What is a DPA (Data Processing Agreement)?
A contract under GDPR Article 28 between a data controller (your customer) and a data processor (you) defining how customer personal data is processed, stored, and protected. Typically required by EU customers before signing a SaaS contract.
Full explanation
Under GDPR, any company that processes EU residents' personal data on behalf of another company must sign a DPA. The DPA spells out: data categories processed, processing purposes, sub-processors used, security controls, data-breach notification timelines, and data-deletion procedures. SaaS vendors typically publish a standard DPA on their website and sign it for any EU customer who requests it. Most US-only SaaS vendors encounter a DPA request for the first time when an EU prospect's procurement team asks for one as part of due diligence.
Example
A French enterprise prospect requests your DPA before signing. Your DPA should cover: which Securie sub-processors handle their data (Vercel, Supabase, Stripe, OpenAI — each with their own GDPR posture), what categories of data you process (typically: source code, scan results, attestations), retention periods, data-breach notification within 72 hours per GDPR Article 33, and the customer's right to audit. Standard DPA templates from compliance-automation platforms (Vanta, Drata, Secureframe) cover most of this; customize for your specific stack.
FAQ
Do I need a DPA at pre-seed scale?
Only if you have EU customers asking for one. Before you have EU customers, draft a generic DPA template (most compliance platforms provide one) so you can sign quickly when the first request comes in. Once you have an EU customer, the DPA is operationally required before the contract closes.
Does a DPA require Standard Contractual Clauses?
If your data flows from EU to non-EU jurisdictions (e.g., your servers are US-based), yes — Standard Contractual Clauses (SCCs) under GDPR Chapter V are required, and post-Schrems II additional safeguards may apply (Transfer Impact Assessment). For EU-resident data on EU-hosted infrastructure, SCCs are not required.