. Every new vendor added to the stack (a new analytics tool, a new outbound platform) needs an outbound DPA executed before personal data flows. The number of DPAs in motion grows roughly linearly with revenue and headcount, and by Series B most teams are juggling 40 to 80 active agreements. Without a tracking system the work falls through cracks, expires silently, or accumulates inconsistent terms that fail under enterprise security review.
The practical compliance setup uses a DPA template aligned with current Standard Contractual Clauses for international transfers, a tracked subprocessor list published on the public site, and a signing workflow that captures DPAs alongside the master service agreement. Funded teams running an AI Ops Department automate the operational layer: tracking expirations, refreshing template clauses when SCCs update, maintaining the subprocessor list, and producing DPAs on demand for enterprise security reviews. The fractional CISO or DPO reviews the substantive terms; the agents handle the workflow that otherwise eats hours per deal.
- A Series A SaaS maintains 47 active customer DPAs and 18 vendor DPAs through a single tracking workflow, with auto-alerts 60 days before any expire.
- A fintech updates its DPA template to the 2021 EU Standard Contractual Clauses (mandatory for legacy contracts since 27 December 2022) and pushes the refresh to 31 enterprise customers in 14 days, satisfying renewal-cycle compliance checks.
- A vertical AI company publishes a public subprocessor list with 24 entries and a change-notification mechanism, satisfying the GDPR Article 28(2) requirement to inform controllers of intended subprocessor changes under a general written authorisation, and passing every enterprise review that asks for it.
What is the difference between a controller and a processor?
Do I need a DPA with every vendor?
Should I use my DPA template or sign the customer one?
What goes in a subprocessor list?
EOI runs fractional AI departments for funded teams under 50. Sales, Content, Ops, Support. Live in 14 days on a monthly retainer.