DPA | Processor Obligations | Sub-Processors | Data Protection | GDPR Compliance
This Data Processing Agreement (DPA) dated [Date] between [Company/Controller] ("Controller") and [SaaS Provider] ("Processor") establishes data processing terms pursuant to GDPR Article 28, the German BDSG (Federal Data Protection Act), and US GLBA 15 USC §6801 (if applicable). **This DPA is MANDATORY and overrides conflicting SaaS Terms.**
1.1 Data Definition: Per GDPR Art. 4:
β’ "Personal Data": Any information relating to identified/identifiable natural person (name, email, IP, cookies, behavioral data)
β’ "Processing": Collection, storage, use, analysis, deletion of personal data
β’ "Data Subject": Individual whose data is processed (end user, customer, employee)
1.2 Role Definitions:
β’ "Controller": [Company] (determines processing purposes/means) per Art. 4(7)
β’ "Processor": [SaaS Provider] (processes data on Controller's behalf per Art. 4(8))
β’ "Sub-Processor": Third-party contractor engaged by Processor per Art. 28(2)
1.3 Subject Data: Processor processes only: [customer data, user data, transaction data, other: ________]
• Volume: [approx. X GB/TB per month]
• Types: [names, emails, payment info, usage logs, other]
2.1 Limited Processing: Processor shall process data ONLY per Art. 28(3):
✓ Controller's written instructions (in writing, documented)
✓ Purpose: [provide SaaS service / customer analytics / billing / other]
✓ NO processing for Processor's own purposes (prohibited per Art. 28(3))
✓ NO selling/licensing data to third parties
✓ NO processing for marketing/advertising (unless instructed)
2.2 Confidentiality (NON-NEGOTIABLE): Processor ensures per Art. 28(3)(b):
✓ Staff under binding confidentiality (written agreements required)
✓ No unauthorized access to personal data
✓ Data retention: Only as long as service operates (then immediate deletion)
2.3 Security & Technical Measures: Processor implements per Art. 32 (Technical Measures):
• Encryption: Data encrypted in transit (TLS 1.2+) & at rest per [AES-256 / equivalent]
• Access controls: MFA, role-based access (RBAC), audit logs
• Monitoring: Intrusion detection, vulnerability scanning (quarterly minimum)
• Backup: Daily backups (tested for recovery monthly)
• Redundancy: [X geographically-diverse data centers]
• Physical security: Restricted access, surveillance, guards
2.4 Audit & Compliance: Processor provides per Art. 28(3)(h):
• SOC 2 Type II certification (annual, shared with Controller)
• GDPR compliance attestation (yearly audit by independent auditor)
• Right to audit: Controller may audit Processor's facilities (annually, minimum)
• Documentation: Processing records (Article 5(2) accountability)
3.1 Sub-Processor Authorization: Processor may engage sub-processors ONLY per Art. 28(2) & (4), subject to:
✓ Prior written authorization from Controller
✓ Processor publishes list of current sub-processors: [https://company.com/subprocessors]
✓ Minimum 30 days notice before adding sub-processor
✓ Controller has right to object (within 15 days) per Art. 28(4)
3.2 Sub-Processor Agreement (MANDATORY): Processor ensures sub-processor bound by:
• Same data protection obligations (equivalent to this DPA) per Art. 28(4)
• Same confidentiality, security, audit requirements
• Sub-processor liable for breaches (Processor remains liable to Controller)
3.3 Current Sub-Processors (Example):
☐ [AWS / Google Cloud / Azure] (infrastructure hosting)
☐ [Stripe / PayPal] (payment processing)
☐ [SendGrid] (email delivery)
3.4 International Data Transfer (CRITICAL): If sub-processor in non-EU country per Art. 44-50 (International Transfer):
• ☐ US (Standard Contractual Clauses per Commission Decision 2021/914)
• ☐ UK (UK Standard Contractual Clauses)
• ☐ Other: [Adequacy Decision / Binding Corporate Rules]
4.1 Data Subject Rights (NON-WAIVABLE): Processor supports Controller in responding to requests under Art. 12-23:
✓ Right of access: Processor provides all data Controller holds (within 5 days)
✓ Right to rectification: Processor corrects inaccurate data (within 5 days)
✓ Right to erasure ("right to be forgotten"): Processor deletes data within 10 days per Art. 17
✓ Right to data portability: Processor provides data in machine-readable format (within 10 days) per Art. 20
✓ Right to object: Processor stops processing per Controller's instruction (Art. 21)
4.2 Processor's Role in Subject Requests:
• Processor does NOT respond directly to data subjects (Controller does)
• Processor assists Controller by providing requested data immediately
• Processor acknowledges requests within 48 hours
• Processor completes requested action within [5 / 10 days]
4.3 Deletion Upon Termination: Upon DPA termination, Processor:
• Deletes ALL personal data (no copies retained) per Art. 17(1)
• OR returns all data to Controller (for Controller to manage)
• Certified deletion (written attestation provided within 30 days)
5.1 Breach Definition: Per Art. 4(12) & 33, unauthorized access/disclosure including:
• Unauthorized access to data server
• Ransomware attack (data encrypted/corrupted)
• Insider theft (employee data theft)
• Third-party hacking (SQL injection, phishing)
5.2 Notification Timeline (MANDATORY): Processor notifies Controller per Art. 33(3):
• Within [24 / 48 hours] of becoming aware of breach (documented discovery time)
• Notification method: Email to [security contact]
• Information included: (a) type of breach, (b) approx. data subjects affected, (c) likely consequences, (d) remediation steps
5.3 Processor Liability for Breaches:
• Processor liable for all GDPR fines/penalties (up to EUR 20M or 4% revenue per Art. 83)
• Processor indemnifies Controller for costs of notification, credit monitoring, regulatory fines
• Exception: Breach caused solely by Controller's instructions (documented)
6.1 Data Storage Location: Data stored in:
☐ EU only (Germany: [X data center(s)])
☐ EU + international backup (specify: [X countries])
☐ US (with Standard Contractual Clauses per Schrems II ruling)
6.2 Compliance Certifications: Processor maintains:
✓ ISO 27001 (Information Security Management)
✓ SOC 2 Type II (Security, Availability, Processing Integrity)
✓ GDPR compliance audit (annual by qualified auditor)
✓ HIPAA (if health data handled)
6.3 Certification Verification: Processor provides current certifications upon request (within 5 days)
7.1 Term: DPA effective on SaaS agreement date and continues until termination of the SaaS agreement, per Art. 28(3)(g)
7.2 Upon Termination: Processor within [30 days]:
• Deletes all personal data (per Section 5.3)
• Deletes all backups (certified deletion)
• OR returns all data to Controller in portable format
7.3 Return of Data (Alternative): If Controller requests return instead of deletion:
• Processor provides all data within 15 days (encrypted, portable format)
• Storage only for [90 days] post-termination (then automatic deletion)
• Controller responsible for retrieval costs (if > USD [X])
Law: German (GDPR + BDSG) if EU data; [US State] if US data | Disputes: GDPR Data Authority intervention → Court
Audit Rights: Controller (or independent auditor) may audit Processor's processing per Art. 28(3)(h):
• Annual audit minimum (can request more frequently for cause)
• On-site inspection allowed (48 hours notice)
• Processor provides full cooperation (no access restrictions)