Magist

Data processing agreements (DPAs) with vendors

Control: processor-agreements · Domain: data-privacy · Type: policy

Description

Data processing agreements are the GDPR Article 28 contracts between a controller and a processor that allocate responsibility for the personal data the processor handles on the controller's behalf. Article 28(3) enumerates the eight required clauses: subject matter, duration, nature and purpose of the processing, type of personal data and categories of data subjects, the obligations and rights of the controller, the processor's obligations (including confidentiality, security, data-subject rights assistance, breach notification, and DPIA assistance), the sub-processor terms, and the end-of-engagement disposition of the data. The eight-clause list looks routine in the abstract and is operationally not, because the gap between a standard-form DPA on a vendor's website and an actually-Article-28-compliant DPA tends to be substantial.

The complication that surprises operators is the posture question. Most platforms run as both a controller and a processor depending on the relationship, and the same vendor can sit on the controller side of one product line and the processor side of another. The standard DPA most vendors offer is built for the buyer's posture rather than the user's; a SaaS vendor's standard DPA is structured around the vendor being the processor (which is the case for that vendor's typical customer) and may not adequately reflect the cases where the platform's relationship to the vendor's data is more complicated.

A second complication is the controller-to-controller distinction. Two parties that each independently determine the purposes and means of processing the same data are joint controllers under Article 26, not a controller-processor pair, and they need an Article 26 arrangement rather than an Article 28 DPA. Mischaracterizing the relationship is a recurring failure mode that surfaces during enforcement.

CCPA and the California Privacy Protection Agency's regulations require analogous service-provider contracts with their own clause set, codified at California Civil Code 1798.140(ag) and operationalized in the CCPA regulations at 11 CCR 7050. The material difference from the GDPR list is the no-sale-no-share representation: the service provider warrants that it does not sell or share the personal information it receives, and the warranty has substantive effect on the service provider's ability to retain or repurpose the data. Colorado, Connecticut, Virginia, Tennessee, Montana, and the other US state privacy statutes carry analogous clause sets with material variations. LGPD Article 39 requires similar terms in Brazil. Saudi Arabia's PDPL imposes equivalent obligations.

The operational decomposition is three pieces. The vendor inventory is keyed to the personal data the vendor processes, the controller-or-processor posture per relationship, and the executed DPA reference (with the executed DPA stored centrally rather than scattered across procurement records). The onboarding gate treats any new vendor as blocked from receiving data until the DPA is executed; the alternative pattern (data flows first, paperwork follows) is the one that produces Article 28(1) findings against the operator on the basis that personal data was transferred to a processor without a contract in place. The recurring-review cadence catches the cases where the vendor relationship has materially changed since the DPA was executed (new product line, new sub-processor, new geography of processing) and refreshes the DPA before the change becomes a finding.

The piece that consistently slips is the sub-processor consent chain. Article 28(2) requires the processor to obtain the controller's prior specific or general written authorization before engaging a sub-processor, and to notify the controller of intended additions or replacements so that the controller can object. Most vendor DPAs grant a general written authorization for sub-processors with a notification-and-objection cadence, and the vendor's actual sub-processor list (which can be 50 to 200 entries for a typical SaaS provider) is supposed to be discoverable through a published trust page. The slip happens when the published list does not match the sub-processors the vendor is actually using, or when the notification process for additions does not actually reach the controller, with the result that the controller is technically in breach of its own Article 28 obligations through the vendor's omission. The cheapest defensive posture is to audit the published sub-processor list against the vendor's actual data flows on an annual cadence, and to maintain a documented record of any objections raised and how they were resolved.
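The onboarding gate, the posture check and the sub-processor audit described above can be encoded as a small check that a vendor registry runs before a data flow is opened. This is an added illustration, not Magist's tooling; the record fields, the posture labels and the sample vendors are assumptions.

```python
# Vendor DPA gate and sub-processor reconciliation (illustrative; field names are assumptions).
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorRecord:
    name: str
    posture: str                      # our posture toward the vendor: "controller", "processor" or "joint-controller"
    data_categories: frozenset        # personal-data categories that actually flow to the vendor
    dpa_ref: str | None               # executed Article 28 DPA in the central library; None if unsigned
    article26_ref: str | None = None  # joint-controller arrangement, if the relationship is Article 26
    published_subprocessors: frozenset = frozenset()  # vendor's trust-page list as of the last audit
    notified_subprocessors: frozenset = frozenset()   # additions the vendor actually notified us about


def onboarding_gate(v: VendorRecord) -> list[str]:
    """Return the reasons the vendor must NOT receive personal data yet; empty means the flow may open."""
    if not v.data_categories:
        return []  # nothing personal flows, so no processing contract is required
    if v.posture == "joint-controller":
        # Parties that each decide purposes and means need an Article 26 arrangement, not a DPA.
        return [] if v.article26_ref else ["joint controllers: execute an Article 26 arrangement"]
    if v.dpa_ref is None:
        return ["no executed Article 28 DPA on file; data flow stays blocked"]
    return []


def reconcile_subprocessors(v: VendorRecord, observed: frozenset) -> dict:
    """Compare the destinations data was actually seen flowing to against the published and notified lists."""
    unpublished = observed - v.published_subprocessors               # in use but absent from the trust page
    unnotified = v.published_subprocessors - v.notified_subprocessors  # listed, but we were never told
    return {
        "unpublished": sorted(unpublished),
        "unnotified": sorted(unnotified),
        "refresh_dpa": bool(unpublished or unnotified),  # material change: reopen the DPA review
    }


# Constructed sample records (not real vendors).
ANALYTICS = VendorRecord("analytics-saas", "controller", frozenset({"device-id", "ip"}), "DPA-0001",
                         published_subprocessors=frozenset({"cloud-eu", "email-relay"}),
                         notified_subprocessors=frozenset({"cloud-eu"}))
UNSIGNED = VendorRecord("crash-reporter", "controller", frozenset({"ip"}), None)
AD_NETWORK = VendorRecord("ad-network", "joint-controller", frozenset({"ad-id"}), None)

if __name__ == "__main__":
    for vendor in (ANALYTICS, UNSIGNED, AD_NETWORK):
        print(vendor.name, onboarding_gate(vendor) or "allowed")
    print(reconcile_subprocessors(ANALYTICS, frozenset({"cloud-eu", "email-relay", "cdn-us"})))
```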

Required by (9 regulations)

  • CCPA/CPRA

    CCPA §1798.140(ag) — service-provider contracts.

    Cal. Civ. Code §§1798.100-1798.199.100; 11 CCR §7000-7102

  • CPA

    Colo. Rev. Stat. §§6-1-1301 to 6-1-1313; 4 CCR 904-3

  • CTDPA

    Conn. Gen. Stat. §§42-515 to 42-525

  • GDPR

    Article 28(3) — required terms of controller-processor agreements.

    Regulation (EU) 2016/679 of the European Parliament and of the Council

  • LGPD

    Article 39.

    Lei nº 13.709, de 14 de agosto de 2018 (as amended by Lei nº 13.853/2019 and Emenda Constitucional nº 115/2022)

  • MCDPA

    Mont. Code Ann. §§30-14-2801 to 30-14-2817

  • PDPL

    Royal Decree M/19, dated 9/2/1443 AH (September 16, 2021), Personal Data Protection Law, effective September 14, 2023

  • Tennessee IPA
  • VCDPA

    Virginia Consumer Data Protection Act § 59.1-579 requires controller-processor contracts to address: data processing instructions, duration of processing, processing purpose, data types, controller-rights audit and inspection access, processor confidentiality, processor cooperation with controller-side data subject rights responses, secure return or deletion of personal data at contract end, and sub-processor consent and flow-down. Effective 2023-01-01; the cure period is permanent (it does not sunset, unlike the Colorado CPA's).

    Va. Code §§59.1-575 to 59.1-585

Fulfilled by (2)

  • onetrust · partial · low effort · $$
  • In-house build · medium effort

Magist does not accept payment from vendors.

Evidence formats

  • signed DPA library
  • vendor onboarding checklist
  • audit-clause register

Magist provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions.

Built by Neel Patel, a practicing in-house games attorney. Games touch more compliance domains at once than anything else in tech — Magist was designed around that.

Operated by a Washington-licensed attorney. Not licensed in California or other US states.



© 2026 Magist