DocGenie

Jurisdiction guide · EU · EN

GDPR Article 28 DPA — compliant template in 60 seconds

When an EU customer asks a SaaS vendor "send your DPA," they're asking for a GDPR Article 28-compliant Data Processing Agreement covering 9 mandatory elements. Our generator produces all 9 elements aligned to EDPB guidance + the European Commission's SCC Module 2 (controller-to-processor) for international transfers.

The 9 mandatory elements of GDPR Art. 28

A controller-to-processor DPA must specify (per Art. 28(3)): (1) subject matter and duration of processing; (2) nature and purpose of processing; (3) type of personal data; (4) categories of data subjects; (5) obligations and rights of the controller; (6) processing only on the controller's documented instructions; (7) confidentiality; (8) security measures; (9) sub-processors with controller authorization. Our generator captures each element in a dedicated section.

Why the SCCs matter (Module 2 specifically)

Post-Schrems II, transfers of EU personal data outside the EEA require a transfer mechanism. The European Commission published modular Standard Contractual Clauses in 2021. Module 2 covers controller-to-processor (the SaaS vendor case). Our generator references the SCCs by their decision number 2021/914 and incorporates Module 2 for international transfers — including a flag for Schrems II supplementary measures (encryption + access controls beyond standard).

Sub-processor disclosure expectations

Enterprise EU customers will expect a list of sub-processors (AWS, Stripe, Anthropic, etc.) with their data location + DPA URL. Our generator captures this as a free-text field that flows into the DPA. The list should be maintained as a customer-facing page (we recommend hosting it via DG-401 at /hosted/[customer]/sub-processors).

Common questions

Is a separate DPA required for every customer?

Either a separately-signed DPA per customer, or a single DPA that the customer accepts as part of your master service agreement. Most B2B SaaS vendors take the latter approach with a self-service "Sign our DPA" link.

What about the UK after Brexit?

The UK has its own International Data Transfer Agreement (IDTA) and an Addendum that piggy-backs on the EU SCCs. Our generator supports a UK governing-law variant; for cross-border (UK + EU) deals, you may need both the EU SCCs and the UK Addendum.

Does CCPA require a DPA?

Functionally similar — CCPA/CPRA requires a "service provider" agreement with specific contractual provisions. Most US-California SaaS vendors offer a Data Processing Addendum that covers GDPR + CCPA in one document.

Generate a Data Processing Agreement (DPA) now — free

Free PDF, watermarked. Pro $9.99/mo unlimited + DOCX. 30-day money-back.