A DPA formalizes GDPR-style obligations between controllers and processors: instructions, subprocessors, security measures, and breach notification. Use this outline as a starting point for legal review—not as executed terms.

Roles

You may act as a controller and the provider as a processor for certain processing activities.

Sub-processing

Specify whether prior approval is required for new subprocessors and how objections are handled.

Instructions

Processing follows your documented instructions and applicable law.

Change control

Define how processing instructions change over time—ticket references, email approvals, or signed addenda.

Subprocessors

Review the subprocessors page for infrastructure providers and their purposes.

Audits

Enterprise agreements often include audit rights, questionnaires, and evidence timelines—negotiate frequency and scope explicitly.