DPA stands for Data Processing Agreement; in Dutch, Verwerkersovereenkomst. It is the contract required by Article 28 of the GDPR (the AVG in Dutch law) between a controller (the organisation deciding why personal data is collected) and a processor (the vendor doing the processing on its behalf).
If you use any SaaS tool that touches your customers' personal data, you are the controller, the vendor is the processor, and you need a signed DPA. This is not a paperwork formality. It is legally required, and supervisory authorities ask for it during investigations.
What a DPA contains
A complete DPA covers nine things, mandated by Article 28: the subject matter and duration of the processing; its nature and purpose; the types of personal data and the categories of data subjects; the obligations and rights of the controller; the processor's commitment to confidentiality, to security measures, and to engaging sub-processors only with the controller's authorisation; the processor's obligation to assist with data subject rights and breach notifications; return or deletion of the data at the end of the contract; and audit rights for the controller.
Most vendors offer a standard DPA. You sign it as part of accepting their terms or as a separate document. Larger customers sometimes negotiate clauses, especially around audit rights and sub-processor disclosure.
Why you should actually read it
A DPA is short by legal standards, usually four to eight pages. Skim for three things specifically. First, the security measures annex, sometimes called Annex II or TOMs (Technical and Organisational Measures), describing what the vendor actually does to keep data safe. Second, the sub-processor list, either embedded or referenced as a maintained webpage. Third, the data residency statement, telling you which countries data may be processed in.
If any of those three is vague, generic, or refers to a sub-processor list that does not exist, that is a problem.
DPA and AI
When the vendor uses AI, the DPA should be explicit about whether customer data is used for training. The clearest answer is "no", written into the contract. "We do not use customer data to train our models" should appear somewhere. If it does not, the absence is meaningful.
In Keloa
In Keloa, the DPA is published on our legal page in both English and Dutch (Verwerkersovereenkomst). It includes the security measures, the sub-processor list, the data residency commitment, and an explicit no-training clause. See security for context.