Data Processing Agreement (DPA)
GDPR-compliant Data Processing Agreement template for data processors and controllers.
Legal Notice
This template is a starting point, not legal or compliance advice. Have your legal team review and customize it before implementation. Generated with AI assistance.
How This Template Works
Under GDPR Article 28, any organization that engages a third party to process personal data on its behalf must have a written Data Processing Agreement in place. Without a compliant DPA, both the controller and processor face regulatory exposure under GDPR's enforcement regime. This Data Processing Agreement template covers all Article 28 mandatory clauses: subject matter and duration, nature and purpose of processing, type of personal data and data subjects, controller obligations and processor obligations, sub-processor authorization requirements, data subject rights assistance, security measures, and audit rights.
The template is structured as a standalone agreement or as an addendum to an existing services contract. Processor security obligations reference the Article 32 standard — appropriate technical and organizational measures — with a schedule for documenting specific controls. Sub-processing provisions include the required notification and objection mechanism. For complete GDPR compliance, use this alongside the [GDPR Compliance Checklist](/templates/gdpr-checklist) and [Data Processing Inventory](/templates/data-processing-inventory).
Frequently Asked Questions
When is a Data Processing Agreement required?
A DPA is required whenever you engage a third-party processor to handle personal data on your behalf under GDPR. Common examples: cloud service providers storing customer data, payroll processors handling employee data, email marketing platforms, analytics providers, and IT support vendors with access to systems containing personal data.
What is the difference between a data controller and a data processor?
A data controller determines the purposes and means of processing personal data. A data processor processes personal data on behalf of the controller, following the controller's instructions. Your SaaS vendor processing your customer data is typically a processor; your organization is the controller. The DPA governs this relationship.
Does this DPA template cover CCPA/CPRA as well?
The template is GDPR Article 28 focused. CCPA/CPRA uses different terminology (business/service provider) and has somewhat different requirements. For organizations needing dual GDPR/CCPA compliance, the template can be supplemented with CCPA-specific service provider language. See our CCPA Privacy Policy Template for the consumer-facing requirements.
