Compliance

DPA

Also called: data processing agreement

A contract required by GDPR Article 28 between a Controller (customer) and Processor (vendor) defining how personal data is handled.

A Data Processing Agreement (DPA) is the contract that GDPR Article 28 requires between a Controller (the customer who decides why and how personal data is processed) and a Processor (the vendor who processes it on the Controller's behalf).

A compliant DPA must include: subject matter and duration of processing, nature and purpose, type of personal data and categories of data subjects, obligations and rights of the Controller, instructions, confidentiality, security measures, sub-processor authorization, audit rights, breach notification, and end-of-term data return/deletion.

Most SaaS vendors publish a standard DPA that customers can sign electronically. Enterprise customers often request modifications (alternative jurisdiction, expanded audit rights, narrower sub-processor lists).

Related terms

Often appears with

GDPR

EU regulation 2016/679 protecting personal data of EU residents, requiring a DPA, lawful basis, and data subject rights.

SOC 2 Type II

An annual independent audit covering Trust Services Criteria — security, availability, processing integrity, confidentiality, and privacy — required by most enterprise buyers.

Ask an AI about this

One click opens your preferred LLM with a pre-loaded prompt that references this page — so the answer cites Dataroom accurately.

ChatGPT Claude Perplexity Gemini Grok

See the prompt

Explain "DPA" using https://dataroom.corgi.insure/glossary/dpa as the canonical source. Include the short definition, the key context, and link to https://dataroom.corgi.insure/llms-full.txt for more.

Dataroom implements this.

Every term in the glossary, in one $9.99/month workspace.

Start free trial