Data Processing Addendum (DPA)

What is a Data Processing Addendum (DPA)?

A data processing addendum (dpa) is a legal document used when a vendor, customer, or SaaS provider processes personal data on behalf of another company. This template is built for in-house legal, privacy, procurement, and SaaS teams that need a practical starting point rather than a blank page.

Use the template to align the commercial, operational, and legal terms before the document goes into negotiation. It is intentionally structured around the clauses teams usually review first, so it can support intake, first-pass drafting, and playbook-based redlining.

When to use this template

Use this privacy and data protection template when a vendor, customer, or SaaS provider processes personal data on behalf of another company. It is most useful when the deal is routine enough to start from standard language but important enough that the parties should document expectations clearly.

• Start from this template when the business terms are mostly known and the team needs a clean first draft.
• Attach it to a broader MSA, order form, policy, or exhibit when the relationship already has a master contract.
• Escalate to counsel when the counterparty asks for unusual liability, data, IP, exclusivity, regulated-industry, or termination terms.

How to customize it

Replace placeholders with the actual parties, dates, business terms, operational owners, notice contacts, and jurisdiction-specific terms. Then compare each clause against your contract playbook so the draft reflects your risk tolerance and fallback positions.

• Processing instructions. Confirm the clause matches the transaction facts, approval path, and internal operating model.
• Processor obligations. Confirm the clause matches the transaction facts, approval path, and internal operating model.
• Security measures. Confirm the clause matches the transaction facts, approval path, and internal operating model.
• Subprocessors. Confirm the clause matches the transaction facts, approval path, and internal operating model.
• Data subject requests. Confirm the clause matches the transaction facts, approval path, and internal operating model.
• Breach notice. Confirm the clause matches the transaction facts, approval path, and internal operating model.
• International transfers. Confirm the clause matches the transaction facts, approval path, and internal operating model.
• Return or deletion. Confirm the clause matches the transaction facts, approval path, and internal operating model.

Common negotiation points

Most negotiations turn on a small set of practical questions: who owns the output, who controls data, what happens if performance fails, which obligations survive, and how much liability each party accepts. Resolve those points before polishing definitions.

• Make sure the scope is narrow enough that business owners can operate it after signature.
• Check whether confidentiality, data protection, IP, audit, indemnity, and liability terms need higher scrutiny.
• Confirm the agreement has a clear path for renewal, termination, transition assistance, and post-termination obligations.