What Should Be in a Data Processing Agreement

In today's digital age, companies are increasingly relying on third-party vendors to process, handle and store their data. While outsourcing data processing can bring many benefits, including cost savings and specialized expertise, it also carries significant risks. To mitigate these risks, companies need to enter into a data processing agreement (DPA) with their vendors. A DPA is a legally binding document that outlines the terms and conditions under which the vendor will process the company's data. In this article, we'll explore what should be included in a DPA.

1. Data Processing Purpose

The DPA should clearly define the purpose for which the vendor is processing the company's data. The vendor should only be allowed to process the data for the specific purposes set out in the agreement. The purpose should be limited to what is necessary to achieve the business objectives of the company.

2. Data Security Measures

Data security is a critical concern when outsourcing data processing. Vendors must implement appropriate organizational and technical measures to protect the confidentiality, integrity, and availability of the company's data. The DPA should describe the measures that the vendor will take to ensure data security, including the use of encryption, access controls, and regular security testing.

3. Data Breach Notification Requirements

Even with the best data security measures in place, data breaches can still occur. The DPA should include provisions that require the vendor to notify the company in the event of a data breach. The notification should describe the nature of the breach, the types of data affected, and the steps the vendor is taking to mitigate the breach.

4. Subcontracting

Vendors may sometimes subcontract their processing to a third party. The DPA should require the vendor to obtain the company's prior written consent before subcontracting any processing. The subcontractor should be subject to the same data protection requirements as the vendor.

5. Data Retention

The DPA should specify the data retention period, after which the vendor must delete or return all of the company's data. The retention period should be based on the purpose for which the data was collected and any legal or regulatory requirements.

6. Data Subject Rights

The DPA should set out the data subject rights that the company's customers or employees have under applicable data protection laws. The vendor should be required to respond to data subject requests, including requests for access, rectification, erasure, or portability of their data.

7. Governing Law and Jurisdiction

The DPA should specify the governing law and jurisdiction in the event of a dispute between the company and the vendor. This is important because data protection laws may vary from country to country, and there may be different legal requirements in each jurisdiction.


A well-drafted DPA is essential for managing the risks associated with outsourcing data processing. Companies should work with experienced legal and technical professionals to ensure that all key issues are addressed in the agreement. By including the elements discussed above, companies can ensure that their data is processed in a safe, secure, and compliant manner.