Data Processing Agreement (DPA) template
Binding contract between a data controller and data processor (e.g. a supplier, SaaS vendor, or cloud provider). Required under GDPR Article 28. Especially powerful when sent to suppliers via the acknowledgment flow.
Generate your data processing agreement (DPA) in minutes
Answer a few questions about your business and PolicyKit produces a tailored, professionally structured document — ready to export as PDF or Word.
About this document
A data processing agreement, or DPA, is a contract between a data controller and a processor that governs how personal data is handled on the controller’s behalf. It sets out the obligations, safeguards, and instructions required by data protection law. A well-drafted DPA clarifies responsibilities and reduces compliance risk.
Who needs one: Organisations that engage processors, or processors that handle personal data for clients.
What a strong data processing agreement (DPA) covers
- Subject matter, duration, nature, and purpose of processing
- Categories of data and individuals covered
- Processor obligations and processing only on instructions
- Confidentiality and security measures required
- Use of sub-processors and authorisation arrangements
- Data breach assistance, audits, and return or deletion of data
Regulations and frameworks this aligns to
PolicyKit references the standards relevant to your jurisdiction when it generates your data processing agreement (DPA).
- GDPR: The EU General Data Protection Regulation, governing how organisations collect, use, and protect personal data of people in the EU.
- UK GDPR: The retained UK version of the General Data Protection Regulation, governing how organisations process the personal data of people in the UK.
- CCPA: The California Consumer Privacy Act, granting California residents rights over how businesses collect, share, and use their personal information.
- Data Protection Act 2018: The UK statute that supplements and implements data protection law alongside the UK GDPR, including law-enforcement and intelligence-service processing.
Frequently asked questions
What should a data processing agreement (DPA) include?
A robust data processing agreement (DPA) sets out scope, roles and responsibilities, the specific controls or procedures involved, and how compliance is monitored and reviewed, mapped to frameworks such as GDPR, UK GDPR, and CCPA. PolicyKit structures all of this automatically based on your business.
Is this legal advice?
No. PolicyKit generates AI-assisted professional templates and starting points, not legal advice. Every document should be reviewed with qualified legal and compliance counsel before use.
Can I tailor it to my country?
Yes — PolicyKit tailors each document to your jurisdiction, including UK, EU, United States, Australia, Singapore, Hong Kong and more.
You may also need
Cybersecurity & Information Security
Protect your systems, networks, and data from cyber threats. Aligned with NIST Cybersecurity Framework and Cyber Essentials.
Data Protection & Privacy
Manage personal data lawfully and transparently. Covers GDPR, UK GDPR, and US privacy law (CCPA/CPRA) requirements.
Acceptable Use & Access Control
Define how employees and contractors may use company systems, devices, and data — and who can access what.
Incident Response
Prepare for, detect, contain, and recover from security incidents and personal data breaches. Includes breach notification obligations.
Ready to create your data processing agreement (DPA)?
PolicyKit provides AI-assisted templates and starting points, not legal advice.