PolicyKitGet started
All templates

Data Processing Agreement (DPA) template

Binding contract between a data controller and data processor (e.g. a supplier, SaaS vendor, or cloud provider). Required under GDPR Article 28. Especially powerful when sent to suppliers via the acknowledgment flow.

gdpruk-gdprccpadpa-2018

Generate your data processing agreement (dpa) in minutes

Answer a few questions about your business and PolicyKit produces a tailored, professionally structured document — ready to export as PDF or Word.

Generate free

About this document

A data processing agreement, or DPA, is a contract between a data controller and a processor that governs how personal data is handled on the controller’s behalf. It sets out the obligations, safeguards, and instructions required by data protection law. A well-drafted DPA clarifies responsibilities and reduces compliance risk.

Who needs one: Organisations that engage processors, or processors that handle personal data for clients.

What a strong data processing agreement (dpa) covers

  • Subject matter, duration, nature, and purpose of processing
  • Categories of data and individuals covered
  • Processor obligations and processing only on instructions
  • Confidentiality and security measures required
  • Use of sub-processors and authorisation arrangements
  • Data breach assistance, audits, and return or deletion of data

Regulations and frameworks this aligns to

PolicyKit references the standards relevant to your jurisdiction when it generates your data processing agreement (dpa).

GDPR
The EU General Data Protection Regulation, governing how organisations collect, use, and protect personal data of people in the EU.
UK GDPR
The retained UK version of the General Data Protection Regulation, governing how organisations process the personal data of people in the UK.
CCPA
The California Consumer Privacy Act, granting California residents rights over how businesses collect, share, and use their personal information.
Data Protection Act 2018
The UK statute that supplements and implements data protection law alongside the UK GDPR, including law-enforcement and intelligence-service processing.

Frequently asked questions

What should a data processing agreement (dpa) include?

A robust data processing agreement (dpa) sets out scope, roles and responsibilities, the specific controls or procedures involved, and how compliance is monitored and reviewed, mapped to frameworks like gdpr, uk-gdpr, ccpa. PolicyKit structures all of this automatically based on your business.

Is this legal advice?

No. PolicyKit generates AI-assisted professional templates and starting points, not legal advice. Every document should be reviewed with qualified legal and compliance counsel before use.

Can I tailor it to my country?

Yes — PolicyKit tailors each document to your jurisdiction, including UK, EU, United States, Australia, Singapore, Hong Kong and more.

Ready to create your data processing agreement (dpa)?

Start free

PolicyKit provides AI-assisted templates and starting points, not legal advice.