Understanding the Key Players: Data Controllers and Data Processors
Before we dive into the DPA itself, we need to understand who’s involved. Two main roles come up when discussing data protection: the data controller and the data processor.
What is Personal Data? A Quick Recap
First, let’s quickly define personal data. It’s any information that relates to an identifiable living person. This includes obvious things like:
- Names
- Email addresses
- Phone numbers
It also includes less obvious identifiers like:
- IP addresses
- Cookie identifiers
- Location data
Essentially, if information can be linked back to an individual, it’s likely personal data.
The Data Controller: In the Driver’s Seat
The data controller is the organization or individual that determines the purposes and means of processing personal data. Think of them as being in the driver’s seat. They decide why personal data should be collected and how it should be processed.
Responsibilities of a data controller typically include:
- Ensuring there’s a lawful basis for collecting and processing the data (e.g., consent, contractual necessity).
- Being transparent with individuals (data subjects) about how their data is used.
- Upholding data subject rights (like the right to access or delete their data).
- Overall accountability for protecting the data.
For example, your client who owns an e-commerce store is usually the data controller for their customer data. They decide to collect customer emails for marketing and order fulfillment.
The Data Processor: Acting on Instructions
The data processor is an organization or individual that processes personal data on behalf of the data controller. They act based on the controller’s documented instructions. They don’t decide the purpose of the processing themselves.
Responsibilities of a data processor often include:
- Processing data only as instructed by the controller.
- Implementing appropriate security measures to protect the data.
- Notifying the controller of any data breaches without undue delay.
- Assisting the controller in meeting their data protection obligations.
An email marketing platform, like Send by Elementor, acts as a data processor when it handles a client’s contact lists to send out email campaigns. The client (the controller) directs Send by Elementor (the processor) on whose data to use and what emails to send. Similarly, a web hosting company is a processor for the website data it stores.
Can You Be Both?
Yes, it’s possible for an entity to be a data controller in one context and a data processor in another. For instance, as a web creator:
- You might act as a data processor if you maintain a client’s website and handle their customer database as per their instructions.
- You would be a data controller for your own business’s employee data or your own direct client contact information that you use for billing and communication.
The role depends on who determines the “why” and “how” of the data processing.
What Exactly is a Data Processing Agreement (DPA)?
Now that we know the key players, let’s focus on the Data Processing Agreement itself. It’s a critical document in the world of data privacy.
Core Definition and Purpose of a DPA
A Data Processing Agreement (DPA) is a legally binding contract entered into between a data controller and a data processor. This agreement clearly outlines the rights, responsibilities, and obligations of each party concerning the protection of personal data being processed.
The main purpose of a DPA is to ensure that personal data is:
- Processed lawfully and fairly.
- Processed securely, with appropriate safeguards.
- Processed strictly in accordance with the data controller’s documented instructions.
- Handled in a way that helps the controller meet their own legal obligations under data protection laws.
It essentially puts data protection requirements into a formal, enforceable contract.
When is a DPA Required? The GDPR Spotlight
The need for DPAs has been significantly highlighted by modern data protection laws, most notably the General Data Protection Regulation (GDPR) in Europe.
- GDPR: Article 28 of the GDPR explicitly mandates that a DPA (or other legal act) must be in place whenever a data controller uses a data processor to handle personal data of individuals in the EU/EEA. This is a non-negotiable requirement under GDPR.
- Other Privacy Laws: While GDPR is the most prominent, other data privacy laws around the world, like the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), Brazil’s LGPD, and others, also emphasize the importance of contractual safeguards when third-party vendors process personal data. Having a DPA is increasingly seen as a best practice globally.
Generally, it’s wise to have a DPA in place anytime a third party processes personal data on your behalf, regardless of specific legal mandates, as it ensures clarity and protection.
Why DPAs Are Crucial for Trust and Compliance
DPAs are more than just legal paperwork. They play a vital role in:
- Demonstrating Commitment to Data Protection: Having a DPA shows that both the controller and processor take data privacy seriously.
- Providing Legal Clarity and Accountability: It clearly defines who is responsible for what, reducing ambiguity and potential disputes.
- Helping Controllers Meet Compliance: The DPA ensures the processor assists the controller in fulfilling their own legal obligations under laws like GDPR (e.g., regarding data subject rights, security, and breach notifications).
- Building Trust: When customers and clients know their data is governed by a strong DPA, it builds confidence in your services and data handling practices.
For web creators, advising clients on the necessity of DPAs with their vendors (or having one with clients if you process their data) showcases professionalism and a commitment to best practices.
Key Elements You’ll Find in a DPA: Anatomy of the Agreement
A well-drafted DPA will contain several specific clauses outlining the terms of the data processing arrangement. While the exact wording can vary, most DPAs include the following key elements:
- Subject Matter, Duration, Nature, and Purpose of Processing:
  - This section clearly describes what the data processing is about. It details the specific personal data involved, how long the processing will last, the methods or activities involved in the processing, and the overall reason or goal for processing the data.
- Types of Personal Data and Categories of Data Subjects:
  - The DPA must specify the kinds of personal data being processed (e.g., names, email addresses, IP addresses, transaction history, health information if applicable).
  - It also identifies the categories of individuals whose data is being processed (e.g., customers, employees, website visitors, patients).
- Obligations of the Data Processor: This is a cornerstone of the DPA. It typically includes commitments from the processor to:
  - Process personal data only on documented instructions from the data controller.
  - Ensure that any personnel authorized to process the personal data have committed themselves to confidentiality.
  - Implement appropriate technical and organizational security measures (TOMs) to protect the data against unauthorized access, loss, or destruction. This is a critical section.
  - Adhere to specific rules regarding the use of sub-processors (other vendors that the primary processor might use to deliver its services). Often, the controller’s prior written authorization is required for any new sub-processors. The DPA will also state that the primary processor must have a similar contract with its sub-processors.
  - Assist the data controller (e.g., by providing technical and organizational measures) in responding to requests from data subjects exercising their rights (such as the right to access, rectify, erase, or port their data).
  - Assist the data controller in meeting their obligations regarding data security and notifying relevant authorities or individuals in case of a data breach.
  - Either delete or return all personal data to the controller at the end of the service contract, as instructed by the controller, and delete existing copies unless legally required to store them.
  - Make available to the controller all information necessary to demonstrate compliance with their obligations, and allow for and contribute to audits, including inspections, conducted by the controller or an auditor mandated by the controller.
- Obligations of the Data Controller: While the DPA focuses heavily on the processor, it may also reiterate the controller’s core responsibilities, such as:
  - Providing lawful and documented instructions for data processing.
  - Ensuring they have a legitimate and lawful basis for collecting and having the personal data processed.
- Details on Data Transfers (Especially International Transfers):
  - If personal data is to be transferred outside of certain jurisdictions (like the European Economic Area), the DPA must outline the safeguards in place to ensure the data remains protected. This often involves incorporating Standard Contractual Clauses (SCCs) or other recognized transfer mechanisms.
- Breach Notification Procedures:
  - The DPA will specify how and when the data processor must notify the data controller in the event of a personal data breach, usually “without undue delay.”
- Liability and Indemnification:
  - These clauses address how liability is apportioned between the controller and processor in the event of breaches, damages, or non-compliance with the DPA or data protection laws.
Understanding these components helps you know what to look for when reviewing a DPA.
DPAs in Action: Scenarios for Web Creators and Their Clients
Data Processing Agreements are not just theoretical legal documents. They apply in many common situations that web creators and their clients encounter.
You (Web Creator) as a Data Processor
As a web creator, you might find yourself acting as a data processor for your clients. This could happen if:
- You host your client’s website on your own servers or a dedicated server you manage.
- You manage their customer database as part of website maintenance or e-commerce management.
- You perform regular website backups that include personal data.
- You have ongoing access to their website’s backend where personal data (e.g., form submissions, user accounts) is stored and you actively manage it.
In these scenarios, your client is the data controller, and you are the data processor. You would need to have a DPA in place with your client to govern how you handle their customer data according to their instructions and legal requirements.
Your Client (as Data Controller) Using Third-Party Services
More commonly, your clients will be data controllers who use various third-party online services to run their business. Each of these services that handles personal data on their behalf is a data processor. Your client needs a DPA with each of these vendors. Examples include:
- Email Marketing Services: When your client uses a platform like Send by Elementor to manage their contact lists, design emails, and send marketing campaigns, Send by Elementor processes personal data (email addresses, names, campaign interaction data) on behalf of your client. Therefore, your client (the controller) must have a DPA with Send by Elementor (the processor).
- Web Hosting Providers: The company hosting your client’s website processes all the data on that site, including any personal data collected through it.
- Analytics Tools: Services like Google Analytics process website visitor data (IP addresses, browsing behavior) on behalf of the website owner.
- Cloud Storage Providers: If your client uses Dropbox, Google Drive, or similar services to store business documents that include personal data.
- CRM Systems: Platforms used to manage customer interactions and sales data.
- Payment Processors: Companies like Stripe or PayPal process payment and customer data for e-commerce transactions.
As a web creator, you can provide immense value by advising your clients on the importance of ensuring these DPAs are in place and reviewing them.
Send by Elementor’s Role: A Processor Committed to Data Protection
When your clients choose an email and SMS marketing toolkit like Send by Elementor, they are entrusting it with valuable customer data. In this relationship:
- Your client is the Data Controller. They own the contact lists and decide the marketing strategy.
- Send by Elementor acts as the Data Processor. It provides the platform and tools to process that data according to the client’s campaigns and instructions.
To ensure compliance and build trust, Send by Elementor would provide a DPA to its users. This DPA would clearly outline:
- Send by Elementor’s commitments to data security, including the technical and organizational measures taken to protect client data.
- The assurance that data will only be processed based on the client’s instructions.
- Transparency regarding the use of any sub-processors (e.g., infrastructure providers) and the contractual safeguards in place with them. Send by Elementor itself would have DPAs with these sub-processors, creating a chain of accountability.
- How Send by Elementor will assist clients in meeting their GDPR obligations, such as responding to data subject rights requests related to the data processed by the platform.
This commitment to a clear DPA demonstrates Send by Elementor’s dedication to data protection and regulatory compliance, making it a trustworthy partner for your clients’ communication needs.
What to Look For in a DPA: A Practical Checklist
When you or your client are presented with a DPA, it’s important to know what to look for. Here’s a practical checklist:
- Clarity and Specificity:
  - Is the DPA easy to understand?
  - Does it clearly define the subject matter, duration, nature, and purpose of the processing?
  - Are the types of personal data and categories of data subjects specifically listed?
- Security Measures (TOMs):
  - Does the DPA detail the technical and organizational security measures the processor will implement?
  - Are these measures appropriate for the sensitivity of the data being processed? Look for commitments to encryption, access controls, regular testing, etc.
- Sub-processor Management:
  - How does the processor engage sub-processors?
  - Do they require the controller’s prior specific or general written authorization?
  - Is there a commitment to ensure sub-processors are bound by similar data protection obligations?
  - Is there a list of current sub-processors available, and a process for notifying about new ones?
- Data Subject Rights Assistance:
  - Does the processor commit to assisting the controller in fulfilling data subject requests (e.g., for access, deletion, portability)?
- Breach Notification Terms:
  - Are the timelines and procedures for the processor to notify the controller of a data breach clearly defined and reasonable (e.g., “without undue delay”)?
- Audit Rights:
  - Does the controller have the right to conduct audits or inspections to verify the processor’s compliance, or will the processor provide compliance reports/certifications?
- Data Return/Deletion:
  - What happens to the personal data at the end of the contract? Does the processor commit to deleting or returning it as instructed?
- International Data Transfers:
  - If data will be transferred internationally (e.g., outside the EU/EEA), does the DPA specify the legal safeguards used, such as Standard Contractual Clauses (SCCs)?
- Liability and Indemnity:
  - Are the clauses regarding liability and potential indemnification clear and fair to both parties?
- Is it GDPR-Compliant (if applicable)?
  - Does the DPA explicitly meet the requirements of Article 28 of the GDPR?
This checklist isn’t exhaustive, and complex situations may require legal advice. However, it provides a good starting point for reviewing a DPA.
The Web Creator’s Responsibility: Guiding Clients on DPAs
As a web creator, you are often a trusted advisor to your clients on many aspects of their online presence. Data protection is increasingly part of this.
Identifying When a DPA is Needed for Client Projects
Be proactive in recognizing situations where your client will need a DPA. This includes when they:
- Sign up for any new cloud service that will handle customer or user data.
- Engage an external agency for marketing or analytics that involves personal data.
- Use plugins or integrations on their website that send data to third parties.
Advising Clients to Review Vendor DPAs
Encourage your clients not to just blindly accept terms of service. When a service involves processing personal data, they should look for and review the vendor’s DPA. Help them understand what key clauses to look for (as per the checklist above).
Ensuring Your Own Practices are DPA-Ready
If you act as a data processor for your clients (e.g., through hosting or maintenance services), ensure you have a solid DPA template ready to use. Make sure your own security practices and data handling procedures align with the commitments you make in your DPA.
Building Trust Through Transparency in Data Handling
Being knowledgeable about DPAs and data protection demonstrates professionalism. It shows your clients that you take their data, and their customers’ data, seriously. This transparency builds trust and strengthens your client relationships.
Conclusion: DPAs – The Unsung Hero of Data Privacy
In an increasingly data-driven world, the Data Processing Agreement (DPA) might seem like just another piece of legal paperwork. However, it’s far more than that. A DPA is a cornerstone of modern data privacy, a critical tool for ensuring that personal information is handled responsibly, ethically, and lawfully. It provides the essential framework for collaboration between data controllers and the processors they entrust with sensitive data.
For web creators and their clients, understanding DPAs is no longer optional. They are fundamental for compliance with laws like GDPR, for protecting businesses from significant risks, and, most importantly, for building and maintaining the trust of customers. By recognizing the importance of DPAs, knowing what they should contain, and ensuring they are in place whenever third-party services like Send by Elementor are used to process personal data, you champion a culture of data respect. This commitment not only safeguards data but also strengthens brands and fosters more secure digital experiences for everyone.