A Data Processing Agreement is the contract that governs how a contractor processes personal data on your behalf. It is required under GDPR Article 28, the India Digital Personal Data Protection Act 2023, the California Consumer Privacy Act, and most modern privacy laws. This guide walks through a free DPA template for contractor engagements, with sample clause language for each section and primary-source citations.
When you need a DPA
A DPA is required whenever a contractor processes personal data on your behalf. The trigger is not the volume of data or the sensitivity. It is the fact that the contractor sees any personal data attributable to an identified or identifiable individual.
| Scenario | DPA needed |
|---|---|
| Contractor builds a feature with access to your database | Yes |
| Contractor handles customer support tickets containing user data | Yes |
| Contractor runs analytics on user events | Yes |
| Contractor reviews resumes (HR data) | Yes |
| Contractor designs a logo with no data access | No |
| Contractor writes blog content with no data access | No |
| Contractor accesses aggregated, anonymized data only | No (but document anonymization) |
The “no data access” path requires the engagement to be structured so the contractor never sees personal data. In practice, this often requires a sandbox environment with synthetic data or aggregated data only.
The legal basis across jurisdictions
EU and UK: GDPR Article 28
Under Article 28 of the GDPR (Regulation 2016/679, https://eur-lex.europa.eu/eli/reg/2016/679/oj), processing by a processor on behalf of a controller must be governed by a contract that sets out:
- The subject-matter and duration of the processing
- The nature and purpose of the processing
- The type of personal data and categories of data subjects
- The obligations and rights of the controller
- Processor’s obligations on confidentiality, security, sub-processors, data subject rights, breach notification, audit, and deletion or return
The UK GDPR (post-Brexit) has equivalent requirements under the same article number.
India: Digital Personal Data Protection Act 2023
Under Section 8(5) of the DPDP Act 2023, a data fiduciary may engage a data processor only under a valid contract. The Act does not prescribe specific terms, but processor obligations on security and breach notification flow through from Section 8 and Section 8(6).
US: State privacy laws
The California Consumer Privacy Act as amended by CPRA requires a service-provider contract under Cal Civ Code 1798.140(ag) that prohibits the service provider from selling personal information, retaining or using it outside the business purpose, or combining it with other data. Similar requirements exist under Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, and a growing list of state laws.
Sectoral US laws
HIPAA requires a Business Associate Agreement (BAA) for health data, which is functionally a DPA tailored to PHI. GLBA has separate service-provider requirements for financial institutions. These are sectoral additions on top of a general DPA.
The ten sections every DPA needs
1. Definitions
```
"Applicable Data Protection Laws" means all laws and regulations applicable
to the processing of Personal Data under this DPA, including the EU
General Data Protection Regulation (Regulation 2016/679), the UK GDPR,
the California Consumer Privacy Act as amended by CPRA, the India Digital
Personal Data Protection Act 2023, and any other applicable privacy law.

"Controller", "Processor", "Personal Data", "Processing", "Data Subject",
"Personal Data Breach", and "Sub-processor" have the meanings given in
the Applicable Data Protection Laws.

"Standard Contractual Clauses" or "SCCs" means the standard contractual
clauses for the transfer of personal data to third countries adopted by
the European Commission in Commission Decision 2021/914.

"Services" means the services provided by Processor to Controller under
the Master Services Agreement dated [Date].

"Subject Matter, Duration, Nature, Purpose, Types of Data, and Categories
of Data Subjects" are set forth in Annex A to this DPA.
```
Annex A is the GDPR Article 28(3) required content. Without it, the DPA does not satisfy GDPR.
2. Roles of the parties
```
The parties acknowledge and agree that, in respect of the Personal Data
processed under the Services, Controller is the Controller and Processor
is the Processor. Processor shall process Personal Data only on
documented instructions from Controller, as set forth in this DPA, the
MSA, the relevant SOW, or as required by Applicable Data Protection
Laws (in which case Processor shall inform Controller of that legal
requirement before processing unless prohibited by law).
```
3. Processor obligations
```
Processor shall:
(a) process Personal Data only on documented instructions from Controller;
(b) ensure that persons authorized to process Personal Data are subject
    to confidentiality obligations;
(c) implement appropriate technical and organizational security measures
    as described in Annex B;
(d) assist Controller in responding to requests from Data Subjects
    exercising their rights under Applicable Data Protection Laws;
(e) assist Controller in ensuring compliance with security, breach
    notification, data protection impact assessment, and prior
    consultation obligations;
(f) at Controller's choice, delete or return all Personal Data after the
    end of the provision of Services, unless retention is required by
    Applicable Data Protection Laws;
(g) make available to Controller all information necessary to demonstrate
    compliance with this DPA and allow for audits as described in
    Section 8.
```
This mirrors GDPR Article 28(3)(a) through (h). The phrasing is intentional because regulators look for it.
4. Sub-processors
```
Controller authorizes Processor to engage the sub-processors listed in
Annex C as of the Effective Date. Processor shall notify Controller of
any intended addition or replacement of sub-processors at least 30 days
in advance. Controller may object to any new sub-processor on reasonable
grounds related to data protection. If the parties cannot resolve the
objection within 30 days, Controller may terminate the affected Services
without penalty.

Processor shall impose on each sub-processor data protection obligations
that are no less protective than those in this DPA. Processor remains
fully liable to Controller for the acts and omissions of its
sub-processors.
```
The 30-day notice and right-to-object structure is from the EU SCCs (Commission Decision 2021/914, Clause 9). A specific-approval model is allowed but impractical for most engagements.
5. Security measures
```
Processor shall implement and maintain appropriate technical and
organizational measures to ensure a level of security appropriate to the
risk, including:
- Encryption of Personal Data in transit and at rest
- Ability to ensure ongoing confidentiality, integrity, availability, and
  resilience of processing systems
- Ability to restore availability and access to Personal Data in the
  event of a physical or technical incident
- Regular testing, assessing, and evaluating of the effectiveness of
  technical and organizational measures
- Access controls, including role-based access and multi-factor
  authentication for administrative access
- Logging and monitoring of access to Personal Data
- Personnel training on data protection
- Documented incident response procedures

Detailed security measures are set forth in Annex B and may be updated by
Processor from time to time, provided that the level of security shall
not decrease.
```
GDPR Article 32 requires “appropriate” security measures. The specific list above is what most DPAs include. SOC 2, ISO 27001, or HITRUST certifications are commonly referenced in Annex B as evidence.
6. Breach notification
```
Processor shall notify Controller of any Personal Data Breach without
undue delay and in any event within 48 hours of becoming aware of the
breach. The notification shall include, to the extent known:
(a) the nature of the breach, including the categories and approximate
    number of Data Subjects and Personal Data records concerned;
(b) the likely consequences of the breach;
(c) the measures taken or proposed to address the breach and mitigate
    its adverse effects;
(d) a contact point for further information.

Processor shall cooperate with Controller in investigating, mitigating,
and remediating the breach, and shall provide all reasonable assistance
to enable Controller to meet its notification obligations to supervisory
authorities and Data Subjects.
```
GDPR Article 33 requires controller notification to the supervisory authority within 72 hours of awareness. The 48-hour processor-to-controller deadline in the template gives the controller 24 hours to investigate. Some DPAs use 24 hours to give the controller more buffer.
7. Data subject rights
```
Processor shall, taking into account the nature of the processing,
assist Controller by appropriate technical and organizational measures,
insofar as possible, to respond to requests from Data Subjects to
exercise their rights under Applicable Data Protection Laws, including
rights of access, rectification, erasure, restriction of processing, data
portability, and objection.

If Processor receives a request directly from a Data Subject, Processor
shall promptly forward the request to Controller and shall not respond
directly except on Controller's instructions or as required by law.
```
This mirrors GDPR Article 28(3)(e) and similar provisions in other laws.
8. International transfers
```
Where the Services involve the transfer of Personal Data from the EEA,
UK, or Switzerland to a country that has not been deemed adequate by the
European Commission (or the equivalent UK or Swiss authority), the
parties agree that the EU Standard Contractual Clauses (Commission
Decision 2021/914) Module 2 (Controller to Processor) are incorporated by
reference into this DPA, with the following selections:
- Clause 7 (Docking clause): not applicable
- Clause 9(a) (Sub-processor approval): General authorization, with the
  notice period in Section 4 of this DPA
- Clause 11(a) (Independent dispute resolution): not selected
- Clause 17 (Governing law): law of [EU Member State]
- Clause 18 (Forum): courts of [EU Member State]

The information required by Annex I and Annex III of the SCCs is set
forth in Annex A and Annex C of this DPA respectively.

Where the Services involve the transfer of Personal Data from the UK,
the UK International Data Transfer Addendum (IDTA) issued by the ICO is
incorporated by reference and supplements the SCCs as required by UK law.
```
The EU SCCs (Commission Decision 2021/914, https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj) are the standard transfer mechanism. If the processor is in the US and certified under the EU-US Data Privacy Framework, the SCCs may not be required (the DPF provides the adequacy mechanism), but most DPAs include the SCCs as a backstop.
9. Audit and inspection
```
Processor shall make available to Controller all information necessary
to demonstrate compliance with this DPA. Controller may, no more than
once per year (except in case of a Personal Data Breach), conduct an
audit by reasonable means, including reviewing certifications (SOC 2,
ISO 27001, ISO 27018, or equivalent) and submitting reasonable written
questionnaires.

On-site audits require 30 days advance written notice and shall be
conducted during business hours in a manner that does not unreasonably
disrupt Processor's operations. Costs of on-site audits are borne by
Controller unless the audit reveals material non-compliance.

A regulator's audit conducted under Applicable Data Protection Laws is
permitted at any time without the foregoing restrictions.
```
The audit right is required by GDPR Article 28(3)(h). Most DPAs cap audits at once per year with reasonable advance notice. Surprise audits are triggered by a breach or by regulator action.
10. Term, deletion, and survival
```
This DPA commences on the Effective Date and continues for the duration
of the Services. On termination, Processor shall, at Controller's choice,
delete or return all Personal Data and delete existing copies, unless
retention is required by Applicable Data Protection Laws. Processor
shall certify deletion in writing if requested.

Sections related to confidentiality, audit rights for the duration of any
record retention, and liability survive termination.
```
Annexes
A complete DPA has three annexes:
Annex A: Subject matter, nature, purpose, types of data, categories of data subjects, duration. This is the GDPR Article 28(3) required content. For a contractor building a customer support tool, this would describe processing customer email addresses, support ticket content, and account metadata for the purpose of providing the support tool, for the duration of the engagement.
Annex B: Technical and organizational security measures. Detailed list of encryption, access controls, monitoring, certifications, and incident response procedures.
Annex C: Approved sub-processors. List of pre-approved sub-processors as of the Effective Date, with the right to add new ones on 30 days' notice.
Country-specific considerations
India DPDP Act 2023
The DPDP Act does not require SCC-equivalent transfer mechanisms but does authorize the Indian government to restrict transfers to specific countries. As of 2026, no restrictions are in force. Indian processors of EU data still need SCCs because of GDPR’s extraterritorial reach.
China PIPL
The Personal Information Protection Law requires either CAC-approved SCCs (China’s version), security assessment certification, or personal information protection certification for cross-border transfers of personal data out of China. If your contractor is in China and processes data subject to PIPL, get separate legal review.
US state laws
CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, and others impose service-provider contract requirements. A GDPR-compliant DPA generally satisfies these, but specific terms (no sale of personal information, no combining with other data) should be expressly stated for California compliance.
Common DPA failure modes
- No DPA at all. The most common failure. The engagement is not lawful under GDPR.
- No Annex A. GDPR Article 28(3) requires the subject matter, purpose, types of data, and data subject categories to be described. A DPA without Annex A does not satisfy the regulation.
- Generic security measures. “Industry-standard security” is not a measure. List specific controls (encryption, MFA, logging, certifications).
- No SCCs for non-adequate transfers. EU data going to a non-adequate country without SCCs (or another lawful transfer mechanism) is a regulatory violation.
- No breach notification timing. Without a specific deadline, the processor’s notice could come after the controller’s 72-hour clock has expired.
- Specific sub-processor approval. Impractical for ongoing engagements. Use general approval with right to object.
- No audit rights. Article 28(3)(h) requires audit access. A DPA without it does not satisfy GDPR.
Get a country-aware version
This template covers GDPR Article 28 plus US state law and India DPDP basics. The right DPA for a specific engagement depends on the data categories (sensitive data triggers additional requirements), the transfer geography (SCCs for EU-to-US, UK IDTA for UK-to-US, China SCCs for outbound from China), and the sector (HIPAA BAA additions for health data, GLBA additions for financial data).
Omnivoo Contract Management generates a country-aware DPA in minutes alongside the MSA and SOW. You answer a short set of questions about the data flow and the platform produces a DPA with the right transfer mechanism for the contractor’s jurisdiction, the right security annexes, e-signature under ESIGN and eIDAS, and KYC on the contractor. The product costs a flat USD 49 per contract bundle, with payment fees passed through at cost.
For the related templates, see our free MSA template, free SOW template, and free NDA template. To skip the manual drafting entirely, Omnivoo Contract Management handles the full bundle.
If you remember three things
- A DPA is required under GDPR Article 28 whenever a contractor processes personal data on your behalf. Without it, the engagement is not lawful.
- Annex A (subject matter, purpose, types of data, data subject categories) is mandatory. A DPA without Annex A does not satisfy GDPR.
- International transfers from the EU to non-adequate countries require SCCs (Commission Decision 2021/914) or another lawful transfer mechanism. Without it, the transfer is a regulatory violation.
Use Omnivoo Contract Management at /solutions/contract-management to generate a country-aware DPA in minutes, with e-sign, KYC, and payment all included for USD 49 flat.