A Data Processing Agreement (DPA) is a contract between your business and a vendor who handles personal data on your behalf. Several US state privacy laws require them. Here is what they cover, when you need one, and how to get them in place.
The Basic Concept
When you use a third-party service — an email platform, a CRM, a cloud storage provider, a payment processor — and that service handles personal data about your customers or employees, your business is the "controller" and the vendor is the "processor." A Data Processing Agreement governs that relationship.
The DPA defines what data the vendor can access, what they can do with it, how they must protect it, and what happens if something goes wrong. Without one, you have a business relationship but no privacy guardrails.
Key distinction: A DPA is not the same as a vendor's general Terms of Service or Privacy Policy. Those govern their relationship with their own customers. A DPA governs their relationship with your data specifically.
When Do You Need One?
You need a DPA when all three of these are true:
- You share personal data with a vendor
- The vendor processes that data on your behalf (not for their own purposes)
- A privacy law that applies to you requires it
CCPA/CPRA, Virginia's VCDPA, Colorado's CPA, and most other active state privacy laws require DPAs with service providers. If you are subject to any of these laws, assume you need DPAs with vendors who touch your customer or employee data.
What a DPA Must Include
Under most US state privacy laws, a DPA between a controller (you) and a processor (your vendor) must require the processor to:
- Process personal data only on your documented instructions
- Ensure that people with access to the data are bound by confidentiality obligations
- Delete or return personal data at the end of the contract
- Make available information necessary to demonstrate compliance
- Assist you in meeting your consumer rights obligations — deletion requests, access requests, etc.
- Notify you promptly of any data breach
- Not engage sub-processors without your authorization
How to Get DPAs With Your Vendors
Most major vendors already have standard DPAs available. Here is how to find them:
- Google Workspace / Google Analytics: Available in your account settings under Privacy & Security
- HubSpot: Available in their Data Processing Agreement page, executed through your account
- Mailchimp / Intuit: Available in their legal documentation, executed on request
- Salesforce: Available through their trust portal
- Stripe: Included in standard terms for businesses in applicable regions
For smaller or custom vendors, you may need to provide your own DPA template for them to sign. A privacy professional can provide a standard template appropriate for your situation.
What About Sub-Processors?
Your vendors use vendors too. These are called sub-processors. Reputable vendors maintain a public list of their sub-processors and notify you when those change. Under most state privacy laws, your vendor cannot engage new sub-processors that handle your data without giving you an opportunity to object.
When reviewing a vendor DPA, check their sub-processor list. If any of those sub-processors are in countries with weaker data protection laws, make sure the DPA addresses how that data is protected.