Tags: Data Processing Agreement · Privacy Compliance · SaaS Contracts

Data Processing Agreement Guide (2026): What SaaS Vendors and Customers Should Review

Data processing agreements should define roles, security measures, subprocessors, international transfers, and incident obligations. This guide explai

3/25/2026 · 9 min read

Key Takeaways:

  • What a Data Processing Agreement Is and When You Need One
  • GDPR Article 28 Requirements and Standard Contractual Clauses
  • Key Provisions: Security, Subprocessors, and Data Subject Rights
  • How DPAs Work Under CCPA, HIPAA, and Other Frameworks
  • Practical Guide to Negotiating and Managing DPAs

The data processing agreement (DPA) has become one of the most important contracts in the modern business landscape. Any time a company shares personal data with a third party — whether that's a cloud hosting provider, email marketing platform, payroll processor, analytics tool, or CRM system — a DPA should govern how that data is handled, protected, and eventually deleted.

The legal mandate for DPAs originates primarily from the EU's General Data Protection Regulation (GDPR), which requires data controllers to enter into a binding contract with every data processor that handles personal data of EU residents (Article 28). But the DPA has expanded beyond GDPR compliance — the California Consumer Privacy Act (CCPA), Brazil's LGPD, Canada's PIPEDA, and numerous other privacy frameworks have similar requirements.

The financial stakes are enormous. GDPR enforcement actions exceeded €4.5 billion in total fines by the end of 2025, with multiple fines exceeding €100 million for a single violation. But beyond fines, inadequate DPAs create practical risks: data breaches without clear response obligations, vendor lock-in without data portability guarantees, and regulatory investigations without documented compliance evidence.

This guide explains what a DPA must contain, how the requirements differ across major privacy frameworks, what provisions are most commonly negotiated, and how to build a DPA management process that scales with your vendor ecosystem.

When You Need a Data Processing Agreement

Not every vendor relationship requires a DPA. The key question is whether the vendor processes personal data on your behalf.

Key Definitions

  • Data controller: The entity that determines the purposes and means of processing personal data — this is typically you (the company that collects data from customers, employees, or users)
  • Data processor: The entity that processes personal data on behalf of the controller — this is typically your vendor (cloud provider, SaaS platform, marketing tool, payroll service)
  • Sub-processor: A third party engaged by your processor to help perform processing — for example, your cloud CRM's database hosting provider
  • Personal data: Any information relating to an identified or identifiable natural person — names, email addresses, IP addresses, cookie identifiers, location data, health information, financial data, and much more

Common Scenarios Requiring a DPA

  • Cloud hosting and infrastructure: AWS, Azure, GCP — they process data you store on their platforms
  • SaaS applications: CRM systems, email marketing platforms, project management tools, HR software
  • Payment processing: Stripe, PayPal, Square — they handle customer financial data
  • Analytics and advertising: Google Analytics, Facebook Pixel, advertising networks that receive user data
  • Outsourced services: Payroll processing, customer support BPOs, data entry services
  • AI and ML services: Tools that process your data to provide insights, recommendations, or automation

When a DPA Is Not Needed

  • Joint controllers: When both parties independently determine the purposes and means of processing, you need a joint controller agreement, not a DPA
  • Controller-to-controller transfers: When you share data with another entity that processes it for their own purposes (e.g., business partners, co-marketers), a data sharing agreement is more appropriate
  • Aggregated/anonymized data: If data has been properly anonymized so that it can no longer identify individuals, privacy law generally doesn't apply

Required DPA Provisions Under GDPR

GDPR Article 28 specifies the minimum content requirements for a DPA. Here's what must be included:

Subject Matter and Duration

  • Description of the processing: What categories of personal data are processed, what types of data subjects are involved (customers, employees, website visitors), and what processing activities are performed (storage, analysis, communication, etc.)
  • Duration: How long the processing will continue — typically tied to the underlying service agreement

Processor Obligations

The DPA must require the processor to:

  • Process only on documented instructions: The processor can only process personal data as instructed by the controller — not for their own purposes. Any processing outside the controller's instructions (including for training AI models, improving services, or marketing) must be explicitly authorized
  • Confidentiality: Ensure that all personnel authorized to process personal data are bound by appropriate confidentiality obligations
  • Security measures: Implement appropriate technical and organizational measures to protect personal data, including:
    • Encryption of data in transit and at rest
    • Access controls and authentication
    • Regular security testing and vulnerability assessments
    • Incident response procedures
    • Business continuity and disaster recovery
    • Employee training on data protection
  • Sub-processor management: Only engage sub-processors with the controller's prior written authorization (specific or general), and impose the same data protection obligations on sub-processors through a written contract
  • Data subject rights: Assist the controller in responding to data subject requests (access, rectification, deletion, portability, objection, restriction of processing)
  • Breach notification: Notify the controller without undue delay (GDPR specifies this; practically, 24-48 hours is the expected timeframe) after becoming aware of a personal data breach
  • Data Protection Impact Assessments (DPIAs): Assist the controller in conducting DPIAs when processing is likely to result in high risk to individuals
  • Audit rights: Allow the controller (or an independent auditor) to conduct audits and inspections to verify compliance with the DPA
  • Data deletion/return: Upon termination of the processing relationship, delete or return all personal data and certify that no copies remain (unless retention is required by law)

International Data Transfers

If the processor transfers personal data outside the European Economic Area (EEA), one of the following transfer mechanisms must be in place:

  • Standard Contractual Clauses (SCCs): The EU-approved template clauses that provide adequate safeguards for international transfers — the most commonly used mechanism
  • Adequacy decisions: Transfers to countries the EU has determined provide adequate protection (UK, Japan, South Korea, etc.)
  • Supplementary measures: Following the Schrems II decision, additional technical, contractual, and organizational measures may be required depending on the destination country's surveillance laws

DPAs Under Other Privacy Frameworks

CCPA/CPRA (California)

The California Consumer Privacy Act (as amended by CPRA) requires contracts with "service providers" and "contractors" that process personal information:

  • The contract must restrict the business purpose for which personal information is processed
  • The service provider cannot sell or share personal information
  • The service provider must comply with CCPA obligations and allow audits
  • The service provider must notify the business of any sub-contractor engagement
  • Consumer rights (access, deletion, opt-out) must be supported

HIPAA (Healthcare)

For entities handling protected health information (PHI), a Business Associate Agreement (BAA) serves a similar function to a DPA:

  • The business associate can only use PHI for specified purposes
  • Appropriate safeguards (administrative, physical, technical) must be implemented
  • Breach notification within 60 days (but practically expected much sooner)
  • PHI must be returned or destroyed upon termination
  • The business associate must make records available to HHS for compliance investigations

LGPD (Brazil)

Brazil's data protection law mirrors GDPR in many respects:

  • Processing agreements between controllers and operators are required
  • The agreement must address security measures, processing instructions, and data subject rights
  • International transfer mechanisms must be in place for cross-border data flows
  • The ANPD (Brazilian Data Protection Authority) has issued specific guidance on contractual requirements

Cross-Framework DPA Strategy

Companies operating globally often need DPAs that satisfy multiple frameworks simultaneously. The most efficient approach:

  1. Use GDPR Article 28 as the baseline (it's the most comprehensive)
  2. Add CCPA-specific provisions (service provider restrictions, consumer rights support)
  3. Include HIPAA-specific terms if PHI is involved
  4. Append EU Standard Contractual Clauses for international transfers
  5. Add jurisdiction-specific schedules for other applicable laws

This modular approach avoids maintaining separate DPA templates for each jurisdiction while ensuring comprehensive compliance.

Negotiation, Execution, and Lifecycle Management

Common Negotiation Points

DPA negotiations between controllers and processors typically focus on:

  • Breach notification timeline: Controllers want 24 hours; processors may push for 48-72 hours or "without undue delay." Negotiate a specific timeframe
  • Sub-processor control: Controllers prefer prior specific consent (approval of each sub-processor); processors prefer general authorization with notice. A common compromise is general authorization with a right to object within 30 days of notification
  • Audit frequency and cost: Unlimited audit rights are impractical; negotiate reasonable limits (e.g., one audit per year, with 30 days' notice) and agree on who bears the cost
  • Liability caps: Processors often try to limit their liability to 12 months of fees; controllers may push for higher caps or uncapped liability for data protection breaches. This is often the hardest-fought provision
  • Data deletion timeline: How quickly the processor will delete data after the relationship ends — 30-90 days is standard
  • Security measures: Whether the processor commits to specific, verifiable measures (named encryption standards, SOC 2 certification) or only to "appropriate" measures, which is too vague to enforce or audit against

DPA Lifecycle Management

With the average company engaging thousands of vendors, DPA management at scale requires:

  • Vendor data mapping: Understanding which vendors process personal data, what categories of data they access, and what processing activities they perform
  • DPA inventory: Maintaining a register of all executed DPAs, their key terms, and renewal/review dates
  • Sub-processor monitoring: Tracking processor notifications about sub-processor changes and exercising objection rights when appropriate
  • Annual review: Reviewing DPAs alongside changing privacy laws, new processing activities, and vendor risk assessments
  • Incident coordination: When a breach occurs, knowing immediately which DPA governs the relationship and what the notification requirements are

Electronic DPA Management

DPA execution and management is a perfect use case for electronic signature and document management:

  • Template library: Maintain pre-approved DPA templates for different vendor categories and risk levels
  • Negotiation tracking: Track redlined versions and negotiation history
  • Counter-signature workflows: Route DPAs through internal legal review before sending to the vendor for execution
  • Expiration management: Automated alerts for DPA renewals, SCC updates, and compliance certification expirations
  • Secure storage: All executed DPAs stored with audit trails in a single searchable repository

ZiaSign provides the document execution and management infrastructure that modern privacy compliance requires — from template creation through multi-party signature, amendment tracking, and secure archival.
