A Vendor Just Asked for Our DPA
A customer or vendor has just asked you to sign a Data Processing Agreement, often abbreviated DPA. You may not have one ready, or you may have one but they want changes, or they sent theirs and you do not know what to push back on.
This page is the practical playbook for handling DPA requests fast and well.
What a DPA actually is
A Data Processing Agreement is a contract required under GDPR Article 28 between a controller and a processor (or between a processor and a sub-processor). It governs how personal data is processed in the relationship.
Article 28(3) requires the DPA to address:
The subject matter, duration, nature, and purpose of the processing
The type of personal data and categories of data subjects
The obligations and rights of the controller
The processor's commitments on confidentiality, security, sub-processors, data subject rights assistance, processor support for controller obligations, return or deletion of data, and audit cooperation
Some jurisdictions and regulatory frameworks add their own DPA-equivalent requirements. CCPA requires service provider contracts. HIPAA requires Business Associate Agreements. UK GDPR has its own variant.
Are you the controller or the processor?
The first question is whether you are the controller or the processor in this relationship.
Controller. You determine the purposes and means of processing. If you collected the data and are using it for your own purposes, you are typically the controller.
Processor. You process personal data on behalf of a controller, following their instructions. SaaS vendors are typically processors for their customers' data, even though they may be controllers for other data.
Joint controller. Two parties jointly determine purposes and means. Less common but real (often in advertising and analytics contexts).
The DPA terms differ based on which role you are in. A processor signing as processor accepts certain obligations. A controller signing as controller accepts different obligations.
What to do when a customer sends you their DPA
If you are the processor and a customer has sent you their DPA:
Read the whole document. Most DPAs follow a similar pattern but variations matter. Look for unusual terms in sections on liability, sub-processors, audit, data return, and breach notification.
Identify problematic clauses. Common issues:
Unlimited audit rights. Customers sometimes demand the right to audit the processor at any time. Counter with reasonable audit frequency (typically annual or in response to specific incidents) and reasonable scope.
Aggressive sub-processor approval. Customers sometimes demand prior written approval for every sub-processor change. Counter with a notice-and-objection model (30 days' notice, the customer can object, and you can decline to serve that customer if they reject sub-processors you need).
Unreasonable breach notification timing. Customers sometimes demand notification within 24 hours of any incident. Counter with notification without undue delay, consistent with GDPR Article 33.
Broad indemnification. Customers sometimes demand indemnification for any privacy issue. Counter with indemnification tied to your processor obligations specifically, capped at reasonable amounts.
Unrealistic data return timing. Customers sometimes demand data return within 24 hours of contract termination. Counter with reasonable timing (typically 30 days) and clear data destruction obligations after that.
Decide what to push back on. Not every customer DPA term is worth fighting. Focus on terms that materially affect your operations, your liability, or your ability to serve other customers.
Propose your standard DPA or red-line theirs. The strongest position is having your own DPA template that you propose. The second-strongest is red-lining theirs with rationale for each change.
What to do when a vendor sends you their DPA
If you are the controller and your vendor sent you their DPA:
Verify it covers Article 28 requirements. The vendor's DPA must address the Article 28(3) topics. If it does not, request additions.
Verify sub-processor disclosure. The vendor should disclose their sub-processors or commit to a process for disclosing them.
Verify breach notification commitments. The vendor should commit to notifying you of breaches affecting your data without undue delay, with specific commitments about the information provided.
Verify audit rights. You should have audit rights, either direct or via third-party attestations like SOC 2 reports.
Verify data return and deletion. The vendor should commit to data return or deletion at end of contract, with specific timing.
Identify red flags. Vendors sometimes try to add terms unfavorable to controllers, including limitations on data subject rights assistance, broad processor discretion on sub-processors, or weak breach notification commitments.
When to engage your DPO
Most DPA negotiations can be handled by procurement or legal teams with a DPO providing review and guidance. Engage your DPO directly when:
The customer or vendor is large and the DPA terms will set precedent for future agreements.
The data involved is special category data (health, biometric, financial), increasing the stakes.
The other party is being aggressive on terms in a way that suggests they may not be operating in good faith.
The DPA includes specific terms whose implications you do not understand (Transfer Impact Assessment commitments, model clauses incorporation, jurisdiction-specific carve-outs).
How to be ready
Build a DPA template. Have your own template ready that you propose to customers. This puts you in the strongest negotiation position.
Have a sub-processor list ready. Publish your sub-processor list at a known URL so you can reference it in DPA discussions.
Standardize breach notification commitments. Have a standard breach notification SLA that you commit to consistently.
Document your security measures. Have a security overview document you can attach as a DPA exhibit.
How Engage Compliance helps
DPA review, drafting, and negotiation are a core part of fractional DPO services. We provide:
DPA template drafting for clients without one.
DPA review when customers send theirs, with red-line recommendations.
DPA negotiation support during deal discussions.
Sub-processor list management.
For non-clients with a single stuck DPA negotiation, we engage on a focused project basis.
Get started
If you have a DPA negotiation underway and need help, book a consultation. We can typically engage within a few days.