What is a DPA (Data Processing Agreement)?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

A Data Processing Agreement (DPA) is a contract between you (the data controller) and your service providers (the processors) that says: here's exactly how you're allowed to handle our subscriber data. Without it, you're technically violating GDPR even if everything else about your email program looks compliant.

Here's why you need it: You're storing subscriber data somewhere (your ESP, your CRM, your analytics platform). Those vendors touch that data on your behalf. GDPR says you must have a written agreement that spells out what they can and can't do with it. No agreement? No protection. You're personally liable if they mess up.

A compliant DPA covers specific things. It describes what data they're processing, how long they're processing it, and what they're doing with it. It locks in their obligations around security, confidentiality, and how they handle data breaches. It spells out your right to audit them and verify they're following the rules. It covers what happens if they want to use subprocessors (vendors working below them). And it says what happens to your data when the contract ends. Most major ESPs and SaaS providers now offer standardized DPAs you can execute online, though you should glance through them to make sure they fit your actual setup.

DPAs aren't just legal theater. They're practical. When (not if) something goes wrong with a vendor, the DPA tells you who's responsible for notifying affected subscribers, who pays for remediation, and where the liability sits. It's your contractual safety net.

Start here: Ask your ESP, CRM, and any other vendor touching subscriber data for their DPA. If they don't have one, that's a red flag. If they do, skim it for three things. One, confirm it covers all the data you're actually sending them. Two, check that it mentions GDPR compliance specifically (not just "applicable laws"). Three, verify it spells out your right to audit. Once you've got signed DPAs in place with all your vendors, you can confidently move to the next item on your compliance checklist.

Related reading: what GDPR requires of you and the key GDPR requirements for email.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Audit your vendor DPAs for gaps.

I want to audit my DPAs with my vendors to make sure I'm compliant. Here's my situation: [Share: What vendors touch my subscriber data? Do I already have DPAs with them? Am I EU-based or do I have EU subscribers? What data do they actually access?] Based on my answers, help me: (1) Identify which vendors actually need DPAs, (2) Spot any vendors I'm missing, (3) Tell me what to check in existing DPAs, (4) Walk me through how to ask for one if a vendor doesn't have it.

Edit the yellow boxes, then send to the AI of your choice.