Data Processing Agreement (DPA)
Clearly define data handling responsibilities to ensure compliance with this Data Processing Agreement Template.
Data Processing Agreement (DPA)
This Data Processing Agreement ("Agreement") is entered into on [Date], by and between:
Controller (Company): [Company Name]
Address: [Company Address]
Website: [Website URL]
and
Processor (Service Provider): [Processor Name / Company Name]
Address: [Processor Address]
1. Purpose
This Agreement governs the processing of personal data by the Processor on behalf of the Controller in connection with the services provided under the main agreement between the Parties ("Main Agreement").
2. Definitions
"Personal Data": Any information relating to an identified or identifiable natural person.
"Processing": Any operation or set of operations performed on personal data (e.g., collection, storage, access, deletion).
"Applicable Law": All relevant data protection laws, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR").
3. Scope and Duration
The Processor shall process Personal Data only as necessary to perform services under the Main Agreement and for the duration of that agreement unless otherwise required by law.
4. Nature and Purpose of Processing
Subject matter: [e.g., User data, client data, HR records]
Categories of data subjects: [e.g., Website users, employees, customers]
Types of personal data: [e.g., Name, email, IP address, purchase history]
5. Processor Obligations
The Processor agrees to:
Process Personal Data only on documented instructions from the Controller
Ensure confidentiality of personnel involved
Implement appropriate technical and organizational security measures
Assist the Controller in responding to data subject requests
Notify the Controller of any data breach without undue delay
Provide records and audits upon request
6. Sub-processors
The Processor shall not engage sub-processors without prior written authorization from the Controller. A current list of authorized sub-processors shall be maintained and made available upon request.
7. Data Transfers
The Processor shall not transfer Personal Data outside the EEA/UK unless such transfer is in compliance with Applicable Law and subject to appropriate safeguards (e.g., SCCs, adequacy decisions).
8. Return or Deletion of Data
Upon termination of the Main Agreement, the Processor shall, at the choice of the Controller, delete or return all Personal Data unless legal obligations require retention.
9. Liability and Indemnification
Each party shall be liable for breaches of this Agreement and shall indemnify the other party against claims resulting from non-compliance.
10. Governing Law
This Agreement shall be governed by the laws of [State/Country], and any disputes shall be resolved in the competent courts of that jurisdiction.
IN WITNESS WHEREOF, the Parties have executed this Data Processing Agreement as of the date first written above.
Controller (Company)
Name:
Title:
Date:
Processor (Service Provider)
Name:
Title:
Date:
DATA PROCESSING AGREEMENT (DPA) FAQ
What is a Data Processing Agreement (DPA)?
A Data Processing Agreement (DPA) is a legally binding contract between a data controller and a data processor that sets out how personal data will be collected, stored, processed, and protected. It ensures that all handling of personal information complies with applicable privacy regulations.
Why do you need a DPA?
A DPA is required under GDPR and many other privacy laws when one organization processes personal data on behalf of another. It clearly defines the responsibilities of each party, establishes safeguards for data protection, and ensures legal compliance to avoid fines or enforcement actions.
When should you use a DPA?
You should use a DPA whenever your company processes personal data for another organization—whether as part of providing services, managing cloud infrastructure, or handling customer information. This applies to both domestic and international data transfers.
How to write a DPA?
Clearly outline the nature and purpose of the data processing, the types of personal data involved, security measures to be implemented, the obligations of each party, applicable compliance standards, and consequences for breaches. Ensure the agreement is tailored to the specific services and legal requirements relevant to your industry.