Clycyo Glossary

What Is a DPA (Data Processing Agreement)?

The data processing agreement explained: who needs one, what it must contain under GDPR Article 28, and how to read a vendor DPA.

A Data Processing Agreement (DPA) is the contract GDPR requires between a controller (you, deciding why data is processed) and a processor (the vendor processing it for you — your analytics, email, or hosting provider). Article 28 makes it mandatory, not optional: using a processor without a DPA is itself a violation, before any data mishap occurs.

What a DPA must contain

  • Subject matter, duration, nature and purpose of processing — what the vendor does with what data.
  • Processing only on documented instructions — the vendor cannot repurpose your data (the clause that separates processors from data brokers).
  • Confidentiality commitments and security measures (Article 32).
  • Sub-processor rules: who the vendor passes data to, with your right to object — read this list; it is where the surprises live.
  • Assistance with data-subject rights and breach notification duties.
  • Deletion or return of data at contract end.
  • International transfer mechanisms if data leaves the EU — the Schrems II pressure point.

Reading a vendor DPA in ten minutes

  1. Sub-processor list: short and European is simple; long and global means every entry inherits your compliance review.
  2. Data location: EU processing with no third-country transfers removes the hardest chapter (see the glossary entry on data residency).
  3. What data is actually processed: here cookieless analytics pays its compliance dividend — a processor handling no persistent identifiers and minimal personal data makes the whole agreement lighter, because there is less to govern.

Practical notes

Serious vendors offer a standard, pre-signed DPA you accept online — needing to ask is itself a signal (Clycyo's is at /dpa). And remember the direction of duty: the DPA protects you, the controller, because regulators come to you first when a processor misbehaves. It is the one legal document in the analytics stack worth actually reading — start with the sub-processor annex.