Data Processing Agreements
If you handle personal data on behalf of customers, or use vendors who handle your users' data, DPAs aren't optional—they're legally required under GDPR and many other privacy laws.
Key takeaways
- Sign DPAs with customers before processing their data
- Vet subprocessors and maintain an updated list
- Define data retention and deletion procedures
- Include SCCs for international data transfers
Know your role: controller vs. processor
A data controller decides why and how personal data is processed; a data processor processes personal data on the controller's behalf and only on its documented instructions. As a SaaS provider, you are typically a processor for the customer data in your platform, but a controller for your own user analytics, marketing, and employee data. Determine your role per processing activity, not per company: a processor that starts using customer data for its own purposes (for example, to train a model or build a marketing list) becomes a controller for that use and takes on the controller's obligations.
Essential DPA provisions
Your DPA should cover: the subject matter, duration, nature and purpose of the processing, the types of personal data and categories of data subjects, the instruction that data is processed only on the controller's documented instructions, confidentiality obligations for personnel, security measures (Article 32 GDPR), subprocessor requirements, assistance with data subject requests and with the controller's security and breach obligations, audit rights, breach notification timelines, data deletion or return upon termination, and liability allocation. Article 28(3) GDPR lists the mandatory terms; use it as your checklist. On breach notification, GDPR itself only requires the processor to notify the controller "without undue delay", but because the controller has 72 hours from becoming aware of a breach to notify the supervisory authority (Article 33), customers commonly contract for a 24- to 72-hour window from the processor, and the shorter end is easier for the controller to accept.
Managing your subprocessors
If you use AWS, Google Cloud, analytics tools, support tooling, or any other service that stores or otherwise processes customer personal data, those vendors are your subprocessors. You need: prior written authorization from customers, which may be specific (per subprocessor) or general (a standing approval of your published list); a written agreement with each subprocessor that imposes the same data protection obligations your DPA imposes on you; and a maintained list available to customers. Under a general authorization you must inform customers of any intended addition or replacement before it takes effect and give them the opportunity to object, so build a notification step (for example, a subscribable change log) into your vendor onboarding process. You remain fully liable to the customer for your subprocessors' performance.
International data transfers
Transferring personal data outside the EEA or UK to a country without an adequacy decision requires a transfer mechanism. Standard Contractual Clauses (SCCs) are the most common one: the European Commission's 2021 SCCs for EEA transfers, and for UK transfers either the UK International Data Transfer Agreement or the UK Addendum to the EU SCCs. Following the Schrems II judgment, SCCs alone are not enough: conduct and document a Transfer Impact Assessment (TIA) for each such transfer, assessing the destination country's laws on government access to data and whether supplementary measures (such as encryption with keys held in the EEA) are needed. Transfers to the US can alternatively rely on the EU-US Data Privacy Framework, but only for recipients that are certified under it, so check the recipient's certification status. Review your transfer mechanisms and TIAs whenever a subprocessor, destination country, or the applicable rules change.
Got questions?
Every business is different. Let's discuss how these principles apply to your specific situation.