Any time a business shares personal data with a vendor — a cloud storage provider, a marketing platform, a payroll processor — a data processing agreement should typically govern that relationship, yet many businesses operate without one.

Why DPAs Matter

A data processing agreement (DPA) is a contract between a data controller (the business that determines why and how data is used) and a data processor (a vendor that processes that data on the controller's behalf), clarifying each party's responsibilities and liability.

Several privacy laws, including GDPR and a growing number of U.S. state laws, specifically require these agreements to be in place before personal data is shared with a service provider.

Key Provisions a DPA Should Include

A solid DPA specifies exactly what data the processor can access, what it can be used for, security requirements the processor must maintain, breach notification obligations, and what happens to the data when the relationship ends.

It should also address whether and how the processor can use subprocessors, and require the same data protection obligations to flow down to any subprocessor they engage.

Common Gaps in Vendor Relationships

Businesses often sign a vendor's standard terms of service without realizing those terms don't include adequate data processing provisions, or without confirming the vendor's own security and compliance practices.

Reviewing existing vendor relationships to identify which ones involve personal data, and ensuring a proper DPA is in place for each, is a common and often overdue compliance exercise.

Frequently Asked Questions

Do I need a DPA with every vendor I use?

Only vendors that process personal data on your behalf — but this covers a broad range of common services, from email marketing platforms to cloud storage providers.

Is a vendor's standard terms of service enough instead of a separate DPA?

It depends on what those terms actually include — many standard terms lack the specific provisions required by privacy law, so review is important rather than assuming they're sufficient.

Data processing agreements are a foundational but often overlooked compliance document. An attorney can help you review vendor relationships and put proper agreements in place.

Was this guide helpful?

Explore more topics or get in touch with a question.

Contact us →