The Data Processing Addendum (DPA): Your Contractual Obligation Under GDPR and CCPA

Takeaway: A DPA is a mandatory contract between a data "controller" and a "processor" required by the GDPR; your startup needs one with every vendor that handles your users' personal data on your behalf.

As your startup grows, you will inevitably rely on a host of third-party cloud services to run your business. You will use a cloud provider like AWS to host your application, a payment processor like Stripe to handle transactions, and an analytics service like Mixpanel to understand user behavior. When you use these services, you are sharing your users' personal data with them. Under modern privacy laws, this data sharing triggers a specific and mandatory contractual requirement: the Data Processing Addendum (DPA).

A DPA is a legally binding contract that governs the relationship between a "data controller" and a "data processor." It is a required document under Europe's GDPR and is considered a best practice under other privacy regimes like California's CCPA.

Controller vs. Processor: Understanding Your Role

To understand when you need a DPA, you must first understand these two key roles:

  • The Data Controller: This is the organization that determines the "purposes and means" of the data processing. In short, the controller is the one who decides why and how personal data is collected and used. As a startup offering a service to your users, you are the data controller.

  • The Data Processor: This is the organization that processes the data on behalf of the controller. Your vendors—AWS, Stripe, Mixpanel—are your data processors. They are only authorized to use the data according to your specific instructions.

The Purpose of a DPA

The GDPR requires that any time a controller shares personal data with a processor, there must be a written contract in place that governs the processing. The DPA is that contract. Its purpose is to ensure that your vendors handle your users' data with the same high level of care and security that you do, and that they only use the data for the specific purpose of providing their service to you.

A DPA will contain specific contractual clauses that obligate your vendor to:

  • Implement appropriate technical and organizational security measures.

  • Only process data according to your documented instructions.

  • Notify you in the event of a data breach.

  • Assist you in responding to data subject rights requests (like a request for deletion).

Your Obligation: Signing DPAs with All Your Vendors

As the data controller, you bear the legal obligation to ensure that a DPA is in place with every single vendor that processes personal data on your behalf.

  • Standard DPAs: Fortunately, most major SaaS vendors and cloud providers have a standard, pre-signed DPA that you can easily sign and execute as part of their terms of service.

  • The Vetting Process: When you are evaluating a new vendor, part of your security and compliance diligence must be to confirm that they offer a robust, GDPR-compliant DPA. If a vendor cannot or will not sign a DPA, you should not entrust them with your users' data.

The DPA is a fundamental building block of a modern privacy compliance program. It is the contractual tool that allows you to extend your own privacy and security obligations down through your entire supply chain.

Disclaimer: This post is for general informational purposes only and does not constitute legal, tax, or financial advice. Reading or relying on this content does not create an attorney–client relationship. Every startup’s situation is unique, and you should consult qualified legal or tax professionals before making decisions that may affect your business.