*Published on 2026-04-01*

# What Is a Data Processing Agreement (DPA)? Complete Guide for 2026
If you use third-party tools to handle customer data — email marketing platforms, cloud hosting, analytics services, payment processors — you probably need a Data Processing Agreement. And no, your Terms of Service don't cover it.
A DPA is the contract that keeps you and your vendors GDPR-compliant when personal data changes hands. Skip it, and you're looking at fines up to €20 million. But here's the thing: most businesses don't even realize they need one.
Let's fix that.
## What Is a Data Processing Agreement (DPA)?
A Data Processing Agreement is a legally binding contract between two parties:
- **Data Controller** — the organization that decides *why* and *how* personal data gets processed (that's usually you)
- **Data Processor** — the third party that processes data *on your behalf* (your email provider, hosting company, analytics tool, etc.)
The DPA spells out exactly what the processor can and can't do with the data. Think of it as a rulebook — written into a contract — that ensures your vendor handles personal data the same way you would.
Under Article 28 of the GDPR, this agreement isn't optional. If you're a controller engaging a processor, you *must* have a DPA in place. No exceptions.
## Who Needs a DPA?
Short answer: almost every business operating online. Here are the most common scenarios:
| Scenario | Controller (You) | Processor (Vendor) | DPA Required? |
|----------|-------------------|---------------------|---------------|
| Email marketing | Your business | Mailchimp, SendGrid | ✅ Yes |
| Cloud hosting | Your business | AWS, Vercel, DigitalOcean | ✅ Yes |
| Analytics tracking | Your business | Google Analytics, Mixpanel | ✅ Yes |
| Payment processing | Your business | Stripe, PayPal | ✅ Yes |
| CRM | Your business | HubSpot, Salesforce | ✅ Yes |
| Customer support | Your business | Zendesk, Intercom | ✅ Yes |
Notice a pattern? If *any* third-party service touches your users' personal data, you need a DPA with that vendor.
**Pro tip:** Most big SaaS companies (Google, Stripe, AWS) already have standard DPAs available. You just need to sign them. Smaller vendors? That's where you'll need to provide your own.
## DPA vs. NDA: What's the Difference?
People confuse these constantly. They're not the same thing.
| | DPA | NDA |
|---|---|---|
| **Purpose** | Governs how personal data is processed | Protects confidential business information |
| **Legal basis** | Required by GDPR (Article 28) | Voluntary contract |
| **Scope** | Personal data of individuals (EU residents) | Trade secrets, business plans, proprietary info |
| **Penalties** | GDPR fines up to €20M or 4% of revenue | Civil damages per contract terms |
| **When needed** | When sharing personal data with a processor | When sharing sensitive business info |
You might need both — but they serve completely different purposes. An NDA doesn't protect you from GDPR enforcement. Only a DPA does.
Need an NDA too? Generate one free with our [NDA Generator](/nda).
## 9 Essential Clauses Every DPA Must Include
Under Article 28(3) of the GDPR, your DPA must contain specific provisions. Miss any of these, and your agreement isn't compliant:
### 1. Subject Matter and Duration
Define *what* data is being processed, *why*, and *for how long*. Be specific — "customer data" is too vague. Say "email addresses and purchase history of EU-based customers for email marketing purposes, for the duration of the service agreement."
### 2. Nature and Purpose of Processing
Describe the specific processing activities. Are they storing data? Analyzing it? Sending emails? The processor should only do what you've explicitly authorized.
### 3. Types of Personal Data
List the exact categories: names, email addresses, IP addresses, payment details, location data, etc. The more specific, the better.
### 4. Categories of Data Subjects
Who does the data belong to? Customers, employees, website visitors, newsletter subscribers? Specify each group.
### 5. Processor Obligations
The processor must:
- Act only on your documented written instructions
- Ensure staff handling data are bound by confidentiality
- Implement appropriate security measures (encryption, access controls, etc.)
- Not engage sub-processors without your prior authorization
- Assist you in responding to data subject requests (access, deletion, portability)
### 6. Sub-Processor Rules
If your processor uses sub-processors (and they almost certainly do — think cloud infrastructure), the DPA must require:
- Your prior written consent before engaging new sub-processors
- The same data protection obligations flow down to sub-processors
- Notification when new sub-processors are added
### 7. Data Breach Notification
The processor must notify you of any personal data breach "without undue delay" — GDPR Article 33 requires you to notify your supervisory authority within 72 hours. Your processor needs to tell you fast enough for you to meet that deadline.
### 8. Audit Rights
You must have the right to audit (or have a third party audit) the processor's compliance. This includes access to facilities, records, and security documentation.
### 9. End-of-Contract Obligations
When the relationship ends, the processor must either:
- Return all personal data to you, or
- Delete all personal data (and prove it)
Your choice. But the DPA needs to specify which.
## International Data Transfers
If your processor operates outside the European Economic Area (EEA), your DPA needs additional safeguards. Since the Schrems II ruling invalidated Privacy Shield, the primary mechanism is **Standard Contractual Clauses (SCCs)**.
Here's what to include:
- **Transfer Impact Assessment** — document the legal framework of the destination country
- **Supplementary measures** — encryption, pseudonymization, access controls
- **SCCs annexed to the DPA** — use the EU Commission's 2021 standard clauses
This applies to major U.S.-based processors like Google, AWS, and Stripe. Most have already incorporated SCCs into their standard DPAs — but verify this before signing.
## How to Create a DPA (Free)
You have three options:
| Method | Cost | Time | Quality |
|--------|------|------|---------|
| **Hire a lawyer** | $500–$2,000+ | Days to weeks | Customized |
| **Paid platforms** (Termly, iubenda) | $15–$50/month | Minutes | Template-based |
| **Free generator** (LegalPolicyGen) | $0 | Under 2 minutes | GDPR-compliant template |
For most small businesses and SaaS companies, a free generator covers the essentials. You can always have a lawyer review it later.
Use our [free DPA Generator](/dpa) to create a GDPR-compliant Data Processing Agreement in under two minutes. No signup required.
## Step-by-Step: Generate Your DPA
1. Open the [DPA Generator](/dpa)
2. Enter your organization name (data controller)
3. Enter the processor's name
4. Select the types of personal data involved
5. Describe the processing purpose
6. Choose applicable regulations (GDPR, CCPA, or both)
7. Click **Generate** — download your ready-to-sign DPA
Then send it to your vendor for signature. For large processors, check their website for their pre-made DPA first — you might just need to countersign.
## Common DPA Mistakes to Avoid
After reviewing hundreds of DPAs, I see these errors most often:
1. **Being too vague about data types.** "User data" isn't specific enough. List exact fields.
2. **Forgetting sub-processor clauses.** Your processor's sub-processors need the same protections.
3. **Ignoring international transfers.** If data crosses borders, you need SCCs.
4. **No breach notification timeline.** Specify hours, not "promptly" or "as soon as possible."
5. **Missing audit rights.** Without them, you can't verify compliance.
6. **Not updating when services change.** Added a new analytics tool? Your DPAs need updating.
## FAQ
**Q: Do I need a DPA for Google Analytics?**
A: Yes. Google processes visitor data on your behalf. Google provides a standard DPA — you need to accept it in your Google Analytics admin settings.
**Q: Is a DPA required under CCPA?**
A: CCPA uses different terminology ("service provider agreement") but the concept is similar. If you share California residents' personal information with a vendor, you need a written contract specifying data use limitations.
**Q: Can I use one DPA for all my vendors?**
A: You can use a template, but each DPA should be customized to reflect the specific data and processing activities for each vendor relationship.
**Q: What's the penalty for not having a DPA?**
A: Under GDPR, up to €20 million or 4% of annual global turnover — whichever is higher. In practice, regulators often issue lower fines tied to the specific violation, but they're still significant.
**Q: Do I need a DPA if I'm the processor?**
A: Both parties need to sign the DPA. If you're a processor receiving data from a controller, you're equally obligated to have one in place.
## Related Legal Documents
A DPA rarely stands alone. Here are the other legal documents your business likely needs:
- [Privacy Policy](/privacy-policy) — discloses how you collect and use personal data
- [Terms of Service](/terms-of-service) — governs how users interact with your platform
- [Cookie Policy](/cookie-policy) — explains cookie usage and consent mechanisms
- [EULA](/eula) — End User License Agreement for software products
- [NDA](/nda) — protects confidential business information during partnerships
Generate all of these [for free at LegalPolicyGen](/).
## The Bottom Line
If any third-party service touches your users' personal data, you need a DPA. That includes email providers, hosting platforms, analytics tools, CRMs, and payment processors — basically every SaaS tool your business relies on.
The good news? Creating one doesn't require a law degree or a big budget. Use our [free DPA Generator](/dpa) and have a GDPR-compliant agreement ready to sign in under two minutes.
*Disclaimer: This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for advice specific to your jurisdiction and circumstances.*