Inferensys

Glossary

Data Processing Agreement (DPA)

A legally binding contract between a data controller and a data processor that defines the scope, purpose, and security obligations for processing personal data.
Legal team reviewing AI contract compliance agent on laptop, contract documents visible, modern WeWork meeting room.
LEGAL CONTRACT

What is a Data Processing Agreement (DPA)?

A Data Processing Agreement (DPA) is a legally binding contract between a data controller and a data processor that defines the scope, purpose, and security obligations for processing personal data.

A Data Processing Agreement (DPA) is a legally binding contract mandated by Article 28 of the GDPR that governs the relationship between a data controller (who determines the purpose of processing) and a data processor (who acts on the controller's instructions). The DPA must stipulate the subject-matter, duration, nature, and purpose of the processing, the type of personal data, and the categories of data subjects.

The agreement obligates the processor to implement appropriate technical and organizational measures to ensure data security, assist the controller in fulfilling data subject rights, and delete or return all personal data upon service completion. It also governs the use of sub-processors, requiring prior specific or general written authorization from the controller, and mandates that the processor immediately inform the controller if an instruction infringes on data protection law.

CONTRACTUAL ANATOMY

Core Components of a DPA

A Data Processing Agreement (DPA) is not a monolithic block of text but a structured instrument composed of distinct, mandatory clauses. Each component serves a specific legal and technical function to define the boundaries of a processor's authority and liability.

01

Subject Matter & Duration

This clause strictly defines the scope of processing. It specifies the exact categories of personal data and the types of data subjects involved. The duration must be finite, typically tied to the term of the master service agreement, and mandates automatic deletion or return of data upon termination.

Art. 28(3)
GDPR Mandate
02

Nature & Purpose

This section prohibits general-purpose processing. It articulates the specific business objective for which the processor is engaged, such as 'cloud storage' or 'email distribution.' Any secondary purpose, including product improvement or analytics, requires separate, explicit authorization to avoid violating the principle of purpose limitation.

03

Sub-Processor Engagement

Governs the processor's ability to outsource obligations. The standard mechanism is either general written authorization with a right to object, or specific pre-approved lists. The DPA must impose a flow-down requirement, ensuring the sub-processor is bound by materially identical data protection obligations via a written contract.

04

Security of Processing

Moves beyond vague promises to mandate technical and organizational measures (TOMs). This often references a detailed Annex II that specifies encryption standards (e.g., AES-256 at rest, TLS 1.3 in transit), pseudonymization techniques, and business continuity certifications like ISO 27001.

05

Assistance with Data Subject Rights

The processor must contractually commit to assisting the controller in fulfilling DSARs. This includes implementing technical mechanisms for rectification, erasure, and portability. The processor must immediately forward any request received directly from a data subject to the controller without responding independently.

06

Audit & Inspection Rights

This clause operationalizes accountability by granting the controller the right to verify compliance. It typically allows for on-site inspections or mandates the provision of a third-party SOC 2 Type II report. The processor is obligated to contribute to audits and disclose all information necessary to demonstrate compliance.

LEGAL INSTRUMENT COMPARISON

DPA vs. Standard Contractual Clauses (SCCs)

Distinguishing the contractual relationship between controller and processor (DPA) from the cross-border data transfer mechanism (SCCs) under GDPR.

FeatureData Processing Agreement (DPA)Standard Contractual Clauses (SCCs)

Primary Legal Purpose

Defines the scope, obligations, and liabilities between a data controller and a data processor under GDPR Article 28.

Provides a legal safeguard mechanism for transferring personal data from the EU/EEA to a third country lacking an adequacy decision.

Parties Involved

Data Controller and Data Processor (or sub-processor).

Data Exporter (in EU/EEA) and Data Importer (in a third country). Can be controller-to-controller or controller-to-processor.

Mandatory Under GDPR

Required for Cross-Border Transfers

Core Content Requirements

Subject matter, duration, nature, purpose of processing; type of personal data; data subject categories; controller obligations and processor technical/organizational measures.

Standardized modules with clauses on data protection safeguards, data subject rights, redress, liability, and supervision by competent supervisory authorities.

Regulatory Template

No single fixed template; content is mandated by GDPR Article 28(3) but drafted by parties.

Fixed, non-negotiable template adopted by the European Commission (Implementing Decision 2021/914).

Liability Regime

Processor liable for damages caused by non-compliance with GDPR or DPA instructions; controller liable for damages caused by non-compliant processing.

Joint and several liability between data exporter and data importer for any material or non-material damages resulting from a breach of the clauses.

DATA PROCESSING AGREEMENTS

Frequently Asked Questions

Clear, technically precise answers to the most common questions about the structure, obligations, and regulatory context of Data Processing Agreements.

A Data Processing Agreement (DPA) is a legally binding contract between a data controller (who determines the purposes and means of processing) and a data processor (who processes data on behalf of the controller). It operationalizes Article 28 of the GDPR by defining the subject-matter, duration, nature, and purpose of processing, the type of personal data, and the categories of data subjects. The DPA functions as a shield and a set of instructions: it strictly limits the processor to act only on the documented instructions of the controller, prohibits the use of sub-processors without prior specific authorization, and mandates a duty of confidentiality for all personnel authorized to process the data. It is not merely a policy document but a contractual mechanism that allocates liability and establishes a direct chain of accountability between the parties.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.