Vendor Data Processing Agreements: What SMBs Need to Know

Modern businesses rely on a network of third-party vendors and service providers to operate: cloud storage platforms, payroll processors, customer relationship management tools, email marketing services, analytics platforms, e-commerce infrastructure, and many others. In nearly every case, these vendors have access to your business’s data — including data about your customers. Most business owners understand at some level that this creates legal obligations, but the specifics of those obligations — and the documents required to satisfy them — are less well understood. The data processing agreement, or DPA, is one of those documents.

What Is a Data Processing Agreement?

A data processing agreement is a written contract that governs the relationship between a business and a vendor when the vendor processes personal data on the business’s behalf. In the privacy law framework, the business is the controller — the entity that determines the purposes and means of processing the personal data. The vendor is the processor — an entity that processes personal data on behalf of and under the instructions of the controller. The DPA establishes the terms under which the processor may handle the controller’s data.

DPAs are required by law in multiple regulatory frameworks. Article 28 of the GDPR is perhaps the most well-known: it requires that processing by a processor be governed by a binding contract that imposes specified obligations on the processor and sets out the subject matter, duration, nature, and purpose of the processing, the type of personal data and categories of data subjects involved, and the obligations and rights of the controller. Similar requirements exist under California’s CCPA and CPRA, which require service provider agreements, and under Virginia’s Consumer Data Protection Act, Colorado’s Privacy Act, and other state privacy laws, each of which requires contracts with processors that include specified terms.

Which Vendor Relationships Require a DPA?

The DPA requirement applies when a vendor is processing personal data on your behalf. The practical test is whether the vendor accesses, stores, or uses your customers’ or employees’ personal data in the course of providing services to you. If the answer is yes, the relationship likely requires a DPA.

Common vendor relationships that require DPAs include cloud storage providers that host customer data, payroll processors that handle employee personal and financial information, customer relationship management systems that store customer contact information and transaction history, email marketing platforms that process subscriber lists and engagement data, customer support software that stores communications and account information, analytics and tracking tools that process user behavior data, background check providers that process applicant personal information, and HR software platforms that handle employee records.

Not every vendor relationship requires a DPA. If a vendor provides services that do not involve accessing personal data — a janitorial service, an office supply vendor, a courier service — a DPA is not required. The analysis depends on whether the specific service involves the vendor processing personal data on your behalf.

Core Requirements of a GDPR-Compliant DPA

The GDPR’s Article 28 requirements are specific. The DPA must specify that the processor processes personal data only on documented instructions from the controller. It must require that all persons authorized to process the data are bound by a duty of confidentiality. It must require the processor to implement appropriate technical and organizational security measures. It must require the processor to assist the controller in meeting its obligations regarding data subject rights — access, correction, deletion, portability, and objection. It must require the processor to assist the controller with security, breach notification, impact assessments, and prior consultation obligations. It must require the processor to delete or return all personal data at the end of the services, at the controller’s choice. And it must provide the controller with the ability to audit and inspect the processor’s compliance.

The DPA must also address subprocessing. The GDPR requires that processors obtain specific or general prior written authorization from the controller before engaging a subprocessor. If the processor uses a subprocessor, it must impose on that subprocessor the same data protection obligations as those imposed on the processor by the DPA. Major cloud platforms typically operate with general authorization for subprocessing, providing the controller with notice of any new subprocessors and an opportunity to object.

CCPA and State Privacy Law Requirements

California’s CCPA and CPRA require businesses to have a written service provider agreement with any vendor that processes personal information on their behalf. The agreement must prohibit the service provider from selling the personal information, using or disclosing it outside the direct business relationship, or retaining, using, or disclosing it for any purpose other than the specific purpose of performing the services specified in the agreement. The agreement must also prohibit the service provider from combining the personal information it receives with personal information it receives from other sources.

Critically, a business cannot simply label a vendor a service provider — the vendor must actually be contractually bound to use the data only for the specified purposes. If a vendor uses your customers’ data for its own commercial purposes, analytics, or marketing, it may be a third party rather than a service provider under California law, and sharing data with a third party for commercial purposes may constitute a sale of personal information, triggering consumer opt-out rights. Auditing vendor data use practices and ensuring they are accurately reflected in your agreements is an important part of CCPA compliance.

Evaluating Vendor DPA Practices

Major cloud vendors and software-as-a-service providers typically offer standard DPAs that customers can accept online or execute as part of the onboarding process. These standard DPAs are generally designed to satisfy the legal requirements of major privacy frameworks, but they are written to protect the vendor’s operational flexibility rather than to maximize the customer’s protection. Before accepting a standard DPA, businesses should review it to understand what security measures the vendor commits to implement, whether the DPA includes a commitment to assist with breach notification within the required timeframe, how subprocessors are managed and what notice the vendor provides, what happens to data at the end of the relationship, and whether the audit rights are meaningful or largely illusory.

For high-stakes vendor relationships — vendors that process large volumes of sensitive personal data, vendors with access to financial or health information, vendors whose systems are deeply integrated with your core operations — it may be worth negotiating a customized DPA rather than accepting the vendor’s standard terms. Larger vendors with enterprise sales teams are often willing to negotiate DPA terms for significant customers.

International Data Transfers

For businesses subject to the GDPR — either because they are established in the EU or because they process the personal data of EU residents — data transfers to vendors outside the European Economic Area require additional protections. The standard mechanism for transfers to vendors in the United States is the use of Standard Contractual Clauses, which are contractual terms approved by the European Commission that provide adequate data protection safeguards. The SCCs are incorporated into or attached to the DPA.

For transfers to vendors in the United States specifically, the EU-US Data Privacy Framework provides an alternative mechanism: it covers transfers to US organizations that self-certify their compliance with the Framework’s requirements. Many major US cloud providers have self-certified under the Framework, which allows EU businesses to transfer data to them without separate SCCs. US businesses receiving EU personal data from EU customers or partners should understand which transfer mechanism (SCCs or the Framework) covers their situation and ensure their DPAs reflect the applicable mechanism.

Building a Vendor Management Program

For small and medium-sized businesses, managing DPAs across a large vendor portfolio can feel overwhelming, but a basic vendor management program does not need to be complex. Start by inventorying your vendors and identifying which ones process personal data on your behalf. For each vendor in that category, verify whether a DPA is in place and whether it meets the requirements of the privacy laws applicable to your business. For vendors without a compliant DPA, either execute the vendor’s standard DPA or negotiate one. Document the results and update the inventory when new vendors are added or when existing vendor relationships change in ways that affect data processing.

The absence of a DPA with a vendor that is processing personal data on your behalf is itself a privacy law violation under the GDPR and most state privacy laws. Beyond the regulatory risk, operating without a DPA leaves your business without contractual protections that are important if a vendor has a data breach, misuses your customers’ data, or fails to honor deletion or access requests from your customers. Getting DPAs in place across your vendor relationships is a foundational step in any privacy compliance program.