Data Processing Addendum (DPA) — What to Include
If your business handles personal data on behalf of customers — processing it, storing it, or transferring it — a Data Processing Addendum (DPA) is how you define those responsibilities in writing. It's required under major privacy laws, expected by enterprise customers, and increasingly a baseline expectation across the B2B market.
What Is a Data Processing Addendum?
A Data Processing Addendum is a contract between a data controller (your customer, who determines the purpose and means of processing) and a data processor (your business, which processes data on their behalf). It defines what data is being processed, for what purpose, under what security requirements, and how each party's legal obligations are satisfied.
DPAs are required by law under the GDPR, the CCPA/CPRA, and an increasing number of U.S. state privacy laws — and are standard commercial practice for any SaaS or technology business that touches customer data.
When Do You Need One?
You need a DPA when:
- Enterprise or institutional customers ask for one before signing your main contract (increasingly standard for any B2B software deal)
- You process personal data on behalf of customers under GDPR, CCPA/CPRA, or other applicable privacy laws
- You operate in a regulated industry — healthcare, financial services, education — where data handling obligations are heightened
- You want to formalize privacy commitments with any customer or vendor who handles personal data for your business
A DPA is not just a compliance checkbox — it's a signal of operational maturity that customers use to evaluate vendors.
What Should a Data Processing Addendum Include?
1. Definitions
Define key terms: personal data, processing, data subject, controller, processor, and applicable law. Alignment on definitions prevents disputes about scope.
2. Subject Matter and Purpose of Processing
Describe the categories of personal data being processed and the specific business purpose for which processing occurs. This should be consistent with your main service agreement.
3. Nature of Processing
Specify what types of processing you perform — collection, storage, analysis, transfer, deletion — and the categories of data subjects affected.
4. Processor Obligations
Define your obligations as a data processor: processing only on documented instructions from the controller, implementing appropriate security measures, assisting with data subject requests, and notifying the controller of data breaches.
5. Security Measures
Describe the technical and organizational security measures you have in place — encryption standards, access controls, audit logging, incident response procedures. Be specific enough to be meaningful, but not so specific that routine operational changes (a new cipher suite, a different logging tool) put you in breach of the contract.
6. Sub-Processors
Identify any third-party sub-processors you engage to help process customer data (cloud infrastructure providers, analytics tools, etc.) and your obligations for ensuring their compliance.
7. Data Subject Rights
Address how you will assist customers in responding to data subject requests — access, deletion, portability, correction — within the timeframes required by applicable law.
8. Data Breach Notification
Define your obligation to notify the customer of a data breach — typically within 72 hours under GDPR — and the minimum content of that notification.
9. Data Retention and Deletion
Specify how long you retain customer data and your obligations to delete or return it at the end of the contract.
10. International Data Transfers
If data transfers cross international borders, address the legal mechanism for those transfers — Standard Contractual Clauses (SCCs), adequacy decisions, or other approved frameworks.
11. Audit Rights
Grant the customer the right to audit your compliance with the DPA, or to review third-party audit reports as a proxy.
Common Mistakes Founders Make
Using a DPA that doesn't reflect actual data flows. If your DPA says you process only certain categories of data but your product actually processes more, you're out of compliance on the face of the document.
Ignoring sub-processor requirements. Under GDPR, you need customer consent or a mechanism for notifying customers when you change sub-processors. Many businesses skip this and face issues during enterprise diligence.
Generic security language. Vague security commitments ("industry standard encryption") are harder to defend than specific ones. Know what you're committing to.
Not updating the DPA when the product changes. DPAs should evolve with your product. If you add a new data processing feature, review whether your DPA still accurately reflects your obligations.
Why This Matters for Founders
Privacy compliance is no longer a large-company problem. Small and mid-size B2B software companies are routinely asked to sign DPAs before enterprise deals close. Having a well-drafted DPA ready — one you've actually read and can stand behind — moves deals faster and signals that your company takes customer data seriously.
Get a Lawyer-Drafted Document Without the Lawyer Bill
Data Processing Addendums drafted by attorneys typically cost $1,500–$3,500 depending on complexity and applicable jurisdictions. TalkingTree gives you the same quality without the invoice.
TalkingTree's Data Processing Addendum template was built by experienced business attorneys and is available through the Contract Studio. Customize it to your data flows, fill it out, and send it for signature — all in one platform.
- Business membership ($59.99/mo): Full access to the Contract Studio and a library of 100+ attorney-drafted templates, plus limited e-signature included. One document alone covers the cost of your first month.
- Enterprise membership ($149.99/mo): Everything in Business, plus unlimited e-signature — built for founders and teams managing a high volume of documents.
TalkingTree is a 501(c)(3) nonprofit. Your membership is tax-deductible, and every dollar supports making professional legal tools accessible to entrepreneurs who need them most.
Get started with TalkingTree and get access to attorney-drafted contracts, a built-in signing workflow, and legal tools designed to help your business operate with confidence.
This page is for informational purposes only and does not constitute legal advice. For advice specific to your situation, consult a licensed attorney.