Data Processing Agreement (DPA)

GDPR

Contract between a controller and processor codifying GDPR Art. 28 obligations.

A Data Processing Agreement (also Data Processing Addendum) is a binding contract between a controller and processor that documents the subject matter, duration, nature and purpose of processing, types of data, categories of data subjects, and processor obligations enumerated in GDPR Art. 28(3).

Why it matters
Processing personal data without a DPA in place is itself a GDPR violation, separate from any downstream security incident.

Related terms

Data Controller
The entity that determines the purposes and means of personal data processing (GDPR Art. 4(7)).
Data Processor
An entity processing personal data on behalf of a controller, governed by a written DPA (GDPR Art. 28).
Standard Contractual Clauses (SCCs)
EU Commission-approved clauses providing a lawful basis for personal-data transfers outside the EEA.