A Data Processing Agreement (DPA) is a legally binding contract mandated by Article 28 of the GDPR that governs the relationship between a data controller (who determines the purpose of processing) and a data processor (who acts on the controller's instructions). The DPA must stipulate the subject-matter, duration, nature, and purpose of the processing, the type of personal data, and the categories of data subjects.
Glossary
Data Processing Agreement (DPA)

What is a Data Processing Agreement (DPA)?
A Data Processing Agreement (DPA) is a legally binding contract between a data controller and a data processor that defines the scope, purpose, and security obligations for processing personal data.
The agreement obligates the processor to implement appropriate technical and organizational measures to ensure data security, assist the controller in fulfilling data subject rights, and delete or return all personal data upon service completion. It also governs the use of sub-processors, requiring prior specific or general written authorization from the controller, and mandates that the processor immediately inform the controller if an instruction infringes on data protection law.
Core Components of a DPA
A Data Processing Agreement (DPA) is not a monolithic block of text but a structured instrument composed of distinct, mandatory clauses. Each component serves a specific legal and technical function to define the boundaries of a processor's authority and liability.
Subject Matter & Duration
This clause strictly defines the scope of processing. It specifies the exact categories of personal data and the types of data subjects involved. The duration must be finite, typically tied to the term of the master service agreement, and mandates automatic deletion or return of data upon termination.
Nature & Purpose
This section prohibits general-purpose processing. It articulates the specific business objective for which the processor is engaged, such as 'cloud storage' or 'email distribution.' Any secondary purpose, including product improvement or analytics, requires separate, explicit authorization to avoid violating the principle of purpose limitation.
Sub-Processor Engagement
Governs the processor's ability to outsource obligations. The standard mechanism is either general written authorization with a right to object, or specific pre-approved lists. The DPA must impose a flow-down requirement, ensuring the sub-processor is bound by materially identical data protection obligations via a written contract.
Security of Processing
Moves beyond vague promises to mandate technical and organizational measures (TOMs). This often references a detailed Annex II that specifies encryption standards (e.g., AES-256 at rest, TLS 1.3 in transit), pseudonymization techniques, and business continuity certifications like ISO 27001.
Assistance with Data Subject Rights
The processor must contractually commit to assisting the controller in fulfilling DSARs. This includes implementing technical mechanisms for rectification, erasure, and portability. The processor must immediately forward any request received directly from a data subject to the controller without responding independently.
Audit & Inspection Rights
This clause operationalizes accountability by granting the controller the right to verify compliance. It typically allows for on-site inspections or mandates the provision of a third-party SOC 2 Type II report. The processor is obligated to contribute to audits and disclose all information necessary to demonstrate compliance.
DPA vs. Standard Contractual Clauses (SCCs)
Distinguishing the contractual relationship between controller and processor (DPA) from the cross-border data transfer mechanism (SCCs) under GDPR.
| Feature | Data Processing Agreement (DPA) | Standard Contractual Clauses (SCCs) |
|---|---|---|
Primary Legal Purpose | Defines the scope, obligations, and liabilities between a data controller and a data processor under GDPR Article 28. | Provides a legal safeguard mechanism for transferring personal data from the EU/EEA to a third country lacking an adequacy decision. |
Parties Involved | Data Controller and Data Processor (or sub-processor). | Data Exporter (in EU/EEA) and Data Importer (in a third country). Can be controller-to-controller or controller-to-processor. |
Mandatory Under GDPR | ||
Required for Cross-Border Transfers | ||
Core Content Requirements | Subject matter, duration, nature, purpose of processing; type of personal data; data subject categories; controller obligations and processor technical/organizational measures. | Standardized modules with clauses on data protection safeguards, data subject rights, redress, liability, and supervision by competent supervisory authorities. |
Regulatory Template | No single fixed template; content is mandated by GDPR Article 28(3) but drafted by parties. | Fixed, non-negotiable template adopted by the European Commission (Implementing Decision 2021/914). |
Liability Regime | Processor liable for damages caused by non-compliance with GDPR or DPA instructions; controller liable for damages caused by non-compliant processing. | Joint and several liability between data exporter and data importer for any material or non-material damages resulting from a breach of the clauses. |
Frequently Asked Questions
Clear, technically precise answers to the most common questions about the structure, obligations, and regulatory context of Data Processing Agreements.
A Data Processing Agreement (DPA) is a legally binding contract between a data controller (who determines the purposes and means of processing) and a data processor (who processes data on behalf of the controller). It operationalizes Article 28 of the GDPR by defining the subject-matter, duration, nature, and purpose of processing, the type of personal data, and the categories of data subjects. The DPA functions as a shield and a set of instructions: it strictly limits the processor to act only on the documented instructions of the controller, prohibits the use of sub-processors without prior specific authorization, and mandates a duty of confidentiality for all personnel authorized to process the data. It is not merely a policy document but a contractual mechanism that allocates liability and establishes a direct chain of accountability between the parties.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
A Data Processing Agreement (DPA) does not exist in isolation. It is the operational nexus connecting privacy law, technical security, and cross-border data flows. The following concepts define the boundaries and obligations of the modern DPA.
Data Protection Impact Assessment (DPIA)
A mandatory risk assessment process for identifying and minimizing the data protection risks of high-risk processing before it begins. The DPA serves as a key input to the DPIA, documenting the processor's security measures and obligations.
- Required under GDPR Article 35
- Must be completed when using new technologies or processing sensitive data at scale
- The DPA's technical and organizational measures (TOMs) annex directly feeds the DPIA's risk mitigation section
Record of Processing Activities (RoPA)
A mandatory internal documentation inventory required by GDPR Article 30 detailing the purposes, categories, and legal bases of all personal data processing. Every active DPA must be mapped to specific entries in the RoPA.
- Must include the name of the processor and controller
- Documents categories of data subjects and personal data types
- Serves as the auditable artifact proving the legal basis for each processor relationship
Sub-Processor Engagement
The mechanism within a DPA governing how a primary processor may engage downstream third parties to assist in data processing. Modern DPAs require prior specific or general written authorization from the controller.
- General authorization: Processor must inform controller of changes and allow objection
- Specific authorization: Controller must approve each sub-processor in advance
- The processor must flow down equivalent data protection obligations via contract
Data Residency Control
Technical governance measures that enforce the geographic location where data is physically stored or processed. DPAs increasingly specify data residency requirements to comply with sovereign data localization laws.
- Enforced through cloud region locking and geo-fencing
- Critical for sectors like public sector, defense, and healthcare
- Often requires contractual commitments to specific availability zones or sovereign cloud environments
Purpose Limitation Controls
Technical measures enforcing data minimization and preventing repurposing of data in AI training or secondary analytics. The DPA defines the specific, explicit, and legitimate purposes for which the processor may act.
- Implemented via Purpose-Based Access Control (PBAC)
- Prevents processor from using controller data to improve its own models without consent
- Violation of purpose limitation is a direct breach of the DPA and triggers Article 28 liability

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us