The Anatomy of a Data Processing Agreement (DPA)

If your SaaS company is doing business with Enterprise companies or handling personal data in general, you’ll likely be required by your Enterprise customers to sign a Data Processing Agreement in addition to your standard Terms of Service/Software as a Service Agreement.

In case you’re not familiar, a Data Processing Agreement (DPA), sometimes called a Data Processing Addendum, is a legally binding document entered into between you (the Processor of data and the Provider of Services) and your customer (the Controller of data and the Customer) that regulates the specifics around data processing – like scope, purpose, and the relationship between your companies.

DPA’s used to be required only when if you’re doing business with Customers who host data subject to the European Union General Data Protection Regulation (GDPR), but more recently, have become a standard if you’re handling ANY personal data due to the continuing onslaught of data privacy regulations worldwide. DPA’s are not just for our customers, either. You should enter into DPA’s with your vendors to also ensure that they are appropriately protecting and processing any personal data that you may be handling.

This post will give you a high level overview of a Data Processing Agreement.

  • Definitions – Your DPA should lay out specifics around what you define as Personal Data, and what data privacy regulations you are referring to (such as the CCPA, GDPR, etc.). Further, this section should also lay out what you consider a security breach, and any other undefined terms throughout the agreement.
  • Personal Information Types and Processing Purposes – Explicitly lay out what type of personal information you will be processing, and what the legal basis/purpose of your processing is. This can refer out to an Appendix to the agreement if necessary, so you can go into more detail.
  • Provider’s Obligations – Lay out what the Provider (either you, or your vendor) obligations are – including WHAT the provider is using the data for, what they are to do if there is a deletion request, what to do in case there is a breach, and any additional requirements.
  • Provider’s Employees and Independent Contractors – In this section, clearly lay out that the responsibilities laid out in the DPA forward to the Provider’s employees and independent contractors.
  • Security – In this section, lay out the security requirements Providers have in place – including technical, administrative, and physical security.
  • Security Breaches and Personal Information Loss – specifically lay out the requirements of the Provider of notifying of any security breaches, and remediation steps that must be taken in notification – including requirements of gaining access to relevant data.
  • Cross-Border Transfers of Personal Data – many countries require additional safeguards in place for transfers of personal data out of their borders. This section should lay out what those additional safeguards are, including references to additional documents such as the EU Standard Contractual Clauses (required by companies that handle EU data).
  • Subcontractors and Vendors – this is a big one, where you lay out how the Provider may only authorize a third party subcontractor or vendor to process personal data if they’ve essentially entered into DPA’s as well.
  • Data Subject Rights – many data privacy laws have laid out strict rights that data subjects have, and how you should respond in case there is a request. This section lays out those requirements, and what is expected of the Provider if a data subject request comes through.
  • Term and Termination – how long does this agreement last? It should generally expire when the underlying agreement expires, and according to any applicable data privacy regulation.
  • Data Return and Destruction – Carve out how a Customer can request that a Provider returns or destroys their data after the completion of the term o the agreement, or upon request and in accordance with applicable data privacy laws.
  • Records – In accordance with applicable data privacy laws and regulations, Providers should keep detailed and up-to-date records of the processing of personal data.
  • Audit – Controllers like to reserve the right to audit Processors to ensure that they are indeed following the requirements of the DPA, and this section lays out those specifics. These audits can be done by third parties, and in accordance with known standards such as SSAE 16 SOC 2, or ISO 27001.
  • Appendices – The appendices to the DPA generally include information around Processing Information, Processing Purpose, and Details, as well as the text of the Standard Contractual Clauses.

Let us Help

This post is just a high level overview of the what should be in a Data Processing Agreement. These agreements are negotiated and signed with almost every enterprise deal, and you should have proper guidance around navigating these and what they mean.

There are many more nuances and specifics around this type of arrangement, and you should have an experienced attorney help you through drafting the right one to make sure you and your customers are protected.

Kader Law can help you draft, edit, or negotiate your Data Processing Agreement. If you’re interested, feel free to contact us.

This post is not legal advice, and does not establish any attorney client privilege between Law Office of K.S. Kader, PLLC and you, the reader.