
Data Processing Agreements: What They Mean in Practice

Every SaaS tool that touches customer data should have a DPA with you. Most don't—until you ask.

Last updated: March 20, 2026

You signed up for Mailchimp to send newsletters. You clicked "I agree" on the terms of service. You uploaded your customer list.

You just processed personal data through a third party. Under GDPR, CCPA, and most state privacy laws, that third party is now a "data processor" and you are the "data controller"—and you need a written agreement governing that relationship.

You almost certainly don't have one.

What this solves (in real business terms)

A Data Processing Agreement (DPA) is the contract that says:

  • What data the processor can access
  • What they can do with it
  • How they must protect it
  • What happens if they get breached
  • Who is liable when things go wrong

Without a DPA, you're trusting vendors with your customers' data on a click-through terms of service that lawyers wrote to protect the vendor, not you.

What can go wrong

The Mailchimp incident. In 2022, Mailchimp had a breach. Customers whose data was processed through Mailchimp were exposed. Some of those customers' businesses were then spear-phished using information from the breach. The businesses affected had no recourse because they had no DPA establishing Mailchimp's security obligations or liability.

GDPR enforcement. Ireland's Data Protection Commission fined Meta $1.2 billion for transferring European user data to the US without adequate legal safeguards. Smaller businesses get fined too—the average GDPR fine for small businesses is $35,000–$350,000 depending on the violation.

Liability without a paper trail. If a vendor mishandles your customer data and you end up in litigation, your lawyer will ask: "Did you have a DPA with them?" If the answer is no, you have additional liability exposure because you failed to exercise basic due diligence over vendors who handled sensitive data.

CCPA contractual requirements. California's privacy law requires businesses to have written contracts with vendors who sell or share consumer data. No contract = no legal defense.

What it costs (honest ranges)

| Option | What you'll pay |
|--------|-----------------|
| GDPR-era DPA template (iubenda, Termly) | $100–$500/year |
| Lawyer-drafted DPA template | $1,000–$3,000 (one-time) |
| Custom DPA for complex vendor relationships | $3,000–$10,000 |
| Full vendor DPA audit + negotiation | $5,000–$20,000 |

For most SMBs: start with templates, get legal review for high-risk vendors.

Minimum viable implementation

  1. Audit your vendors. List every tool that touches customer data: email service providers, payment processors, CRM systems, analytics tools, cloud storage, support software.

  2. Check if they have a DPA. Go to any reputable SaaS vendor's website and search for "DPA" or "data processing agreement." Enterprise vendors have them. Most SMB-focused vendors have one too, though it is often buried.

  3. Sign it. If they have a DPA, sign it. Many vendors have DPAs that are automatically effective when you accept their terms, but some require a separate signature.

  4. Request it if they don't offer one. Email their support: "We require a Data Processing Agreement before uploading customer data to your platform. Can you provide one?" If they say no, find a different vendor.

  5. Negotiate the key terms. Focus on:

    • Security obligations (what standard must they meet?)
    • Breach notification (how quickly must they tell you?)
    • Liability caps (what's their maximum exposure?)
    • Data deletion (what happens when you leave?)

  6. Maintain the paper trail. Store signed DPAs with your vendor contracts.

Vendor questions (copy/paste)

Ask every vendor before you upload customer data:

  1. "Do you have a standard DPA, or does this fall under your terms of service?"

  2. "What security standards do you meet? SOC 2 Type II? ISO 27001? Can you provide your audit report?"

  3. "In the event of a breach involving our data, what's your notification timeline and what information will you provide?"

  4. "What happens to our data if we close our account? Do you delete it, and within what timeframe?"

  5. "Are you subprocessing our data? If so, can we get a list of your subprocessors and their security certifications?"

  6. "What happens if your company is acquired? Does our data transfer to the acquirer, and what notice will we get?"

When to hire help

Hire a lawyer if:

  • You have vendors in multiple countries (GDPR cross-border transfers require specific legal mechanisms)
  • You're processing health data (HIPAA adds specific requirements to DPAs)
  • You're a government contractor (FAR/DFARS clauses required)
  • You're sharing data with vendors in countries without adequate data protection laws (China, Russia, etc.)
  • You've had a breach and are now trying to prove your vendor was negligent
