Data Processing Agreement Review

DPA review.
Article 28 compliance before you sign.

GDPR Article 28 mandates a DPA with every processor that handles EU personal data. Most vendor DPAs are designed to protect the vendor, not you. Kontractually reviews DPAs against Article 28 requirements and flags gaps before you agree to them.

No credit card required. First 3 reviews free.

Before vs. after

What changes when you review DPAs before signing.

Before

You sign a SaaS vendor's standard DPA without review. Months later, you discover the vendor engages 14 sub-processors across 6 countries - and the DPA only requires 'general authorisation' with no obligation to notify you of changes. A sub-processor in a non-adequate jurisdiction suffers a breach involving your customer data.

With Kontractually

Kontractually flags the sub-processor clause as non-compliant with GDPR Article 28(2). The DPA allows general authorisation but lacks the mechanism Article 28(2) requires for it: the processor must inform you of intended additions or replacements of sub-processors and give you the opportunity to object. You negotiate specific authorisation or, at minimum, a 30-day prior notification right with a right to object before signing.

Sub-processor risk identified before contract execution
Before

Your vendor's DPA says data will be 'deleted in accordance with our standard retention policy' on termination. You ask for the retention policy and learn they keep data for 3 years after contract end 'for legal compliance purposes.' Your customers expected deletion within 30 days.

With Kontractually

Kontractually flags the vague deletion clause and the absence of a specific deletion timeframe as Article 28(3)(g) gaps. Article 28(3)(g) permits the processor to retain copies only where Union or Member State law requires storage, so a DPA that cites 'legal compliance' must name the legal basis and limit retention to the data and period that basis actually requires. You negotiate a 30-day deletion window with written certification, matching what you promised your own customers in your privacy policy.

Data deletion obligations aligned with customer promises
Before

A vendor's DPA describes security measures as 'industry-standard encryption and access controls.' Article 28(3)(c) requires the DPA to oblige the processor to take all measures required under GDPR Article 32, and a phrase this generic gives you nothing to verify or enforce. When a breach occurs, you can't demonstrate that appropriate technical measures were contractually required because the DPA was too vague.

With Kontractually

Kontractually flags the generic security language and recommends that the DPA specify encryption standards (AES-256 at rest, TLS 1.2+ in transit), access control mechanisms, vulnerability management cadence, and incident response procedures, so that the processor's Article 32 obligations are concrete enough to audit and enforce. Article 32 does not prescribe particular algorithms; the point of naming them in the DPA is to turn 'appropriate measures' into a testable commitment.

Security obligations made specific and enforceable
DPA checklist

6 Article 28 requirements to check in every DPA.

1
GDPR Article 28 mandatory terms
GDPR Article 28(3) specifies what a DPA must contain: processing only on documented instructions, confidentiality obligations, Article 32 security measures, sub-processor authorisation requirements, assistance with data subject rights, assistance with the controller's own security, breach notification and impact assessment obligations (Articles 32 to 36), deletion or return of data, and information and audit rights. A DPA missing any of these is non-compliant.
2
Processing purpose and instructions
The DPA must specify the subject matter, duration, nature, and purpose of processing, and the type of personal data and categories of data subjects. Processing outside the documented instructions is a breach of the DPA, and under Article 28(10) a processor that determines its own purposes and means becomes a controller for that processing, with the liability that carries. Broad, vague purpose descriptions are a red flag.
3
Sub-processor authorisation
The processor must not engage sub-processors without prior written authorisation. The DPA must specify whether authorisation is specific (named sub-processors) or general (category approval with notification rights). Under general authorisation, the controller must be informed of intended changes to sub-processors and given the opportunity to object. Under Article 28(4), the processor must flow the same data protection obligations down to each sub-processor by contract and remains fully liable to the controller for the sub-processor's performance.
4
Security measures specification
The DPA must oblige the processor to take 'appropriate technical and organisational measures' under GDPR Article 32 (Article 28(3)(c)). Vague language ('industry standard security') is insufficient because it cannot be verified or enforced. Specific measures should be listed: encryption at rest and in transit, access controls, vulnerability management, and incident response procedures.
5
Breach notification timeframe
Under Article 33(2), the processor must notify the controller of a personal data breach 'without undue delay' after becoming aware of it; the GDPR sets no fixed deadline for processors. The 72-hour clock in Article 33(1) runs against the controller, from the moment the controller becomes aware, so a DPA that gives the processor 72 hours leaves the controller no time to meet its own obligation. The DPA should specify a short hard deadline (commonly 24 to 48 hours) and the minimum information to be included, at least the categories and approximate numbers of data subjects and records, the likely consequences, and the measures taken, which is what the controller must in turn report under Article 33(3).
6
Data return and deletion
On termination, the processor must either return or delete all personal data as instructed, and delete existing copies unless Union or Member State law requires storage. The DPA must specify the process, timeframe, and confirmation mechanism. Many DPAs are silent on deletion timeframes or allow the processor to retain data for their own purposes after termination, which Article 28(3)(g) does not permit.
FAQ

DPA questions.

More questions? Email us.

Under GDPR Article 28, a DPA is required whenever you share personal data with a third-party processor - any company that processes personal data on your behalf. This includes: cloud storage providers (AWS, Azure, Google Cloud), SaaS tools that access your data (CRM, email marketing, analytics), HR systems that hold employee data, and professional services that process client data. If you have EU customers or EU employees, your vendor relationships likely require DPAs. Kontractually reviews DPAs against Article 28 requirements.

A data controller determines the purposes and means of processing personal data. A data processor processes personal data on behalf of the controller. Example: your business (controller) uses a payroll software provider (processor) to process employee data. The processor must only process data as instructed by the controller, and must have a DPA in place. Many SaaS vendors operate as processors for your data and should provide a standard DPA. Kontractually checks that the DPA covers Article 28 requirements before you agree to it.

If you are an Australian business processing EU personal data, both frameworks apply. GDPR Article 28 mandates specific contractual terms for processor relationships. The Australian Privacy Act does not require a formal DPA, but APP 8 (cross-border disclosure) requires you to take reasonable steps to ensure overseas recipients handle personal information consistently with the APPs. In practice, a GDPR-compliant DPA satisfies most APP 8 requirements because GDPR imposes stricter obligations. However, you should also ensure the DPA addresses Australian-specific data categories (such as tax file numbers, which have separate protections under the Privacy Act) if relevant.

GDPR Article 28(3)(h) requires the processor to make available all information necessary to demonstrate compliance and allow for audits conducted by the controller or a mandated auditor. A compliant DPA should specify: the controller's right to conduct audits (or appoint a third-party auditor), reasonable notice periods for audits, the processor's obligation to cooperate and provide access, and how audit costs are allocated. Many vendor DPAs limit audit rights to reviewing SOC 2 reports or certifications, which may not fully satisfy Article 28. Kontractually flags DPAs where audit rights are restricted or absent.

Using a processor without a compliant DPA is itself a GDPR violation. Under Article 83(4), this can result in administrative fines of up to 10 million EUR or 2% of annual worldwide turnover, whichever is higher. Beyond fines, a non-compliant DPA creates practical risk: if the processor suffers a data breach, you may lack the contractual mechanisms to compel timely notification, access audit records, or enforce deletion. The OAIC similarly expects that Australian organisations have adequate contractual protections with data handlers under APP 11. Kontractually identifies specific Article 28 gaps so you can negotiate fixes before signing.

Review every DPA against Article 28 before you sign.

Start free trial