Recipe
DPA Doc Design
A structured approach to designing Data Processing Agreement documentation that satisfies GDPR Article 28 requirements while remaining readable for both legal and engineering stakeholders.
1. Scope & Parties
Define controller-processor roles, subject-matter boundaries, and processing purposes with unambiguous language.

2. Technical Measures
Map encryption, access controls, pseudonymisation, and resilience measures to specific data categories and threat models.

3. Sub-processor Chain
Document prior-authorisation mechanisms, notification windows, and flow-down obligations for every sub-processor tier.
Key Clauses
- Data retention & deletion — specify timelines, triggers, and verifiable deletion methods per data category.
- Audit rights — define frequency, scope, third-party auditor qualifications, and cost allocation.
- Breach notification — establish SLAs, communication templates, and root-cause analysis deliverables.
- Cross-border transfers — reference SCCs, adequacy decisions, and supplementary measures with specificity.
Pair this recipe with the GDPR Audit Trail recipe for end-to-end compliance documentation.