Free DPA template for GDPR and data protection compliance. Covers data categories, processing purposes, security measures, sub-processors, breach notification, and data subject rights.
This Data Processing Agreement ("DPA") supplements the [Master Service Agreement / Contract] dated [Date] between [Data Controller Name] ("Controller") and [Data Processor Name] ("Processor"). "Personal Data" means any information relating to an identified or identifiable natural person. "Processing" means any operation performed on Personal Data. This DPA governs the Processor's processing of Personal Data on behalf of the Controller.
The Processor shall process the following categories of Personal Data: [names, email addresses, phone numbers, payment information, usage data, IP addresses, etc.]. Data subjects include: [customers, employees, website visitors, etc.]. The purpose of processing is: [providing the services under the main agreement, analytics, customer support, etc.]. The Processor shall not process Personal Data for any purpose other than those specified or as instructed by the Controller.
The Processor shall implement appropriate technical and organizational measures to protect Personal Data, including: (a) encryption of data in transit (TLS 1.2+) and at rest (AES-256); (b) access controls and authentication (role-based access, MFA); (c) regular security testing and vulnerability assessments; (d) employee security training; (e) physical security of data centers; (f) business continuity and disaster recovery procedures; (g) logging and monitoring of access to Personal Data.
The Processor shall not engage sub-processors without the Controller's prior written authorization. The Controller hereby authorizes the sub-processors listed in Annex B. The Processor shall notify the Controller at least [30] days before adding or replacing a sub-processor. The Controller may object within [14] days. The Processor shall ensure sub-processors are bound by data protection obligations no less protective than those in this DPA.
The Processor shall notify the Controller of any Personal Data breach without undue delay and in any event within [72] hours of becoming aware. The notification shall include: (a) nature of the breach; (b) categories and approximate number of affected data subjects; (c) likely consequences; (d) measures taken or proposed to mitigate. The Processor shall cooperate with the Controller in investigating the breach and fulfilling regulatory notification obligations.
The Processor shall assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) within [10] business days. Upon termination of the main agreement, the Processor shall, at the Controller's choice, return or securely delete all Personal Data within [30] days and certify deletion in writing. The Processor shall not retain Personal Data except as required by law.
Signature — Party A
Signature — Party B
Disclaimer: This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction. Consult a qualified legal professional before using this document for any binding agreement. ContractClaw Sign is not a law firm and does not provide legal services.