A Data Processing Agreement (DPA) is a legally binding contract mandated by Article 28 of the GDPR that delineates the responsibilities, liabilities, and operational boundaries between a data controller (who determines the purpose of processing) and a data processor (who acts on the controller's instructions). It strictly defines the subject-matter, duration, nature, and purpose of the processing, as well as the categories of personal data and data subjects involved, ensuring no processing occurs outside the documented instructions.
Glossary
Data Processing Agreement (DPA)

What is a Data Processing Agreement (DPA)?
A Data Processing Agreement (DPA) is a legally binding contract that governs the relationship between a data controller and a data processor, detailing the technical and organizational security measures for protecting personal data.
Beyond defining scope, the DPA mandates that the processor implements appropriate technical and organizational measures (TOMs) to ensure a level of security appropriate to the risk, including pseudonymization and encryption. It governs the use of sub-processors, requiring specific prior authorization, and obligates the processor to assist the controller in fulfilling data subject access requests (DSARs) and breach notifications, thereby creating a binding chain of accountability across the entire data supply chain.
Core Components of a DPA
A Data Processing Agreement is not a monolithic block of text but a structured instrument composed of specific, mandatory clauses. Each component serves a distinct legal and operational function, defining the boundaries of liability, security, and authority between the controller and the processor.
Subject-Matter and Duration
The scope of processing clause explicitly defines what data is being handled and for how long. It must specify the exact categories of personal data (e.g., name, IP address, health records) and the categories of data subjects (e.g., employees, patients, visitors). The duration is typically tied to the commercial service agreement, with a strict mandate for deletion or return of data upon contract termination. Vague descriptions like 'any data necessary for the service' are legally invalid under GDPR Article 28(3).
Nature and Purpose of Processing
This section strictly prohibits the processor from using data for any secondary purpose not explicitly authorized by the controller. It details the permissible operations, such as storage, retrieval, consultation, erasure, or analysis. If a cloud provider wants to use anonymized data to improve its models, this must be explicitly stated here; otherwise, such use constitutes a breach of contract and a violation of the purpose limitation principle.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Frequently Asked Questions
Clear, technical answers to the most common questions about the legal and operational mechanics of Data Processing Agreements in AI and cloud infrastructure.
A Data Processing Agreement (DPA) is a legally binding contract that governs the relationship between a data controller (the entity determining the purpose and means of processing) and a data processor (the entity processing data on behalf of the controller). The DPA operationalizes Article 28 of the GDPR by delineating the specific subject-matter, duration, nature, and purpose of the processing. It works by contractually obligating the processor to implement appropriate technical and organizational measures (TOMs) , process data only on documented instructions, and assist the controller in fulfilling data subject rights. Without a signed DPA, any transfer or processing of personal data by a third-party AI vendor is non-compliant, exposing both parties to administrative fines of up to 4% of annual global turnover.
Related Terms
A Data Processing Agreement (DPA) sits at the intersection of legal obligation and technical architecture. These related terms define the mechanisms that make DPA compliance technically enforceable.
Transfer Impact Assessment (TIA)
A mandatory risk assessment required by GDPR before transferring personal data to a third country. The data exporter must evaluate whether the destination's local laws and surveillance practices impinge on the effectiveness of the SCCs. If gaps exist, supplementary technical measures must be implemented. These often include:
Binding Corporate Rules (BCR)
Internal, legally binding data protection policies adhered to by a multinational corporate group for intra-organizational transfers. Unlike SCCs, which are contractual, BCRs are a code of conduct approved by a lead supervisory authority. They are complex to draft and approve but provide a holistic governance framework for global data domiciling. BCRs explicitly define the roles of controller and processor across all subsidiaries, making them a corporate-level DPA equivalent.
Data Protection Impact Assessment (DPIA)
A mandatory risk assessment process required by GDPR for processing activities likely to result in high risk to individuals. A DPA often triggers the need for a DPIA, particularly when engaging a new processor. The DPIA must describe the processing operations, assess necessity and proportionality, and identify specific technical controls to mitigate risk. It is a living document that validates the security measures listed in the DPA's Appendix II.
Geofencing & Jurisdictional Controls
The technical enforcement layer of a DPA. While the DPA is a legal promise, geofencing is the architectural proof. This includes:
Data Classification & Tagging
The foundational prerequisite for DPA compliance. Before a processor can apply residency controls, data must be classified by sensitivity and jurisdiction. Automated jurisdiction tagging attaches metadata labels to data objects at creation, declaring their legal origin. This allows residency-aware routing policies to automatically direct processing workloads to approved compliance zones without manual intervention, ensuring the processor never accidentally violates the DPA's geographic scope.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us