⚡ Promptolis Original · Legal

🔐 Data Processing Agreement (DPA) Builder — GDPR-Compliant B2B DPA

The structured Data Processing Agreement for B2B SaaS — covering GDPR Article 28 requirements, sub-processor management, data subject rights, international transfers (SCCs), breach notification, and the enterprise-customer-ready framework.

⏱️ 3 hours + attorney review · 🤖 ~2 min in Claude · 🗓️ Updated 2026-04-20

Why this is epic

B2B SaaS with EU customers must have a DPA. Most DIY DPAs have gaps. This Original produces a GDPR Article 28-compliant DPA: processor obligations, sub-processor management, SCCs, breach notification.

Names the 6 DPA gaps that fail enterprise audits (sub-processor transparency / SCC inclusion / breach timing / data return / audit rights / instruction limitations).

Produces a complete DPA framework. NOT legal advice: privacy attorney review is required for customer-facing DPAs.

The prompt

<role>
You are a privacy compliance + commercial contract specialist with 12 years of GDPR experience. You've drafted 200+ DPAs + advised on B2B data protection. NOT a lawyer — attorney review mandatory. You draw on GDPR Article 28, SCCs (2021 version), Schrems II decision, CCPA, and evolving US state privacy laws.
</role>

<principles>
1. NOT legal advice. Attorney review required.
2. DPA required by GDPR Article 28.
3. Processor acts on controller instructions only.
4. Sub-processor transparency + notice.
5. SCCs for international transfers.
6. Breach notification 72 hours (GDPR).
7. Audit rights for customer.
8. Data return/deletion on termination.
</principles>

<input>
<business-context>{SaaS product + data processed}</business-context>
<your-role>{processor/vendor OR controller/customer}</your-role>
<customer-regions>{EU, US, APAC}</customer-regions>
<data-categories>{types of data}</data-categories>
<sub-processors>{your own vendors handling data}</sub-processors>
<transfers>{data crossing borders}</transfers>
<compliance-certifications>{SOC 2, ISO 27001, etc}</compliance-certifications>
<specific-concerns>{anything specific}</specific-concerns>
</input>

<output-format>
# DPA Framework: [Business + role]
## Article 28 Required Provisions
What GDPR mandates.
## Processor Obligations
Your commitments.
## Sub-Processor Management
Transparency + notice.
## Data Subject Rights
Supporting controller.
## International Transfers + SCCs
Cross-border compliance.
## Breach Notification
Timing + content.
## Audit Rights
Customer access.
## Termination + Data Return
Closing provisions.
## Attorney Review
When + scope.
## Key Takeaways
5 bullets.
</output-format>

<auto-intake>
If input incomplete: ask for business, role, regions, data, sub-processors, transfers, certifications, concerns.
</auto-intake>

Now, structure:

Example: input → output

Here's how this prompt actually performs. Real input below, real output from Claude Opus 4.

📝 Input
<business-context>B2B SaaS, customer support platform. Customers upload their customer data (names, emails, support tickets, occasional payment details) to our platform. Handle EU customer data at scale.</business-context>
<your-role>Data processor (we're the SaaS vendor). Customers are data controllers.</your-role>
<customer-regions>US (primary), EU (France, Germany, Netherlands), UK, Canada.</customer-regions>
<data-categories>Customer identity (names, emails), customer support content (conversations, tickets), occasional billing info (for their customers).</data-categories>
<sub-processors>AWS (hosting), Stripe (billing — we process our customers' billing), Sendgrid (email), OpenAI (AI support features), Slack (internal).</sub-processors>
<transfers>Primary data in US. EU customer data flows to US servers.</transfers>
<compliance-certifications>SOC 2 Type II. Working on ISO 27001 + HITRUST.</compliance-certifications>
<specific-concerns>(1) EU customer data transfer to US post-Schrems II. (2) AI processing via OpenAI concerns. (3) Enterprise customers require strict audit rights.</specific-concerns>
🤖 Output

DPA Framework: B2B SaaS Customer Support Platform, Processor Role, EU Customers

This DPA structure produces a GDPR Article 28-compliant processor agreement for B2B SaaS with EU customers. NOT legal advice. Your situation — processor role with EU data, US-based operations, AI sub-processor (OpenAI), enterprise customer base — requires a comprehensive DPA with post-Schrems II considerations. This framework covers: processor obligations, sub-processor transparency, SCCs for transfers, breach notification, audit rights, AI-specific provisions.

Article 28 Required Provisions

GDPR Article 28 mandates DPA include:

1. Subject matter + duration of processing

2. Nature + purpose of processing

3. Type of personal data + categories of data subjects

4. Controller's obligations + rights

5. Processor acts only on documented instructions

6. Confidentiality obligations for processor employees

7. Security measures (Article 32)

8. Sub-processor rules (Article 28(2) + 28(4))

9. Assist controller with data subject rights + compliance

10. Breach notification to controller

11. Data deletion/return upon termination

12. Audit rights for controller

All 12 required. Missing any = non-compliant DPA.

Processor Obligations

Processing Only On Instructions

'Processor shall process Personal Data only on documented instructions from Controller, including with regard to international transfers, unless required by law to do otherwise.'

Confidentiality

'Processor ensures that persons authorized to process Personal Data are committed to confidentiality or under appropriate statutory obligation.'

Security Measures (Article 32)

'Processor implements appropriate technical and organizational measures to ensure security appropriate to the risk, including:

  • Encryption of Personal Data in transit + at rest
  • Ability to ensure ongoing confidentiality, integrity, availability, resilience
  • Regular testing + evaluation of effectiveness
  • Access controls + authentication
  • Employee security training
  • SOC 2 Type II certification (annually audited)
  • ISO 27001 (in progress)'

Data Protection Impact Assessment (DPIA) Support

'Upon Controller's reasonable request, Processor shall provide information necessary for DPIA + consult with supervisory authorities as required under GDPR.'

Sub-Processor Management

Current sub-processors (from your input):

| Sub-Processor | Purpose                            | Data Handled              | Location        |
|---------------|------------------------------------|---------------------------|-----------------|
| AWS           | Hosting + infrastructure           | All customer data         | US + EU regions |
| Stripe        | Payment processing                 | Billing data only         | US              |
| Sendgrid      | Email delivery                     | Email addresses + content | US              |
| OpenAI        | AI support features                | Customer support content  | US              |
| Slack         | Internal support (your team only)  | Support interaction data  | US              |

Sub-Processor Clause:

'Processor may engage sub-processors to provide services on Processor's behalf. Controller hereby grants general authorization for the sub-processors listed in Annex I, subject to the conditions below.'

Change Notification:

'Processor shall notify Controller at least thirty (30) days in advance of any intended changes concerning addition or replacement of sub-processors. Controller has the right to object on reasonable grounds. If objection is reasonable + unable to resolve, Controller may terminate affected services.'

Sub-Processor Due Diligence:

'Processor enters into written agreement with each sub-processor imposing same data protection obligations as in this DPA.'

AI Sub-Processor (OpenAI) — Specific Attention:

Given Schrems II + data sent to OpenAI in US:

  • Additional specific provisions for AI processing
  • Customer data not used to train OpenAI models (confirm + document)
  • Data processing agreement with OpenAI in place
  • Specific data flow documentation
  • Right to opt out of AI features (for customers concerned)

Data Subject Rights

Supporting Controller with data subject requests:

Response Support:

'Processor shall assist Controller in responding to data subject requests (access, rectification, erasure, portability, objection, restriction) within timelines required by GDPR.'

Technical Assistance:

'Processor provides technical means for Controller to locate + export Personal Data in structured, commonly-used format (CSV, JSON).'

Data Subject Direct Requests:

'If Processor receives direct request from data subject, Processor shall promptly notify Controller without responding substantively (unless legally required).'

Response Timelines:
  • Processor response to Controller: within 10 business days
  • Complex requests: with written justification for additional time

International Transfers + SCCs (Critical Post-Schrems II)

EU customer data transferred to US servers = International Transfer.

Standard Contractual Clauses (2021 Commission Decision 2021/914):

'Where Processor transfers Personal Data outside European Economic Area (EEA), Processor implements Standard Contractual Clauses (SCCs) per EU Commission Implementing Decision (EU) 2021/914, Module [Two — Controller to Processor] / [Three — Processor to Sub-Processor].'

Supplementary Measures (post-Schrems II):

'In addition to SCCs, Processor implements:

  • End-to-end encryption in transit + at rest
  • Access restrictions (Processor employees only access on need-to-know basis)
  • Transparency reports (government requests received)
  • Legal challenge of government access requests where appropriate
  • Technical measures preventing access to encryption keys by unauthorized parties'

UK International Data Transfer Agreement (IDTA):

'For UK customer data, Processor shall execute UK International Data Transfer Agreement or International Data Transfer Addendum to the EU SCCs.'

Transfer Risk Assessment:

'Processor has conducted Transfer Risk Assessment (TRA) and determined legal framework of destination country + Processor's measures provide essentially equivalent protection. TRA documentation available to Controller upon request.'

Breach Notification

GDPR Article 33 (to supervisory authority): within 72 hours.

Article 33 + 34 (to data subjects if high risk): without undue delay.

Processor to Controller Notification:

'Processor shall notify Controller without undue delay upon becoming aware of Personal Data Breach, and in any case within forty-eight (48) hours.'

Notification Contents:

'Notification shall include (insofar as information is available):

  • Nature of the breach
  • Categories + approximate number of data subjects + records affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Name + contact details of Data Protection Officer or other contact point'

Investigation Support:

'Processor shall cooperate with Controller's investigation, provide evidence + documentation, and take mitigation steps as requested.'

Internal breach response:

  • 24/7 security operations center
  • Incident response plan tested quarterly
  • Legal counsel engagement
  • Regulatory notification support

Audit Rights

Balance: customer's audit rights vs. processor's operational reality.

Annual Audit Right:

'Controller, or independent auditor mandated by Controller, shall have right to audit Processor's compliance with this DPA and applicable data protection law, subject to reasonable written notice (minimum thirty (30) days) and during business hours.'

Frequency:
  • Once per year routine
  • Additionally after security incidents
  • At Controller's expense (unless breach discovered)

Scope Limitations:

'Audits shall:

  • Not disrupt Processor's business operations unreasonably
  • Exclude other customers' data
  • Require confidentiality obligations from auditor'

Alternative: Compliance Evidence

'In lieu of physical audit, Processor may provide:

  • SOC 2 Type II audit report (annually)
  • ISO 27001 certification evidence
  • Penetration testing reports (sanitized)
  • Policies + procedures documentation'

Most enterprise customers accept SOC 2 reports in lieu of physical audits.

Termination + Data Return

On Termination:

'Upon termination of services, Processor shall at Controller's choice:

(a) Return all Personal Data to Controller in commonly-used format within thirty (30) days

(b) Delete all Personal Data including backups within ninety (90) days

Processor shall certify deletion in writing.'

Transition Assistance:

'Processor provides reasonable transition assistance at standard service rates for up to 90 days post-termination.'

Exception — Legal Retention:

'Processor may retain Personal Data to extent + duration required by law, in which case Processor shall protect + maintain confidentiality of such data + destroy when legal retention period expires.'

Attorney Review Triggers

Mandatory review:

1. First customer-facing DPA — set foundation

2. Changes to sub-processors (e.g., adding OpenAI)

3. SCC updates when EU Commission updates standard clauses

4. Enterprise customer-specific negotiations — large customers negotiate heavily

5. Multi-jurisdiction considerations — EU + UK + US + potentially APAC

6. Breach response — immediate attorney engagement required

Estimated cost: $3,000-8,000 for comprehensive DPA drafting + initial attorney review.

Annual review: $1,000-2,000 for ongoing compliance check.

Worth it given: GDPR fines up to 4% of global revenue. Enterprise deals often gated on DPA quality.

Key Takeaways

  • Article 28 requires 12 specific provisions in DPA. Your DPA must cover all 12 — subject matter, duration, nature, purpose, data types, instructions, confidentiality, security, sub-processors, data subject rights, breaches, deletion/return.
  • Sub-processor transparency is non-negotiable. List all sub-processors (AWS, Stripe, Sendgrid, OpenAI, Slack) with purposes + locations. 30-day advance notice for changes. Controller objection rights.
  • AI processing via OpenAI needs specific provisions post-Schrems II. Data not used for training, SCCs in place, supplementary technical measures, transparency on government requests. Customers will scrutinize.
  • SCCs for EU→US transfers mandatory. 2021 Commission Decision 2021/914. Supplementary measures (encryption, access controls, transparency) required post-Schrems II. Document Transfer Risk Assessment.
  • Attorney review mandatory. $3-8K for initial DPA + $1-2K annual review. Alternative: use well-respected DPA template from privacy attorney, customize for your situation. NOT DIY from templates without review.

Common use cases

  • B2B SaaS companies serving EU customers
  • Companies requesting DPA from their vendors
  • Enterprise sales requiring DPA
  • Post-GDPR compliance updates
  • SOC 2 + ISO 27001 supporting documentation

Best AI model for this

Claude Opus 4 or Sonnet 4.5. DPA drafting requires GDPR + commercial + technical understanding. Top-tier reasoning matters. NOT legal advice.

Pro tips

  • Not legal advice. Privacy attorney review mandatory.
  • DPA required by GDPR Article 28 for B2B with EU data.
  • Processor (you) acts only on controller (customer) instructions.
  • Sub-processor changes need advance notice (usually 30 days).
  • SCCs (Standard Contractual Clauses) needed for EU→non-EU data.
  • Breach notification 72 hours typical (per GDPR Article 33).
  • Audit rights: customer can audit, typically 1/year.
  • Data return/deletion on termination: 30-90 days standard.

Customization tips

  • Most enterprise customers have their own DPA template. Be willing to negotiate. Know your red lines (liability caps, sub-processor flexibility).
  • Keep sub-processor list updated + publicly available (web page). Transparency builds trust + reduces friction.
  • Offer 'Controller-Controlled AI' option. Some enterprise customers opt out of AI features to avoid OpenAI concerns.
  • Test breach notification process annually. Tabletop exercises ensure 48-hour commitment is achievable.
  • Publish Data Processing Annex + Standard Contractual Clauses + Security Measures as web pages. Enterprise customer's legal team can reference without lengthy negotiation.

Variants

Processor DPA (You)

You're the SaaS vendor providing DPA to customers.

Controller Requesting DPA

You're enterprise customer requesting DPA from vendor.

Sub-Processor Agreement

DPA with your own sub-processors.

Global B2B

Multi-jurisdiction data considerations.

Frequently asked questions

How do I use the Data Processing Agreement (DPA) Builder — GDPR-Compliant B2B DPA prompt?

Open the prompt page, click 'Copy prompt', paste it into ChatGPT, Claude, or Gemini, and replace the placeholders in curly braces with your real input. The prompt is also launchable directly in each model with one click.

Which AI model works best with Data Processing Agreement (DPA) Builder — GDPR-Compliant B2B DPA?

Claude Opus 4 or Sonnet 4.5. DPA drafting requires GDPR + commercial + technical understanding. Top-tier reasoning matters. NOT legal advice.

Can I customize the Data Processing Agreement (DPA) Builder — GDPR-Compliant B2B DPA prompt for my use case?

Yes — every Promptolis Original is designed to be customized. Key levers: not legal advice, privacy attorney review mandatory; DPA required by GDPR Article 28 for B2B with EU data.
