When two businesses collaborate to process personal data, accountability is what prevents regulatory friction. A Data Processing Agreement (DPA) is a mandatory contract that ensures both parties remain compliant and protected under global privacy laws like the GDPR and CCPA. But what exactly should your DPA include? This guide breaks down the DPA essential clauses that protect your business and your users.
- Parties involved: Identify the data controller and processor, like naming who owns the data and who handles it.
- Definitions of key terms: Clarify important terms (e.g., personal data, breach) so there’s no room for confusion later.
- Purpose of data processing: Explain why the data is being processed.
- Types of personal data: Specify what data is handled, like names or IP addresses.
- Categories of data subjects: Define whose data is involved, such as customers, employees, or website visitors.
- Duration of processing: State how long the processor can use or store the data.
- Processor obligations: Set rules for the processor, including following instructions, ensuring confidentiality, and not misusing data.
- Controller obligations and rights: Outline what the controller must do and the control they retain over the data.
- Security measures: Describe how data is protected, like encryption, access controls, or regular testing.
- Data subject rights handling: Ensure the processor supports requests like access, correction, or deletion.
- Breach notification requirements: Define how and when the processor must report data breaches.
- Audit and inspection rights: Allow the controller to verify compliance through audits or reports.
- Subprocessor terms: Clarify if third parties can be involved and ensure they follow the same rules.
- Data transfer rules: Set conditions for transferring data across borders, especially outside regulated regions.
- Data deletion or return: Explain what happens to the data when the agreement ends.
What is a Data Processing Agreement (DPA)?
A Data Processing Agreement (DPA), also known as a Data Processing Addendum, is a legally binding contract that defines the terms under which a third-party (processor/contractor/service provider) handles personal data on behalf of a business (controller). Whether you’re using a cloud service or an analytics tool, a DPA ensures that data processing remains within the bounds of global privacy laws like the GDPR and CCPA.
The DPA provides clarity on the nature and categories of data processed, purposes of processing, responsibilities of the controller and processors, sub-processing, audit rights, breach notifications, deletion and transfer of the data, data subject rights and more.
It guarantees that the data processor implements sufficient data protection measures while handling the personal data handed over by the controller and that it complies with the applicable laws.
A Data Processing Agreement is an essential component of compliance with several privacy laws, such as the California CCPA, EU GDPR, UK GDPR, and the UK Data Protection Act 2018 (DPA).
In summary, it establishes a clear and mutual understanding between both parties about what is and is not allowed in terms of personal data processing, eliminating any confusion.
Importance of a Data Processing Agreement
A DPA between a data controller and a processor is crucial for lawful data processing, and here is why.
Legal requirement
The European Union’s privacy law, the General Data Protection Regulation (GDPR), requires businesses to have a Data Processing Agreement (DPA). Think of it as a rulebook that keeps data handling clear, controlled, and compliant.
GDPR also stipulates some essential elements that the contract should discuss, including a confirmation that personal data will only be processed as per the controller’s instructions, security implementation, and demonstration of compliance.
Other privacy laws, such as Brazil's LGPD and US state laws like the California Consumer Privacy Act (CCPA), the Colorado Privacy Act, and the Virginia Consumer Data Protection Act, impose similar contractual obligations.
Risk management
The DPA clearly outlines the rights and responsibilities of each party involved in the agreement. This clarity helps to avoid confusion, manage risks effectively, and places a strong obligation on processors to safeguard personal data against unauthorised access and misuse.
Accountability
By having signed a detailed DPA, organisations prove that they have taken sufficient measures to regulate the processing activities of service providers or other data processors. This ensures that the processing of personal data is carried out in a responsible manner.
Operational control
The Data Processing Agreement (DPA) maintains oversight of data handling, even when it is delegated to a service provider. It clearly outlines the responsibilities and rights of both parties, sets limits on data retention and processing, and mandates the implementation of necessary technical and organisational measures to safeguard the data.
Avoid fines
The absence of a DPA between the controller and processor can cause a huge financial loss for businesses, since the GDPR requires one. The fines can be as high as 20 million Euros or 4% of your global turnover in the previous year. CCPA fines can reach up to $7500 per incident.
Essential clauses for your Data Processing Agreement (with examples)
A robust DPA contains specific clauses to regulate processing by third parties and minimise risks associated with it. Though you can customise your agreement according to your needs, try not to miss the ones given below.
#1 Introduction and definitions
An introduction frames any document, and a DPA is no exception. Lawyers typically call it a preamble, but let us keep it simple. The introduction clause of your DPA names the parties bound by the agreement, as in this example from Flank AI.
The definition clause serves as the foundation for clarifying the meaning of key terms used throughout the DPA. The definitions most often align with the GDPR standards.
Here are some of the commonly defined terms found in a Data Processing Agreement:
- DPA
- GDPR
- CCPA
- Personal data
- Data subject
- Personal data breach
- Standard Contractual Clauses
- Subprocessor
- Security
Note that the components of your definition clause depend on your DPA's content. The best approach is to define any specific term that may be unfamiliar, confusing, or open to more than one interpretation.
LinkedIn defines some common terms while also explaining separately what it means by personal data and customer personal data in the DPA. This clarifies what it means when these terms are used in the agreement.
#2 General information / Data processing details
Several topics can come under this category and can be given as separate clauses or as subclauses.
The general information commonly includes the details of the data processing activities.
- Purposes of processing
- Subject matter/nature/types of data processed
- Scope of the agreement
- Duration of processing
- Categories of data subjects
Each of these points is broken down below for a closer look.
#2.1 Purpose clause
This section covers the nature of the processing and why there is a need to process personal data. For example, the purpose may be to use a processor's service for payroll processing, payment transactions, or email services.
#2.2 Subject matter clause
Include the categories of personal data that the service provider collects from the controller. The example below from Infosys DPA contains specific details rather than a general description.
#2.3 Duration clause
How long will the data remain in the processor’s hands? This clause defines the lifecycle of the processing activities. It doesn’t always need a specific date; it can be tied to the duration of the Principal Agreement (e.g., your Terms of Service) or until the data is no longer necessary for the specified service.


#2.4 Data subject category
This section specifies whose personal data is getting collected, stored and processed under the Data Processing Agreement as in this example from Flank AI’s DPA.

#3 Obligations of the processors
You can use this section to bind data processors to comply with data protection obligations.
Important points to add here include restricting the processor from processing data without documented instructions from the data controller and requiring it to comply with the applicable data protection laws.
Here are a few more important points.
- The processor shall report any breaches without undue delay and make the necessary efforts to contain the breach
- They must also comply with GDPR provisions such as providing reasonable assistance during Data Protection Impact Assessments or consultations with the supervisory authority
- The processor, employees and other individuals working for the processor should have a duty of confidentiality
- There should be a contact person from the processor’s side for the controller to communicate with
- The processor must fulfil any correction or deletion requests by the controller
- All personal data processed on behalf of the controller must be deleted upon the termination of the agreement or at the controller’s request
- The processor should implement appropriate data security measures
- Any personal data given to the processor shall only be used for the specified purpose
- Processors cannot retain, sell or share the personal data provided under this agreement without authorisation from the controller
Note: The breach notification and deletion requirements can be given as separate clauses in a DPA.
#4 Obligations and rights of the controller
This section should clearly set out the obligations of the data controller and the rights reserved to it. Even though a DPA primarily governs data processors, the controller's obligations are equally relevant.
Here are a few points to consider.
- The controller complies with all data protection laws applicable to them
- Instructions from the controller comply with the legal requirements
- The controller is authorised to allow the processors to perform their obligations and exercise their rights
- Any additional instructions or changes to the DPA would require a separate and prior written agreement
- The controller has implemented adequate, necessary and reasonable data security measures such as encryption, access controls and pseudonymisation
- Any irregularities or incorrect personal data will be promptly communicated to the processor
#5 Technical and organisational security measures
The security obligations of the processor can also be given as a separate clause in the Data Processing Agreement.
#6 Data subject requests
This section clarifies the data processor's duty to cooperate with a data subject's direct request, or with the controller's request, to exercise GDPR rights such as the right to know, access, rectification, deletion, portability, objection or restriction. See this example from our DPA.
#7 Audit rights
This clause reserves the controller's right to conduct audits and to receive evidence demonstrating the processor's compliance. The processor is allowed to set reasonable limitations on the audit, such as confidentiality duties or time restrictions.
This example from Flank AI lays down that inspections and audits should be carried out during working hours and after giving prior notice to the processor. Moreover, if the controller decides to appoint an auditor who is a competitor of the processor, the processor can object to that auditor.
#8 Subprocessors
This is another important clause in a DPA that acknowledges whether or not a subprocessor can be appointed. It also specifies that all subprocessors will have the same responsibilities as those of the processor including the implementation of security measures.
#9 Data transfer
Specify in your DPA that data transfers outside the EU or the European Economic Area (EEA) member states must be based on an adequacy decision or on standard contractual clauses (SCCs) agreed between the data exporter and the data importer.
This ensures that the customer’s data will be properly secured even if transferred to third countries.
#10 Deletion or return
This clause sets out what happens to the controller's personal data after the expiration or termination of the DPA.
This example clearly states that the processor will store only the necessary data and specifies when it will return or delete the data at the customer's request or upon termination of the DPA.
Recommendations for implementing a robust Data Processing Agreement
Here are some important points to consider when drafting a Data Processing Agreement (DPA):
Use the DPA templates wisely
When using a DPA template, make sure to address the specific needs of your business and the nature of its relationships with the involved parties.
Instead of relying on a generic template, consider adding elements that reflect your unique circumstances. For instance, many templates might lack a section for instructions relevant to joint controllers—something that could be crucial for your situation. If that is the case, make sure to include it in your DPA or choose a template that already has provisions for joint controllers.
Provide accurate instructions
Prioritise clear documentation of the instructions and agreements in the DPA so that all parties share the same understanding without any confusion.
Review and update
Don’t consider the job done once you have written and signed a DPA. You also need to review and make necessary amendments that account for new regulations, technological advancements and subprocessor changes.
Monitor compliance
Two things are irreplaceable when engaging a processor. The first is to choose compliant processors and the second is to monitor and conduct inspections to confirm that they handle personal data responsibly and within the privacy framework.
Signing a DPA as a controller
Signing a Data Processing Agreement (DPA) defines how a processor handles your data. It sets legal boundaries, assigns responsibility, and preserves your control. Start with clarity on processing: before signing, read the DPA carefully. Verify what data is used, why it is needed, and how long it will be processed. This keeps the relationship focused and avoids misuse.
Next, review how the data is protected. Look for clear security measures such as encryption and restricted access. Also, look at how visibility and control are set. You should be able to check compliance through audits or reports. The processor should follow your instructions, not make independent decisions about your data.
If the processor uses others to help, check the subprocessor terms. You should know who they are and ensure they follow the same standards. This ensures that your data does not move through unknown or unchecked parties. Also, pay attention to data transfers. If data is sent across borders, the DPA should include safeguards to keep it protected.
Finally, confirm what happens when the agreement ends. Your data should be returned or deleted securely. There should be no uncertainty here.
Negotiation of DPA terms
A DPA is often presented as a standard document, but it is still open to discussion. Small changes can make a meaningful difference. If something feels unclear, ask for clarification. If a clause feels too broad, request more specific wording. For example, instead of general promises about security, you can ask for a brief description of actual measures in place.
You can also review timelines, such as how quickly a breach will be reported, or how subprocessors are approved. These are practical details that shape how the agreement works in real life.
Think of negotiation as refinement, not resistance. The goal is simple: make sure the agreement reflects how data should be handled in practice, not just in theory.
Examples of DPAs
CookieYes’s Data Protection Agreement
As a consent management platform, CookieYes’s DPA covers a wide regulatory scope in one place — EU GDPR, UK GDPR, Swiss FDPA, and CCPA. The processor obligations clause explicitly prohibits selling or commercially exploiting personal data. It specifies the security measures that include AES-256 encryption, TLS, and annual third-party penetration testing. It also clearly mentions that the breach notification is within 72 hours, and the deletion clause specifies that all data must be cleared within 60 days of termination, with backups following within one year.
HubSpot’s Data Processing Agreement
HubSpot’s DPA is notable for how accessible it is — the language is clear enough for businesses without a dedicated legal team. Their breach notification clause commits to a 72-hour window, matching GDPR’s own requirement. It also clarifies when HubSpot acts as a processor versus a controller. Both GDPR and CCPA obligations are addressed within the same document, and sub-processor changes come with 30 days’ advance notice.
LinkedIn’s Data Processing Agreement
LinkedIn’s DPA is a solid example of how a large platform handles the essentials. Their definitions clause stands out with the separate definition of “personal data” and “customer personal data,” removing any room for misinterpretation. They clearly establish the controller-processor relationship and maintain a publicly accessible sub-processor list, which handles the sub-processor clause transparently. Security obligations, breach notification, and data deletion are all covered. That said, LinkedIn’s 2024 €310 million fine for misusing personal data for advertising is a reminder that even a well-drafted DPA means little if other privacy requirements are not fulfilled.
FAQ on Data Processing Agreement
The GDPR requires all data controllers to establish a Data Processing Agreement with their data processors. This is to guarantee that they handle personal data with appropriate care and sufficient safeguards to maintain its confidentiality.
A DPA contains written instructions that the processor should follow while processing personal data. It specifies the obligations of all parties involved in the processing, security requirements, data transfer rules, inspection rights of the controller, and related information.
Yes. Under the CCPA (and as amended by the CPRA), businesses must have written contracts with service providers and contractors. These agreements must explicitly prohibit the ‘sale’ or ‘sharing’ of personal information and restrict its use to specific business purposes. For businesses handling Californian data, this is as critical as GDPR compliance.
Both the data controller and processor should sign the DPA to make it legally binding.