Data Processing Agreement (DPA) Review Guide
What to look for in vendor DPAs, red flags, questions to ask. Non-legal-advice framing.
Disclaimer: This is operational guidance, not legal advice. Consult qualified legal counsel before signing any DPA.
You're about to sign a contract with a new practice management platform, e-discovery vendor, or cloud storage provider. Buried in the contract package is a Data Processing Agreement (DPA). Your IT director forwards it to you with "Looks fine?" in the subject line.
Stop. Read it. This document determines what you can demand from the vendor, and what you can recover from them, when that vendor gets breached and your clients' data ends up on the dark web.
This guide shows you exactly what to check, what to reject, and what questions to ask before you sign.
What You're Actually Signing
A DPA is a contract addendum that defines who's responsible when a vendor processes personal data on your behalf. Under GDPR, CCPA, and similar laws, you're the "data controller" (you decide what happens to the data) and the vendor is the "data processor" (they handle it per your instructions). CCPA uses the terms "business" and "service provider" for the same roles.
If the vendor screws up, you're still on the hook with regulators and clients. The DPA is your main contractual protection: it is what lets you recover costs from the vendor and what obliges them to help you meet your own deadlines.
A complete DPA specifies:
- Exact data types the vendor can access (client names, matter details, financial records, health information)
- Permitted processing activities (storage only, analysis, transmission to third parties)
- Security standards the vendor must maintain
- Your audit rights
- Breach notification timelines
- Data deletion procedures when the contract ends
- Subprocessor approval requirements
The 8-Point DPA Review Checklist
Work through these sections in order. Flag anything unclear for your attorney.
1. Scope of Processing
What to check:
The DPA must list specific data categories. Reject vague terms like "business information" or "customer data."
Acceptable language:
- Client names and contact information
- Matter descriptions and case numbers
- Billing records and payment information
- Email content and attachments related to client matters
Unacceptable language:
- "Any data uploaded to the platform"
- "Information necessary to provide services"
- "Data as determined by Customer from time to time"
Red flag: The vendor reserves the right to use your data for "service improvement" or "analytics." This means they're building their product roadmap from your confidential client information. Demand this language be struck entirely.
2. Processing Instructions
What to check:
The vendor must agree to process data only according to your written instructions. A carve-out for processing required by law is standard and acceptable, but only if the vendor must notify you before doing so (unless the law itself prohibits notification). Reject open-ended exceptions for "legitimate business purposes."
Required clause: "Processor shall process Personal Data only on documented instructions from Controller, including with regard to transfers of Personal Data to third countries. Processor shall immediately inform Controller if, in its opinion, an instruction infringes applicable data protection law."
Red flag: The DPA allows the vendor to process data "as necessary to provide the Services." This circular definition lets them do anything they claim is service-related.
3. Security Measures
What to check:
Generic promises like "industry-standard security" mean nothing. Demand specific controls.
Minimum acceptable standards:
- Encryption at rest (AES-256) and in transit (TLS 1.2 or higher, with older protocol versions disabled)
- Multi-factor authentication for all vendor employee access to systems holding your data
- Annual third-party penetration testing
- SOC 2 Type II attestation report (request the full report and read the exceptions section; a "bridge letter" or summary is not enough) or ISO 27001 certification with the statement of applicability
- Quarterly vulnerability scanning with defined remediation timelines
- Dedicated security team with 24/7 monitoring
Questions to ask:
- "Where exactly is our data stored? Which data centers, which countries?"
- "Who at your company can access our data? What's the approval process?"
- "When was your last penetration test? Can we see the executive summary?"
- "Do you encrypt data at the application or field level, or only rely on full-disk encryption from your hosting provider? Who holds the keys?" (Disk-level encryption protects against a lost drive; it does nothing against a compromised application or a vendor employee with database access.)
Red flag: The vendor refuses to specify security measures, citing "proprietary methods." No transparency equals no contract.
4. Subprocessors
What to check:
Vendors rarely handle everything in-house. They use subprocessors for hosting (AWS, Azure), email delivery (SendGrid), analytics (Mixpanel), and support (Zendesk).
Required terms:
- Complete list of current subprocessors with names and functions
- 30-day advance notice before adding new subprocessors
- Your right to object to any subprocessor for reasonable cause
- Vendor remains fully liable for subprocessor failures
Get the subprocessor list now. Review it for:
- Processing outside the jurisdictions you have approved (for EU personal data, any country without an adequacy decision and without a transfer mechanism such as Standard Contractual Clauses in place)
- Vendors with poor security track records (check haveibeenpwned.com and the vendor's published security advisories)
- Unnecessary services (why does your document management system need a marketing automation subprocessor?)
Red flag: The DPA says "Processor may update the subprocessor list at any time by posting changes to its website." That gives you no notice period in which to object and shifts the burden of watching the page onto you. Reject it, or at minimum require e-mail notification to a named contact plus the 30-day objection window.
5. Data Subject Rights
What to check:
When a client requests access to their data, correction, or deletion, the vendor must help you respond within tight deadlines (one month under GDPR, extendable in complex cases; 45 days under CCPA, extendable once). The vendor's own turnaround has to fit well inside that window.
Required clause: "Processor shall, within 5 business days of Controller's request, provide all information and assistance necessary to enable Controller to respond to data subject requests, including access, rectification, erasure, and data portability."
Questions to ask:
- "What's your process for handling data subject access requests?"
- "Can you export data in machine-readable format (CSV, JSON)?"
- "How do you verify the identity of the person making the request?"
- "What's your average response time?"
Red flag: The vendor charges fees for assisting with data subject requests. This is your legal obligation, not an upsell opportunity. A narrow exception for manifestly excessive request volumes is negotiable; per-request fees are not.
6. Breach Notification
What to check:
Speed matters. Every hour of delay increases your regulatory exposure and client notification costs.
Required timeline: "Processor shall notify Controller within 24 hours of becoming aware of a Personal Data breach, and shall provide: (a) description of the breach, (b) categories and approximate number of affected data subjects, (c) likely consequences, (d) measures taken or proposed to address the breach."
Unacceptable timelines:
- "Processor shall notify Controller without undue delay" (undefined; it sets no measurable deadline)
- "Processor shall notify Controller within 72 hours" (too slow; that is the entire 72-hour window GDPR gives you, as controller, to notify the supervisory authority, leaving you no time to investigate first)
Questions to ask:
- "Walk me through your last data breach. What happened, how did you respond, how long until you notified customers?"
- "Do you have cyber insurance? What are the coverage limits?"
- "Who's the point of contact for breach notifications? Can we have their direct number?"
7. Audit Rights
What to check:
You need the right to verify the vendor's security claims. Many DPAs grant theoretical audit rights with impossible conditions.
Required terms:
- Right to audit annually, or more frequently if you have reasonable security concerns
- Right to use an independent third-party auditor
- Vendor provides audit results within 30 days
- Reasonable advance notice (10 business days)
- No charge for one audit per year
Unacceptable limitations:
- "Audits limited to review of SOC 2 reports" (you can't verify current controls)
- "Audits subject to vendor approval" (defeats the purpose)
- "Customer must pay vendor's costs for audit support" (creates financial barrier)
Practical alternative: If the vendor balks at on-site audits, negotiate for quarterly security questionnaires with evidence (screenshots, configuration exports, access logs).
8. Data Deletion
What to check:
When you terminate the contract, the vendor must delete all your data. "Delete" means securely erased (overwritten, or the encryption keys destroyed so the ciphertext is unrecoverable, per NIST SP 800-88), not just marked inactive or left in backups indefinitely.
Required clause: "Within 30 days of termination, Processor shall delete or return all Personal Data and delete existing copies, except where storage is required by law. Processor shall certify in writing that deletion is complete."
Questions to ask:
- "What's your data deletion process? Do you follow NIST SP 800-88 media sanitization guidance?"
- "How do you handle backups? When are those purged?"
- "Can you provide a certificate of destruction?"
- "What happens to data on decommissioned hard drives?"
Red flag: The DPA allows the vendor to retain data "for legitimate business purposes" or "as required by our data retention policy." Demand specific retention periods and legal justifications.
Questions to Ask Before You Sign
Send these to your vendor contact. Vague answers mean walk away.
Security & Compliance:
- "Provide your most recent SOC 2 Type II report and penetration test summary."
- "List every country where our data might be processed or stored."
- "What's your employee background check policy for staff with data access?"
- "Do you have a bug bounty program? What's the URL?"
Operational:
- "What's your average system uptime over the last 12 months?"
- "Describe your backup procedures. How often? Where stored? How tested?"
- "If we need to export all our data, what format and how long does it take?"
Incident Response:
- "Provide your incident response plan executive summary."
- "What's your cyber insurance coverage limit?"
- "Have you had any data breaches in the last 3 years? Describe them."
Contractual:
- "Will you sign our DPA template instead of yours?" (Many vendors will, especially for enterprise deals.)
- "Can we add a right-to-terminate clause if you suffer a material data breach?"
What Happens If You Skip This
Real consequences from inadequate DPAs:
A mid-sized law firm used a legal research platform with a weak DPA. The vendor suffered a breach exposing client matter descriptions. The firm faced regulatory investigation, spent $180,000 on breach response, and lost two major clients. The DPA's liability cap was $50,000.
An accounting firm's tax software vendor used an unapproved subprocessor in a country with no EU adequacy decision and no transfer safeguards in place. A client filed a complaint with the Irish Data Protection Commission. The firm paid €75,000 in fines. The DPA had no subprocessor approval requirement.
Your DPA Review Workflow
Initial review (30 minutes): Read the DPA against this checklist. Flag unclear sections.
Vendor questions (1 week turnaround): Send your questions. Set a deadline. No response means no deal.
Legal review (budget $1,500-$3,000): Have your attorney review flagged sections and vendor responses. This is not optional for any vendor touching client data.
Negotiate (2-3 rounds): Push back on unacceptable terms. Most vendors have "enterprise" DPA versions with better protections.
Document (before signing): Create a vendor risk register entry with: vendor name, data types processed, DPA review date, next review date, key risks accepted.
Monitor (quarterly): Check for subprocessor changes, review security questionnaires, verify certifications haven't lapsed.
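The subprocessor monitoring described in the Subprocessors section and in the quarterly step above can be scripted: keep the list you approved at signing as a baseline, capture the vendor's current list each quarter, and diff them, flagging anything that landed outside your approved jurisdictions, anything the service has no obvious need for, and any addition that arrived without the 30-day notice the DPA requires. The code below is an added example, not part of this guide or any vendor's tooling. The two snapshots, the notice dates, the approved-country set, and the "unnecessary function" list are all constructed for illustration, and "Example Support BPO" is a hypothetical name.

```python
"""Subprocessor list diff and risk flagging (added example; constructed data)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Subprocessor:
    name: str      # legal entity as listed by the vendor
    function: str  # what the vendor says it is used for
    country: str   # ISO country code where processing occurs


# Assumptions for the example: jurisdictions approved in the DPA, functions a
# practice-management vendor should have to justify, and the notice period.
APPROVED_COUNTRIES = {"US", "IE", "DE"}
UNNECESSARY_FUNCTIONS = {"product analytics", "marketing automation", "advertising"}
NOTICE_DAYS = 30

# Constructed snapshot: the list attached to the DPA at signing.
BASELINE = [
    Subprocessor("Amazon Web Services", "hosting", "US"),
    Subprocessor("SendGrid", "transactional email", "US"),
    Subprocessor("Zendesk", "support ticketing", "US"),
]

# Constructed snapshot: the list as posted on the vendor's site this quarter.
# "Example Support BPO" is a hypothetical name.
CURRENT = [
    Subprocessor("Amazon Web Services", "hosting", "IE"),         # region moved
    Subprocessor("SendGrid", "transactional email", "US"),
    Subprocessor("Mixpanel", "product analytics", "US"),          # new
    Subprocessor("Example Support BPO", "tier-1 support", "PH"),  # new, offshore
]

# Constructed: dates on which the vendor notified us of each addition.
NOTICES = {"Mixpanel": date(2024, 5, 1)}
EFFECTIVE = date(2024, 5, 15)  # date the new list took effect


def diff_subprocessors(baseline, current):
    """Return (added, removed, changed) entries, matched by subprocessor name."""
    base = {s.name: s for s in baseline}
    cur = {s.name: s for s in current}
    added = [s for n, s in cur.items() if n not in base]
    removed = [s for n, s in base.items() if n not in cur]
    changed = [(base[n], s) for n, s in cur.items() if n in base and s != base[n]]
    return added, removed, changed


def flag_risks(subprocessors):
    """Flag offshore processing and functions the service should not need."""
    findings = []
    for s in subprocessors:
        if s.country not in APPROVED_COUNTRIES:
            findings.append((s.name, f"processing in unapproved jurisdiction {s.country}"))
        if s.function.lower() in UNNECESSARY_FUNCTIONS:
            findings.append((s.name, f"function '{s.function}' is not needed for the service"))
    return findings


def check_notice(added, notices, effective, required_days=NOTICE_DAYS):
    """Verify each addition was notified at least required_days before taking effect."""
    findings = []
    for s in added:
        sent = notices.get(s.name)
        if sent is None:
            findings.append((s.name, "added with no advance notice"))
        elif (effective - sent).days < required_days:
            days = (effective - sent).days
            findings.append((s.name, f"only {days} days notice, DPA requires {required_days}"))
    return findings


def review(baseline, current, notices, effective):
    """Produce the quarterly review record: what changed and what to object to."""
    added, removed, changed = diff_subprocessors(baseline, current)
    return {
        "added": [s.name for s in added],
        "removed": [s.name for s in removed],
        "changed": [f"{o.name}: {o.function}/{o.country} -> {n.function}/{n.country}"
                    for o, n in changed],
        "findings": flag_risks(current) + check_notice(added, notices, effective),
    }


if __name__ == "__main__":
    for key, value in review(BASELINE, CURRENT, NOTICES, EFFECTIVE).items():
        print(f"{key}: {value}")
```

Each finding maps directly to an objection letter under the DPA's subprocessor clause. Note that a region move for an existing subprocessor (AWS from US to IE in the sample) shows up under "changed" even though IE is an approved jurisdiction; you still want that in the risk register, because the data residency answer the vendor gave you at signing is no longer accurate.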
The DPA protects your firm when the vendor fails. Read it like your malpractice insurance depends on it. Because it does.

Reviewed by Revenue Institute
This guide is actively maintained and reviewed by the implementation experts at Revenue Institute. As the creators of The AI Workforce Playbook, we test and deploy these exact frameworks for professional services firms scaling without new headcount.