Compliance & AI Governance

What is Data Processing Agreement (DPA)?

The contract that binds a vendor processing personal data on your behalf - required under GDPR.

Talk to usFree to start - no card required.

Data Processing Agreement (DPA): definition

When you use a vendor that processes personal data for you - a payroll provider, an email tool, a cloud service - GDPR requires a DPA governing that relationship. The DPA defines the scope and purpose of processing, the obligations of the processor, security requirements, the use of sub-processors, data-subject rights support, breach notification, and what happens to data at the end of the contract. It allocates responsibility and is a key artifact in vendor due diligence.

  • Required under GDPR between controller and processor
  • Defines scope, purpose, and duration of processing
  • Sets security obligations, sub-processor rules, and breach notification
  • Covers data-subject rights support and data return or deletion at end

How Fintra handles it

Fintra AI governance can track your vendors, their DPAs, and the sub-processors they rely on, so the data-processing relationships behind your business are documented rather than scattered across signed PDFs. DPA status and renewal are visible as part of vendor risk management, supporting GDPR accountability. The DPA itself is a legal contract to be reviewed with counsel.

  • Vendors, their DPAs, and sub-processors tracked in one place
  • DPA status and renewals visible in vendor risk management
  • Supports GDPR accountability and due-diligence evidence

Worked example

Frequently asked questions

When is a DPA required?

Under GDPR, whenever a processor handles personal data on behalf of a controller. In practice this means most vendor relationships involving personal data - payroll, CRM, email, cloud hosting - need a DPA in place before processing begins.

What is the difference between a controller and a processor?

The controller determines why and how personal data is processed; the processor handles the data on the controller instructions. A business is usually the controller of its employee and customer data, and its vendors are processors. The DPA governs the processor obligations.

What must a DPA include?

Under GDPR, it must cover the scope, nature, and purpose of processing, the types of data and data subjects, security measures, sub-processor rules, assistance with data-subject rights and breach notification, and the return or deletion of data at the end of the contract.

Who signs the DPA?

Both the controller and the processor, as a binding contract. It is often provided as a standard addendum by the vendor and reviewed by the customer legal team. Tracking which vendors have executed DPAs is part of vendor risk management, which Fintra supports.

Stay in the loop

One practical finance briefing a week - new guides, checklists, and benchmarks.

 

See how Fintra handles the numbers behind this term

Fintra is the AI Finance Operating System for SMBs - accounting, planning, payroll, equity, and AI governance on one shared data model, with a named human approving anything consequential. Free to start, no card required.

Talk to us