Data Processing Agreement (DPA) Template for SaaS: Free GDPR-Compliant Template 2025

Free, ready-to-use Data Processing Agreement template for SaaS companies. Includes standard contractual clauses, sub-processor requirements, and GDPR Article 28 compliance.

intermediate
18 min read
January 31, 2025
dpa data processing agreement gdpr saas compliance templates article 28

Every SaaS company that handles customer data needs a Data Processing Agreement (DPA). Whether you’re the one providing SaaS services or using third-party tools, DPAs are legally required under GDPR Article 28. This guide provides a complete, free DPA template you can customize for your business, along with explanations of each clause and when you need one.

What is a Data Processing Agreement?

A Data Processing Agreement is a legally binding contract between a data controller (typically your customer) and a data processor (typically you, the SaaS provider). It defines how personal data will be handled, what security measures are in place, and what happens when things go wrong.

Under GDPR Article 28, whenever a controller engages a processor to handle personal data on its behalf, a written contract must be in place. This isn't optional: a missing or deficient Article 28 contract is an infringement under Article 83(4), which carries administrative fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher (the €20 million / 4% tier in Article 83(5) is reserved for other infringements, such as breaches of the basic processing principles or of data subject rights).

Controller vs Processor: Which Are You?

You’re a Data Controller when:

  • You decide why and how personal data is processed
  • You determine what data to collect
  • You’re directly accountable to data subjects (your users)

You’re a Data Processor when:

  • You process data on behalf of another company
  • You follow their instructions about data handling
  • Your customers’ customers’ data flows through your system

Most SaaS companies are both:

  • Controller for their own user/employee data
  • Processor when handling their customers’ data

When Do You Need a DPA?

You need a DPA in place when:

Scenario | Example | DPA required?
Customer uses your SaaS | User uploads contacts to your CRM | Yes, you're the processor
You use a third-party tool | You use Stripe for payments | Yes, for the data you send them. Check the vendor's own DPA for the role it takes: payment processors such as Stripe act as independent controllers for parts of the payment flow and as your processor for the rest
You use analytics | Google Analytics tracks your users | Yes, they're your processor
You use email services | SendGrid sends transactional emails | Yes, they're your processor
Internal employee data | Your own self-hosted HR system | No, internal processing. A hosted HR SaaS, by contrast, is your processor and needs a DPA

Free Data Processing Agreement Template

Below is a complete, GDPR-compliant DPA template. Copy it, customize the bracketed sections, and use it with your customers or vendors.


DATA PROCESSING AGREEMENT

Between:

[COMPANY NAME] (“Controller”) [Address] [Country]

And:

[YOUR COMPANY NAME] (“Processor”) [Address] [Country]

Effective Date: [DATE]


1. DEFINITIONS

1.1 “Personal Data” means any information relating to an identified or identifiable natural person as defined in Article 4(1) GDPR.

1.2 “Processing” means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.

1.3 “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.

1.4 “Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

1.5 “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

1.6 “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council.

1.7 “Services” means [DESCRIBE YOUR SAAS SERVICE].


2. SCOPE AND PURPOSE OF PROCESSING

2.1 Nature of Processing: The Processor shall process Personal Data solely for the purpose of providing the Services as described in the main service agreement between the parties.

2.2 Types of Personal Data: The Personal Data processed under this Agreement includes:

  • [Contact information (name, email, phone)]
  • [Account credentials]
  • [Usage data and analytics]
  • [Payment information]
  • [Any other categories specific to your service]

2.3 Categories of Data Subjects: The Data Subjects include:

  • [Controller’s customers]
  • [Controller’s employees]
  • [Controller’s business contacts]
  • [Any other categories specific to your service]

2.4 Duration: Processing shall continue for the duration of the Services agreement, unless terminated earlier in accordance with this Agreement.


3. PROCESSOR OBLIGATIONS

3.1 Instructions: The Processor shall:

  • Process Personal Data only on documented instructions from the Controller
  • Immediately inform the Controller if an instruction infringes GDPR or other data protection law
  • Not process Personal Data for any purpose other than providing the Services

3.2 Confidentiality: The Processor shall ensure that persons authorized to process Personal Data:

  • Have committed to confidentiality or are under an appropriate statutory obligation of confidentiality
  • Process Personal Data only on instructions from the Controller

3.3 Security Measures: The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of Personal Data in transit and at rest
  • Ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems
  • Ability to restore availability and access to Personal Data in a timely manner following an incident
  • Regular testing and evaluation of security measures

3.4 Sub-processing: The Processor shall:

  • Not engage another processor without prior specific or general written authorization from the Controller
  • Where general authorization is given, inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller opportunity to object
  • Ensure any sub-processor is bound by the same data protection obligations as set out in this Agreement
  • Remain fully liable for the performance of sub-processor obligations

3.5 Data Subject Rights: The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under GDPR, including:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)

3.6 Data Breach Notification: The Processor shall:

  • Notify the Controller without undue delay, and in any event within [48] hours, after becoming aware of a Data Breach
  • Provide sufficient information to enable the Controller to meet its obligations under Articles 33 and 34 GDPR
  • Assist the Controller in investigating, mitigating, and remediating the Data Breach

3.7 Data Protection Impact Assessments: The Processor shall assist the Controller with data protection impact assessments and prior consultations with supervisory authorities where required.

3.8 Audit Rights: The Processor shall:

  • Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR
  • Allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller
  • Provide audit reports from recognized third-party auditors (e.g., SOC 2, ISO 27001) as an alternative to on-site audits where appropriate

4. CONTROLLER OBLIGATIONS

4.1 The Controller warrants that:

  • It has a lawful basis for processing the Personal Data
  • It has provided appropriate notices to Data Subjects
  • It has obtained any necessary consents
  • Its instructions to the Processor comply with applicable data protection law

4.2 The Controller shall:

  • Provide the Processor with all information necessary for the Processor to perform its obligations
  • Respond promptly to any queries from the Processor regarding processing instructions

5. INTERNATIONAL DATA TRANSFERS

5.1 The Processor shall not transfer Personal Data to any country outside the European Economic Area (EEA) unless:

  • The destination country has an adequacy decision from the European Commission; or
  • Appropriate safeguards are in place as specified in Article 46 GDPR; or
  • A derogation under Article 49 GDPR applies

5.2 Where transfers are made to sub-processors outside the EEA, the Processor shall ensure that the European Commission's 2021 Standard Contractual Clauses (Module Three, processor to processor) or equivalent safeguards are in place, supported by a transfer impact assessment of the destination country.

5.3 Current transfer mechanisms in use: [List any non-EEA countries where data is processed and the safeguards in place]


6. SUB-PROCESSORS

6.1 The Controller provides [general/specific] authorization for the Processor to engage sub-processors.

6.2 Current sub-processors: The Processor currently uses the following sub-processors:

Sub-processor | Purpose | Location | Safeguards
[AWS/GCP/Azure] | Cloud hosting | [Location] | [SCCs/Adequacy]
[Stripe] | Payment processing | [Location] | [SCCs/Adequacy]
[SendGrid] | Email delivery | [Location] | [SCCs/Adequacy]
[Add others] | [Purpose] | [Location] | [Safeguards]

6.3 The Processor shall maintain an up-to-date list of sub-processors at [URL] and notify the Controller of any changes [30] days before engaging a new sub-processor.

6.4 The Controller may object to a new sub-processor within [15] days of notification. If a reasonable objection cannot be resolved, either party may terminate the affected Services.


7. DATA RETENTION AND DELETION

7.1 Upon termination of the Services or upon request from the Controller, the Processor shall:

  • Return all Personal Data to the Controller in a commonly used, machine-readable format; or
  • Delete all Personal Data and certify such deletion in writing

7.2 The Processor may retain Personal Data only where required by applicable law, and shall inform the Controller of such requirement.

7.3 Retention period: Personal Data shall be retained for the duration of the Services agreement plus [30/60/90] days, unless otherwise instructed by the Controller. Copies held in backups shall be deleted or overwritten within [the backup rotation period] thereafter and shall not be restored to production systems.


8. LIABILITY AND INDEMNIFICATION

8.1 Each party shall be liable for damages caused by processing that infringes GDPR or this Agreement, in accordance with Article 82 GDPR.

8.2 The Processor shall indemnify the Controller against any claims, damages, or losses arising from the Processor’s breach of this Agreement or GDPR.

8.3 The total liability of the Processor under this Agreement shall not exceed [amount or reference to main agreement limits].


9. TERM AND TERMINATION

9.1 This Agreement shall remain in effect for the duration of the Services agreement between the parties.

9.2 Either party may terminate this Agreement:

  • Upon termination of the Services agreement
  • Upon material breach by the other party that remains uncured for [30] days after written notice
  • If required to do so by applicable law or regulatory order

9.3 Sections 7 (Data Retention and Deletion), 8 (Liability), and any provisions that by their nature should survive, shall survive termination.


10. GENERAL PROVISIONS

10.1 Governing Law: This Agreement shall be governed by the laws of [Country/State].

10.2 Dispute Resolution: Any disputes shall be resolved through [arbitration/courts of Country/State].

10.3 Amendments: This Agreement may only be amended in writing signed by both parties.

10.4 Entire Agreement: This Agreement constitutes the entire agreement between the parties regarding data processing and supersedes all prior agreements on this subject.

10.5 Severability: If any provision is found invalid, the remaining provisions shall continue in full force.


SIGNATURES

Controller:

Name: ________________________ Title: ________________________ Date: ________________________ Signature: ____________________

Processor:

Name: ________________________ Title: ________________________ Date: ________________________ Signature: ____________________


How to Customize This Template

Step 1: Identify Your Role

First, determine whether you’re the controller or processor in the relationship:

  • If customers use your SaaS → You’re the processor, your customer signs as controller
  • If you’re using a vendor → You’re the controller, the vendor signs as processor

Step 2: Define the Processing Details

Section 2 requires specific information about your processing:

Types of Personal Data: List exactly what data flows through your system:

  • Contact info (name, email, phone)
  • Account data (username, password hashes)
  • Usage data (logs, analytics)
  • Content data (files, messages, whatever users upload)
  • Payment data (if applicable)

Categories of Data Subjects: Who does the data belong to?

  • Your customer’s customers
  • Your customer’s employees
  • End users of your platform

Step 3: Document Your Sub-processors

Section 6 requires transparency about third-party services. Common SaaS sub-processors include:

Category | Common providers
Cloud hosting | AWS, Google Cloud, Azure, DigitalOcean
Database | MongoDB Atlas, Supabase, PlanetScale
Email | SendGrid, Mailgun, Postmark, AWS SES
Payments | Stripe, PayPal, Paddle
Analytics | Mixpanel, Amplitude, PostHog
Error tracking | Sentry, Bugsnag, LogRocket
Customer support | Intercom, Zendesk, Crisp

Step 4: Set Transfer Safeguards

If any sub-processors are outside the EEA:

  • US companies: Check whether the vendor is certified under the EU-US Data Privacy Framework, which is covered by the Commission's 2023 adequacy decision. If not, you need SCCs
  • Other countries: Check the Commission's list of adequacy decisions (for example Switzerland, Japan and South Korea). Where no adequacy decision applies, you need the 2021 Standard Contractual Clauses (SCCs) plus a transfer impact assessment
  • UK: Covered by the EU's adequacy decision for the United Kingdom

Step 5: Customize Security Measures

Section 3.3 should describe the controls you actually run and can evidence, not aspirational ones; a customer exercising the audit rights in section 3.8 can check every claim:

  • Encryption: TLS 1.3 in transit, AES-256 at rest
  • Access controls: Role-based access, MFA
  • Monitoring: Logging, intrusion detection
  • Backups: Frequency, retention, testing

Common DPA Mistakes to Avoid

Mistake 1: Using a Generic Template Without Customization

Problem: Copy-pasting a template without filling in specifics leaves gaps that regulators will notice.

Fix: Complete every bracketed section. If something doesn’t apply, explicitly state “Not applicable” rather than deleting it.

Mistake 2: Not Listing All Sub-processors

Problem: Forgetting about that analytics tool or error tracker you added months ago.

Fix: Audit every third-party service that touches user data:

  • Check your package.json (runtime dependencies, not build tooling) for SaaS SDKs
  • Review the key names in your environment variables and secrets store for vendor API keys
  • Review your DNS records (SPF include: entries and CNAMEs reveal email, support and hosting vendors) and your front-end for third-party scripts

Mistake 3: Promising Unrealistic Response Times

Problem: Committing to 24-hour breach notification when you don't have 24/7 monitoring or an on-call rota.

Fix: Set timelines you can actually meet. 24 to 48 hours is common for processor-to-controller notification. Keep it well inside 72 hours: Article 33(2) requires the processor to notify the controller "without undue delay", and the controller's own 72-hour deadline to the supervisory authority under Article 33(1) runs from the moment it becomes aware, which is usually the moment you tell it.

Mistake 4: Missing the Signature

Problem: Article 28(9) requires the contract to be in writing, including in electronic form. An email thread or an unsigned PDF on a shared drive may satisfy "written", but you will struggle to prove in an audit that both parties accepted that exact version.

Fix: Use an electronic signature service (DocuSign, PandaDoc) or a click-through acceptance that logs who accepted which version and when. Keep copies.

Mistake 5: Not Updating When Things Change

Problem: Your DPA lists 3 sub-processors but you now use 15.

Fix: Set a quarterly reminder to review and update sub-processor lists. Notify customers of changes.
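The sub-processor audit described under Mistake 2 and the quarterly review under Mistake 5 can be scripted. The following Python script is an added example for this guide, not code from the original template or from GDPR.Direct: it inventories vendors from three signals (runtime dependencies in package.json, key names in a .env file, and the include: entries of the domain's SPF record) and reports every vendor that the DPA's section 6.2 does not yet declare. The vendor maps are a small illustrative assumption, not a catalogue, and all inputs are constructed inline so it runs offline; it reads only the names of environment variables, never their values, so it is safe to run against a real secrets file.

```python
"""Draft a sub-processor inventory from the traces a SaaS codebase leaves behind.

Added example for this guide (not part of the original DPA template).
Signals used: runtime npm dependencies, environment-variable key names, and
SPF include: mechanisms. The maps below are an illustrative assumption.
"""
import json
import re

# Illustrative vendor maps (assumption): signal -> (vendor, purpose).
NPM_PACKAGES = {
    "stripe": ("Stripe", "Payment processing"),
    "@sendgrid/mail": ("SendGrid", "Email delivery"),
    "@sentry/node": ("Sentry", "Error tracking"),
    "mixpanel": ("Mixpanel", "Analytics"),
    "posthog-node": ("PostHog", "Analytics"),
    "aws-sdk": ("AWS", "Cloud hosting"),
}
ENV_PREFIXES = {
    "STRIPE_": ("Stripe", "Payment processing"),
    "SENDGRID_": ("SendGrid", "Email delivery"),
    "SENTRY_": ("Sentry", "Error tracking"),
    "INTERCOM_": ("Intercom", "Customer support"),
}
SPF_INCLUDES = {
    "sendgrid.net": ("SendGrid", "Email delivery"),
    "_spf.google.com": ("Google Workspace", "Email delivery"),
    "amazonses.com": ("AWS SES", "Email delivery"),
}

# Constructed inputs for the example (not real project files).
PACKAGE_JSON = json.dumps({
    "name": "acme-crm",
    "dependencies": {"express": "^4.19.0", "stripe": "^14.0.0",
                     "@sentry/node": "^7.0.0", "mixpanel": "^0.18.0"},
    "devDependencies": {"jest": "^29.0.0"},
})
ENV_SAMPLE = """# constructed .env; values are placeholders
DATABASE_URL=postgres://db.internal/acme
STRIPE_SECRET_KEY=sk_test_placeholder
SENDGRID_API_KEY=SG.placeholder
INTERCOM_ACCESS_TOKEN=placeholder
"""
SPF_RECORD = "v=spf1 include:sendgrid.net include:_spf.google.com ~all"
# Vendors currently declared in DPA section 6.2 (constructed).
DECLARED_IN_DPA = {"AWS", "Stripe", "SendGrid"}

# Only the key name is captured; the value (the secret) is never read.
ENV_LINE = re.compile(r"^\s*([A-Z][A-Z0-9_]*)\s*=")


def vendors_from_package_json(text: str) -> dict:
    """Vendors behind runtime dependencies. devDependencies are ignored:
    build tooling normally never touches personal data."""
    deps = json.loads(text).get("dependencies", {})
    return {NPM_PACKAGES[n][0]: NPM_PACKAGES[n][1] for n in deps if n in NPM_PACKAGES}


def vendors_from_env(text: str) -> dict:
    """Vendors inferred from environment-variable key names (values untouched)."""
    found = {}
    for line in text.splitlines():
        match = ENV_LINE.match(line)
        if not match:
            continue  # blank lines and comments
        for prefix, (vendor, purpose) in ENV_PREFIXES.items():
            if match.group(1).startswith(prefix):
                found[vendor] = purpose
    return found


def vendors_from_spf(record: str) -> dict:
    """Every SPF include: names a third party allowed to send mail as your domain."""
    found = {}
    for domain in re.findall(r"include:(\S+)", record):
        if domain in SPF_INCLUDES:
            vendor, purpose = SPF_INCLUDES[domain]
            found[vendor] = purpose
    return found


def build_inventory(package_json: str, env_text: str, spf_record: str) -> dict:
    """Union of all signals: vendor -> purpose."""
    inventory = {}
    inventory.update(vendors_from_package_json(package_json))
    inventory.update(vendors_from_env(env_text))
    inventory.update(vendors_from_spf(spf_record))
    return inventory


def undeclared_vendors(inventory: dict, declared: set) -> list:
    """Vendors in use that the DPA's sub-processor list does not mention."""
    return sorted(v for v in inventory if v not in declared)


if __name__ == "__main__":
    inv = build_inventory(PACKAGE_JSON, ENV_SAMPLE, SPF_RECORD)
    for vendor, purpose in sorted(inv.items()):
        print(f"{vendor:<18} {purpose}")
    missing = undeclared_vendors(inv, DECLARED_IN_DPA)
    print("Not in DPA section 6.2:", ", ".join(missing) or "none")
```

Run it from the repository root after pointing the three inputs at the real package.json, the key names of your secrets store, and the output of a TXT lookup on your sending domain; anything it lists as undeclared either needs an entry in section 6.2 and a customer notification under section 6.3, or needs removing from the stack. Treat the output as a starting point: vendors reached through a hosted database, a CDN, or a browser-side tag manager leave none of these three traces and still have to be inventoried by hand.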

When Your Customer Requests Their DPA

Enterprise customers will often send you their DPA instead of accepting yours. Here’s how to handle it:

Review Checklist

  1. Liability caps: Ensure they’re reasonable and match your insurance coverage
  2. Audit rights: On-site audits are expensive; offer SOC 2/ISO 27001 reports as alternatives
  3. Breach notification timing: Ensure you can meet the deadline
  4. Indemnification: Avoid unlimited indemnification; cap it
  5. Sub-processor approval: General authorization is easier than specific approval per vendor

Red Flags to Push Back On

  • Unlimited liability: Your liability should be capped, typically to fees paid
  • Immediate breach notification: 24 hours or less is often unrealistic
  • Mandatory on-site audits: Offer third-party audit reports instead
  • Prohibition on all sub-processors: This is impractical for any SaaS

Negotiation Template Response

“Thank you for sending your DPA. We’ve reviewed it and would like to discuss a few points:

  1. Section X leaves liability [unlimited]. We propose capping it at [12 months of fees paid], consistent with our insurance coverage.

  2. Section Y requires 24-hour breach notification. Our incident response process can reliably achieve 48-hour notification, and we can commit to that timeline.

  3. Section Z requires annual on-site audits. We hold a current SOC 2 Type II report and can provide the most recent copy under NDA. We propose this as an equivalent alternative.

We’re happy to discuss these points at your convenience.”

Automate DPA Generation with GDPR.Direct

Creating and managing DPAs manually is time-consuming, especially as you scale. GDPR.Direct automates the entire process:

Instant DPA Generation

Answer a few questions about your data processing, and GDPR.Direct generates a complete, customized DPA ready for signature.

Sub-processor Registry

Maintain a single source of truth for all your sub-processors. GDPR.Direct automatically notifies customers when you add or change vendors.

Version Control

Track every version of your DPA and which customers have signed which version. Essential for compliance audits.

Customer Self-Service

Give enterprise customers a portal to view your DPA, sub-processor list, and security documentation without back-and-forth emails.

Get Started Free

Generate your first DPA in minutes at app.gdpr.direct. No credit card required.

Summary

A Data Processing Agreement is a legal requirement for any SaaS company handling customer data. Use the template above as a starting point, customize it for your specific processing activities, and keep it updated as your stack evolves.

Key takeaways:

  • Every processor relationship needs a DPA—both when you’re the processor and when you use third-party services
  • Be specific about data types, purposes, and sub-processors
  • Set realistic commitments you can actually meet
  • Keep it updated as your infrastructure changes

For growing SaaS companies, automating DPA management with a tool like GDPR.Direct saves time and reduces compliance risk. Focus on building your product while we handle the paperwork.
