Free Data Processing Agreement (DPA) Template
A DPA is required under GDPR when a company shares personal data with a service provider.
Template
Copy this markdown, replace the {{variables}}, and send via API.
# Data Processing Agreement
**Controller:** {{controllerName}}
**Processor:** {{processorName}}
**Date:** {{date}}
## 1. Subject Matter
{{processingDescription}}
## 2. Data Categories
{{dataCategories}}
## 3. Data Subjects
{{dataSubjects}}
## 4. Processor Obligations
- Process data only on documented instructions
- Ensure confidentiality
- Implement appropriate security measures
- Assist with data subject rights requests
- Delete data upon termination
## 5. Sub-Processors
{{subProcessorTerms}}
## 6. International Transfers
{{transferMechanisms}}
## 7. Breach Notification
Notify Controller within 72 hours of becoming aware of a data breach.
Send for e-signature
curl -X POST https://signb.ee/api/send \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "content": "YOUR_RENDERED_MARKDOWN",
    "senderName": "Your Name",
    "senderEmail": "you@company.com",
    "recipientName": "Recipient",
    "recipientEmail": "recipient@email.com"
  }'
What happens next
- Signbee converts the markdown to a professional PDF
- Recipient gets an email with a signing link
- Both parties sign with an animated handwriting signature
- Both receive the signed PDF with a SHA-256 certificate
All signatures are legally binding under the ESIGN Act, eIDAS, and ECA.
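The steps above (fill in the {{variables}}, then POST the rendered markdown with the JSON fields from the curl command) as a small added example script. This is not Signbee's own client code; it assumes only the endpoint, Bearer header and field names shown in the curl command above. The placeholder scan that refuses to send a contract with unfilled variables, and reading the API key from the hypothetical environment variable SIGNBEE_API_KEY instead of hardcoding it, are this example's own choices.

```python
"""Render the DPA markdown template and hand it to the e-signature API.

Added example, not Signbee's client library. It assumes the endpoint,
JSON fields and Bearer header shown in the page's curl command; the
placeholder check and the environment-variable key handling are this
example's own choices.
"""
import json
import os
import re
import urllib.request

PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")

# Abbreviated copy of the page's template; the full template has sections 1-7.
DPA_TEMPLATE = """# Data Processing Agreement
**Controller:** {{controllerName}}
**Processor:** {{processorName}}
**Date:** {{date}}
## 5. Sub-Processors
{{subProcessorTerms}}
## 7. Breach Notification
Notify Controller within 72 hours of becoming aware of a data breach.
"""


def find_placeholders(text):
    """Return the distinct {{variable}} names still present in text."""
    return sorted(set(PLACEHOLDER.findall(text)))


def render_template(template, values):
    """Substitute {{variables}}; refuse to produce a contract with gaps.

    Raising here is the important check: a DPA sent with "{{subProcessorTerms}}"
    still in it is not an agreement anyone should be asked to sign.
    """
    missing = [name for name in find_placeholders(template) if name not in values]
    if missing:
        raise ValueError("unfilled template variables: " + ", ".join(missing))
    return PLACEHOLDER.sub(lambda m: str(values[m.group(1)]), template)


def build_payload(rendered, sender_name, sender_email, recipient_name, recipient_email):
    """Build the JSON body in the shape the page's curl command sends."""
    if find_placeholders(rendered):
        raise ValueError("rendered content still contains placeholders")
    return {
        "content": rendered,
        "senderName": sender_name,
        "senderEmail": sender_email,
        "recipientName": recipient_name,
        "recipientEmail": recipient_email,
    }


def send_for_signature(payload, api_key, url="https://signb.ee/api/send"):
    """POST the payload with a Bearer token (network call; not exercised offline)."""
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode("utf-8"),
        headers={
            "Authorization": "Bearer " + api_key,
            "Content-Type": "application/json",
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample values; the key comes from the environment, never from source.
    values = {
        "controllerName": "Example Controller Ltd",
        "processorName": "Example Processor GmbH",
        "date": "2024-01-01",
        "subProcessorTerms": "Sub-processors require prior written authorisation.",
    }
    body = build_payload(render_template(DPA_TEMPLATE, values),
                         "Your Name", "you@company.com",
                         "Recipient", "recipient@email.com")
    key = os.environ.get("SIGNBEE_API_KEY")  # hypothetical variable name
    if key:
        print(send_for_signature(body, key))
    else:
        print(json.dumps(body, indent=2))  # dry run: show what would be sent
```

Without SIGNBEE_API_KEY set the script only prints the request body, which is a convenient way to review the rendered agreement before anything leaves your machine.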
More details
A Data Processing Agreement (DPA) is a legally mandated contract under GDPR (and similar regulations worldwide) between a data controller (the company that determines why and how personal data is processed) and a data processor (the service provider that processes data on the controller's behalf).
When is a DPA required? Every time you share personal data with a third-party service that processes it for you. Common scenarios: cloud hosting providers, email marketing platforms, payment processors, HR software, analytics tools, CRM systems, and customer support platforms. If the service touches personal data of EU residents, a DPA is mandatory regardless of where the service provider is located.
GDPR Article 28 requirements — what the DPA must contain:
1. Subject matter and duration — What data is being processed, why, and for how long.
2. Nature and purpose — The specific processing activities (storage, analysis, transmission, etc.).
3. Data categories — Types of personal data: names, email addresses, payment information, health data, biometric data, etc. Special categories (health, race, political opinions) trigger additional protections.
4. Data subjects — Whose data is being processed: customers, employees, website visitors, patients, students, etc.
5. Processor obligations — Process only on documented instructions, ensure staff confidentiality, implement appropriate technical and organisational measures, assist with data subject rights, notify breaches, delete data on termination.
6. Sub-processor management — Can the processor use sub-processors? If yes, what approval process is required (specific or general authorisation)? The processor must impose equivalent obligations on sub-processors.
7. International transfers — If data is transferred outside the EEA, what legal mechanism applies? Standard Contractual Clauses (SCCs), adequacy decisions, or Binding Corporate Rules.
8. Breach notification — The processor must notify the controller without undue delay (and within 72 hours under GDPR) upon becoming aware of a personal data breach.
Penalties for non-compliance: Under GDPR, failing to have appropriate DPAs in place can result in fines up to €10 million or 2% of global annual turnover. The controller is ultimately responsible for ensuring all processors comply.
Beyond GDPR: Similar requirements exist under CCPA (California), LGPD (Brazil), POPIA (South Africa), PDPA (Singapore), and the UK Data Protection Act 2018. If you process data globally, your DPA should address multiple regulatory frameworks.
Frequently asked questions
Is a Data Processing Agreement legally required?
Yes, under GDPR (and similar regulations globally). Any company that shares personal data with a third-party service provider must have a DPA in place. Failure to comply can result in fines up to €10 million or 2% of global annual turnover under GDPR.
Who is responsible for the DPA — the controller or the processor?
The data controller is ultimately responsible for ensuring a DPA is in place and that processors comply with its terms. However, processors also have direct obligations under GDPR and can be fined independently for non-compliance.
Can a DPA be signed electronically?
Yes. Data Processing Agreements are valid with electronic signatures under ESIGN (US), eIDAS (EU), and ECA (UK). E-signing a DPA creates a timestamped, tamper-proof record of when both parties agreed to the data protection terms — useful evidence for regulatory audits.