DPA (Data Processing Agreement)

A data processing agreement (DPA) is the written contract between controller and processor required by Article 28 GDPR. It must cover subject matter, duration, nature, purpose of processing, types of personal data, controller's rights, processor's confidentiality, security measures, sub-processor authorization, assistance with data-subject rights and breach notification, deletion / return of data, and audit rights.

See GDPR for VDRs.

Last updated: May 2026.