What is a Data Processing Agreement?

A DPA is a contract between a data controller and a processor that sets out how the processor may handle personal data on the controller's behalf. Under GDPR Article 28, such an agreement is mandatory whenever one party processes personal data for another.

Who is the controller and who is the processor?

The controller decides why and how personal data is processed; the processor acts only on the controller's documented instructions. A SaaS vendor handling its customers' user data is typically the processor, and the customer is the controller.

What is a sub-processor and why does it matter?

A sub-processor is a third party the processor engages to help deliver the service, such as a hosting or email provider. GDPR requires the processor to inform the controller of sub-processors and impose equivalent data-protection obligations on them.

Does a DPA cover international data transfers?

It should reference a lawful transfer mechanism — such as Standard Contractual Clauses or an adequacy decision — whenever personal data leaves the originating region. The outline flags this so you do not overlook cross-border transfer safeguards.

Is this outline enough on its own?

No. It is a structured starting point that names the clauses an Article 28 DPA needs. Data-protection law is nuanced and jurisdiction-specific, so a qualified privacy lawyer must review and complete it before you rely on it.

Data Processing Agreement (DPA) Outline Builder

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

A DPA outline that names every Article 28 clause

When one company processes personal data for another, GDPR Article 28 requires a written Data Processing Agreement. Drafting one from scratch is easy to get wrong because it has many mandatory parts — instructions, confidentiality, security, sub-processors, data-subject rights, breach notification, and deletion. This builder produces a complete outline so nothing is missed before a lawyer finalises it.

How it works

You enter the controller and processor names, the governing jurisdiction, the categories of personal data, the data-subject types, and the purposes of processing, then choose your sub-processor stance and security measures. The tool assembles a numbered Markdown DPA outline mapped to Article 28 requirements: definitions, scope and roles, processor obligations and documented instructions, confidentiality, security measures, sub-processing, data-subject rights assistance, breach notification, international transfers, audit rights, and return or deletion of data on termination. Your inputs are merged into the relevant clauses.

Tips and example

Be specific about data categories — name, email, IP address, usage logs — rather than a vague “user data”, since the law expects precision.
List your actual sub-processors (e.g. hosting, email, analytics providers) so the controller can object to changes.
If data leaves its origin region, reference a transfer mechanism such as Standard Contractual Clauses.
This is a template outline, not legal advice — have a qualified privacy lawyer review it before signing.