Inferensys

Glossary

Data Processing Agreement (DPA)

A legally binding contract between a data controller and a data processor that outlines the scope, purpose, and duration of data processing, as well as the technical and organizational security measures required to protect personal data.
Legal team reviewing AI contract compliance agent on laptop, contract documents visible, modern WeWork meeting room.
CONTRACTUAL COMPLIANCE

What is a Data Processing Agreement (DPA)?

A Data Processing Agreement (DPA) is a legally binding contract that governs the relationship between a data controller and a data processor, detailing the technical and organizational security measures for protecting personal data.

A Data Processing Agreement (DPA) is a legally binding contract mandated by Article 28 of the GDPR that delineates the responsibilities, liabilities, and operational boundaries between a data controller (who determines the purpose of processing) and a data processor (who acts on the controller's instructions). It strictly defines the subject-matter, duration, nature, and purpose of the processing, as well as the categories of personal data and data subjects involved, ensuring no processing occurs outside the documented instructions.

Beyond defining scope, the DPA mandates that the processor implements appropriate technical and organizational measures (TOMs) to ensure a level of security appropriate to the risk, including pseudonymization and encryption. It governs the use of sub-processors, requiring specific prior authorization, and obligates the processor to assist the controller in fulfilling data subject access requests (DSARs) and breach notifications, thereby creating a binding chain of accountability across the entire data supply chain.

CONTRACTUAL ANATOMY

Core Components of a DPA

A Data Processing Agreement is not a monolithic block of text but a structured instrument composed of specific, mandatory clauses. Each component serves a distinct legal and operational function, defining the boundaries of liability, security, and authority between the controller and the processor.

01

Subject-Matter and Duration

The scope of processing clause explicitly defines what data is being handled and for how long. It must specify the exact categories of personal data (e.g., name, IP address, health records) and the categories of data subjects (e.g., employees, patients, visitors). The duration is typically tied to the commercial service agreement, with a strict mandate for deletion or return of data upon contract termination. Vague descriptions like 'any data necessary for the service' are legally invalid under GDPR Article 28(3).

02

Nature and Purpose of Processing

This section strictly prohibits the processor from using data for any secondary purpose not explicitly authorized by the controller. It details the permissible operations, such as storage, retrieval, consultation, erasure, or analysis. If a cloud provider wants to use anonymized data to improve its models, this must be explicitly stated here; otherwise, such use constitutes a breach of contract and a violation of the purpose limitation principle.

DATA PROCESSING AGREEMENTS

Frequently Asked Questions

Clear, technical answers to the most common questions about the legal and operational mechanics of Data Processing Agreements in AI and cloud infrastructure.

A Data Processing Agreement (DPA) is a legally binding contract that governs the relationship between a data controller (the entity determining the purpose and means of processing) and a data processor (the entity processing data on behalf of the controller). The DPA operationalizes Article 28 of the GDPR by delineating the specific subject-matter, duration, nature, and purpose of the processing. It works by contractually obligating the processor to implement appropriate technical and organizational measures (TOMs) , process data only on documented instructions, and assist the controller in fulfilling data subject rights. Without a signed DPA, any transfer or processing of personal data by a third-party AI vendor is non-compliant, exposing both parties to administrative fines of up to 4% of annual global turnover.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.