Adobe Acrobat Sign

Protect personal data by dialing in your DPA.

A data processing agreement (DPA) is a major part of protecting customer data. Learn what these agreements do and how you can create one for your business.

Explore Acrobat Sign

A person sitting at a table in the atrium of a building working on their laptop

Introduction to data protection.

No matter the business type or service provider, one of the most valuable assets an organization has is user data. This data enables better service, marketing, and structure for businesses that are developing forward-thinking strategies.

Because of this, if you or your organization handles user data, it’s vital to protect it from a data breach. One of the components of securing user data is a legally binding agreement that explicitly states the controller’s (the person or entity in charge of data) instructions, rights, and obligations about the protection of that personal data and how you share it with third parties. This is known as a data processing agreement, or DPA.

What is a DPA?

DPAs are required by the General Data Protection Regulation (GDPR), which is a privacy and security law passed by member states of the European Union. Even if your business isn’t located in the EU, if you do business with EU citizens, you need a DPA.

DPAs cover the governance and protection of personal data, whether that data comes from email information, web analytics, or other transactions. These agreements also cover how your organization stores data, be it in the cloud or in a physical location, and how that data will be protected.

What makes a good DPA?

DPAs define what a data controller (you) can and cannot do with data. A huge part of a data security plan is not only ensuring that you can provide guarantees of data protection and safety, but that the processors you work with can do the same.

For instance, payment and data processors that handle transactions in your online store also need to have sufficient data protection, or you — DPA or no DPA — might be held liable.

Two photos: A photo of a person working on a data protection agreement at their desk next to a photo of a staged home office

Key components of a DPA.

DPAs are legally binding documents, and you should consult a legal professional for legal advice when pulling the entire document together. Generally speaking, they have the following components:

  • An agreement between processor and controller to process personal data only as written by the controller
  • A section swearing all parties involved to confidentiality and an obligation to uphold security measures
  • An outline of categories of data subjects
  • An agreement by processor to not subcontract to sub-processors unless given permission
  • A processor agreement to delete all personal data when a project is complete
  • A processor agreement to submit to audits by the controller and other organizational measures
  • A commitment by the controller and processor to constantly update and control the organization and storage of personal data

This agreement, once signed, is legally binding, so it’s important to get it right. Make sure to review with relevant stakeholders and get your legalese locked in.

GDPR compliance and DPAs.

Once again, if you’re located in the EU, or if you do business with any customers in the EU, you must have a written DPA to be compliant with GDPR. This agreement is a result of the EU prioritizing data privacy, especially when it comes to data processing activities.

Examples of a DPA on different devices as well as an example of signing a DPA with Adobe Sign

What to do if you’re signing a DPA.

If you’re signing a DPA with a processor, you want a secure method of gathering signatures and keeping them encrypted. Acrobat Sign can help you collect, manage, and submit any e-signature on any device.

After that, the most important element of any agreement with a processor of any kind is to ensure that the data will be secure both during the transfer to the processor and afterward. This is because even if a data breach happens on the processor side, the data controller can be held accountable.

Make sure that you know the scope of the agreement between you and the processor, and make doubly sure that you’re aware of how they’ll be using the data.

Make security part of your documentation.

A critical aspect of any sensitive document handling is security. Regardless of the level of sensitive information in a document, Acrobat Sign can assist in document management, contract signature management, and the overall streamlining of your signing processes.

As part of any security or data protection process, there will be plenty of signatures. Most legal entities recognize digital agreements with e-signatures, and by adopting e-sign processes, you help make contracts, agreements, and other documents accessible from any device and at any time, streamlining your document processes.

Acrobat Sign comes with a trove of resource documentation, tutorials, and templates, so you can make any document creation process accessible to your team — and you can start now.