DPA (Data Processing Agreement) – Definition

Data Processing Agreement - A contract between a data controller and a data processor that governs the processing of personal data.

DPAs are legally required under GDPR and other privacy regulations when personal data is processed by third parties. They specify how data should be handled, security measures, and responsibilities of each party. In the context of a CMS or content platform, a DPA becomes relevant the moment the system processes any personal data — which happens more often than teams initially expect, since content platforms frequently store editor account details, customer testimonials with names and photos, form submissions, or personalization data tied to individual visitors. A DPA typically covers the scope and purpose of processing, the categories of data involved, security obligations (encryption, access controls, breach notification timelines), sub-processor disclosure, and data deletion or return obligations when the contract ends. For international retailers, DPAs also need to address cross-border data transfer mechanisms, particularly when a vendor's infrastructure or support team operates outside the EU. Reviewing a vendor's DPA before signing a contract is a standard part of vendor due diligence for any system that will touch customer or employee data.