Skip to main content
Glossary

Data Processing Agreement (DPA)

A legally binding contract between a data controller and a data processor that governs how personal data is handled. Required under GDPR whenever you share personal data with a third party that processes it on your behalf.

Why it matters

Without a DPA, transferring personal data to a vendor is a GDPR violation, full stop. A DPA defines processing purposes, security measures, sub-processor rules, data subject rights obligations, and breach notification timelines. It is the legal mechanism that extends your data protection obligations to every party in your processing chain. Regulators check for DPAs during investigations, and their absence is a common finding in enforcement actions.

In practice

Every vendor that touches personal data on your behalf needs a signed DPA. This includes cloud providers, analytics tools, email services, and payroll processors. Managing DPAs means tracking which vendors have them, when they expire, whether sub-processor lists are current, and whether the agreed security measures match reality. In vucavoid, third-party records track DPA status alongside risk and reliability scores, ensuring contractual coverage stays visible across your entire vendor portfolio.

Related terms

Third-Party Risk Management

Identifying, assessing, and controlling risks introduced by external vendors and service providers.

Regulatory Compliance

Adhering to laws and government-mandated requirements. Unlike voluntary frameworks, this is not optional.

Cookie Use on Our Site

To ensure the smooth functioning of our website, we use a limited number of cookies. These cookies are essential for providing you with the services available on our website and to use some of its features. Here is a brief overview:
  • vucavoid_session: This cookie is essential for user authentication. It ensures that your session is secure and recognizes you as you navigate through our site.
  • XSRF-TOKEN: This cookie is critical for website security. It helps protect against cross-site request forgery attacks.
  • latest_marketing_banner_visible_{MARKETING_BANNER_ID}: This cookie simply remembers if you have seen our latest site banner, enhancing your browsing experience without tracking your personal data.

These cookies are strictly necessary to deliver the website, and therefore, we do not require your consent to place these cookies. For more information, please visit our Privacy Policy.