Data Processing Agreement (DPA) Template

GDPR-compliant DPA template for vendor contracts. Essential for any company processing EU personal data. This free, professionally written template from Proveably is ready to download in multiple formats and customise for your organisation. No account required.

Standard DPA template covering processing scope, security measures, sub-processor obligations, data transfer mechanisms, and breach notification.


Why You Need This Data Processing Agreement (DPA) Template

A well-documented Data Processing Agreement (DPA) Template is essential for organisations pursuing compliance certifications and building trust with customers, partners, and auditors. Without formal documentation, your organisation faces several risks:

  • Audit failures — Auditors specifically check for documented policies. A missing or incomplete policy is one of the most common reasons organisations fail SOC 2, ISO 27001, or other compliance audits.
  • Security gaps — Without clear guidelines, employees and contractors may follow inconsistent security practices, creating vulnerabilities.
  • Regulatory exposure — Many regulations (GDPR, HIPAA, PCI DSS) require documented policies. Non-compliance can result in fines and legal liability.
  • Lost business opportunities — Enterprise customers increasingly require vendors to demonstrate formal security policies before signing contracts.

This Proveably template gives you a professional starting point that covers industry best practices and maps directly to compliance framework requirements.

Compliance Framework Requirements

This template is designed to satisfy requirements from the following frameworks:

SOC 2

This template addresses key SOC 2 control requirements with pre-mapped sections and audit-ready language.

ISO 27001

This template addresses key ISO 27001 control requirements with pre-mapped sections and audit-ready language.

HIPAA

This template addresses key HIPAA control requirements with pre-mapped sections and audit-ready language.

Specifically mapped control codes: CC2.3, CC9.2, A.15.1, A.18.1

Template Preview

# Data Processing Agreement

**Between**:

**Data Controller**: [Your Company Name] ("Controller")
**Data Processor**: [Vendor Name] ("Processor")
**Effective Date**: [Date]

---

## 1. Definitions

- **Personal Data**: Any information relating to an identified or identifiable natural person
- **Processing**: Any operation performed on personal data
- **Sub-processor**: Any third party engaged by the Processor to process personal data

## 2. Scope of Processing

| Element | Details |
|---------|---------|
| **Subject matter** | [Description of service] |
| **Duration** | Duration of the service agreement |
| **Nature of processing** | [Storage, analysis, transmission] |
| **Purpose** | [Provide the contracted service] |
| **Categories of data subjects** | [Customers, employees, end users] |
| **Types of personal data** | [Name, email, IP address, usage data] |

## 3. Processor Obligations

The Processor shall:

a) Process personal data only on documented instructions from the Controller
b) Ensure that persons authorized to process personal data are bound by confidentiality obligations
c) Implement appropriate technical and organizational security measures, including:
   - Encryption of personal data at rest and in transit
   - Access controls with multi-factor authentication
   - Regular security testing and vulnerability assessments
   - Incident response procedures
   - Data backup and recovery capabilities
d) Not engage sub-processors without prior written consent of the Controller
e) Notify the Controller of any personal data breach without undue delay (within **72 hours**)
f) Assist the Controller in responding to data subject requests
g) Delete or return all personal data upon termination of the agreement
h) Make available all information necessary to demonstrate compliance and allow audits

## 4. Sub-Processors

Current approved sub-processors:

| Sub-processor | Purpose | Location |
|--------------|---------|----------|
| [Name] | [Purpose] | [Country] |
| [Name] | [Purpose] | [Country] |

The Processor shall notify the Controller at least **30 days** before adding or replacing a sub-processor.

## 5. International Transfers

Personal data shall not be transferred outside of [EU/EEA] unless:

- An adequacy decision exists for the destination country
- Standard Contractual Clauses (SCCs) are in place
- Other appropriate safeguards per GDPR Article 46 are implemented

## 6. Data Subject Rights

The Processor shall assist the Controller in fulfilling data subject requests including:

- Right of access
- Right to rectification
- Right to erasure
- Right to data portability
- Right to restriction of processing
- Right to object

Response time: within **10 business days** of receiving the request.

## 7. Security Breach Notification

The Processor shall notify the Controller of any confirmed or suspected personal data breach within **72 hours**, including:

- Description of the breach
- Categories and approximate number of data subjects affected
- Likely consequences
- Measures taken to address the breach

## 8. Audit Rights

The Controller may audit the Processor's compliance with this DPA:

- Upon **30 days** written notice
- Maximum **once per year** (unless a breach has occurred)
- At the Controller's expense
- Processor may satisfy audit requirements by providing a current SOC 2 Type II report

## 9. Term and Termination

- This DPA is effective for the duration of the underlying service agreement
- Upon termination, the Processor shall delete all personal data within **30 days** and provide written confirmation
- The Processor may retain data where required by applicable law, with notice to the Controller

---

**Controller Signature**: ________________________
**Name & Title**: ________________________
**Date**: ________________________

**Processor Signature**: ________________________
**Name & Title**: ________________________
**Date**: ________________________

Frequently Asked Questions

What is a Data Processing Agreement (DPA) Template?

A Data Processing Agreement (DPA) Template is a formal policy document: a GDPR-compliant DPA template for vendor contracts, essential for any company processing EU personal data. It provides a structured framework for organisations to document and enforce security and compliance requirements.

Is this template free?

Yes. Proveably provides this Data Processing Agreement (DPA) Template completely free of charge. You can download it in Markdown, PDF, Word, Excel, or plain text format — no account required.

Which compliance frameworks does it cover?

This policy is mapped to SOC 2, ISO 27001, and HIPAA. It includes the specific control references and requirements needed to satisfy auditor expectations for these frameworks.

How do I use this template?

Download the template in your preferred format, then customise the bracketed placeholder sections with your organisation's specific details. Review it with your security team or compliance officer, get management approval, and distribute it to relevant staff. Proveably recommends reviewing and updating this policy at least annually.

Can I customise it?

Absolutely. This template is designed as a starting point. All sections should be tailored to your organisation's size, industry, and specific compliance requirements. The placeholder text indicates sections that require customisation.
