What is a Data Processing Agreement (DPA) and Does Your Site Need One?
If you use any third-party service that handles your users' personal data — hosting, email, analytics, support — you likely need a Data Processing Agreement with that service. Most sites don't have them. Here's what they are and where to find them. If you work as a freelance developer, this applies to your client relationships too.
What a DPA Is
A Data Processing Agreement is a contract between a data controller (you) and a data processor (the third-party service) that governs how the processor handles personal data on your behalf. GDPR Article 28 makes these mandatory — not optional best practice, but required.
The purpose is to create accountability: the processor commits to only processing data as you instruct, maintaining appropriate security, not engaging sub-processors without your knowledge, assisting you in fulfilling data subject rights, and deleting or returning data when the contract ends.
When You Need One
You need a DPA whenever a third party processes personal data "on your behalf." The test is: do they handle your users' data as a service to you, rather than for their own purposes?
Processors that almost every website needs DPAs with:
- Cloud hosting (AWS, GCP, Azure, Vercel, Heroku): Your server infrastructure hosts all your user data. Every one of these providers has a DPA — usually available in your account settings or under their legal documentation.
- Email service providers (Mailgun, SendGrid, Postmark): They process your users' email addresses to deliver transactional emails on your behalf.
- Customer support tools (Intercom, Zendesk, Freshdesk): They store and process your users' support conversations and contact information.
- Payment processors (Stripe): They process billing data on your behalf. Stripe's DPA is in their Dashboard under Settings → Legal.
- Analytics tools (Mixpanel, Amplitude, Segment): They process user behaviour data on your behalf.
- Error monitoring (Sentry, Datadog): They may capture personal data in error traces (user IDs, emails in error messages).
The 8 Things an Article 28 DPA Must Contain
Article 28(3) specifies what the contract must cover. A compliant DPA must state that the processor will:
1. Only process data on documented instructions from the controller
2. Ensure persons authorised to process data are bound by confidentiality
3. Implement appropriate technical and organisational security measures (Article 32)
4. Not engage sub-processors without prior written authorisation
5. Assist with data subject rights requests (access, erasure, portability)
6. Assist with security obligations, breach notification, and DPIAs
7. Delete or return all personal data at the end of the service
8. Provide all information necessary to demonstrate compliance
Where to Find DPAs for Common Services
- AWS: In the Service Terms, Section 5 — accept via AWS Artifact in the console
- Google Cloud: Google Cloud DPA — accepted when you accept their Terms of Service
- Stripe: Dashboard → Settings → Legal → Data Processing Agreement
- Mailchimp: Account settings → Legal → Data Processing Agreement
- Intercom: Settings → Privacy → Data Processing Addendum
- Vercel: Available in Vercel's legal documents, request via support for formal signing
- Cloudflare: Cloudflare DPA — self-serve for most plans
Standard DPA vs Custom DPA
For large established services (AWS, Stripe, Mailchimp), their standard DPA is almost always sufficient. These have been reviewed by data protection lawyers and data protection authorities across Europe. You don't need to negotiate or customise them.
Custom DPAs become relevant when: you're contracting with a small/bespoke service that doesn't have a standard DPA, you're a processor being asked to sign a DPA by your enterprise SaaS customers (you need your own DPA template to offer), or you have specific requirements (custom retention periods, specific security standards like ISO 27001).
Free starting points: the ICO publishes a DPA template at ico.org.uk. The European Commission's standard contractual clauses (SCCs) are available for international data transfers. IAPP has a DPA template library for members. You can also generate a DPA using our free tool.
Find out what's running on your site
Run a free GDPR scan to see which third-party services are active on your site — so you know which DPAs you need to track down.