Glossary · DPA

DPA. What it is, what it must cover.

DPA · Data Processing Agreement · Last updated 2026-05-07

Definition

A Data Processing Agreement — DPA — is the contractual instrument required by GDPR Article 28 between a controller and processor (and, recursively, between processor and sub-processor) when personal data is being processed on behalf of someone else. It specifies how the data will be handled, the security measures applied, the breach-notification obligations, the rules for engaging sub-processors, the audit rights of the controller, and what happens to the data on termination.

For an AI vendor in 2026, the DPA is no longer optional or pro-forma — it's procurement-blocking if missing or undercooked. EU enterprise customers will not sign without one.

What a DPA must cover

Article 28(3) GDPR specifies the minimum content. A DPA that meets the bar covers:

  • Subject matter and duration — clearly defined scope and term.
  • Nature and purpose — specific description of what processing will occur.
  • Type of personal data and categories of data subjects — what's being processed, about whom.
  • Documented instructions — the processor commits to processing only on the controller's instructions.
  • Confidentiality — personnel are bound by confidentiality obligations.
  • Security (Article 32) — appropriate technical and organizational measures.
  • Sub-processors — prior written authorization, a back-to-back written agreement imposing the same obligations, and the processor remains fully liable to the controller for sub-processor performance.
  • Data subject rights assistance — the processor will help the controller respond to access, erasure, etc.
  • Breach assistance — notification without undue delay (target: 24–48 hours from confirmation, to enable the controller's 72-hour deadline).
  • Deletion or return on termination — controller chooses; copies are deleted unless legal retention is required.
  • Audit rights — the controller can audit, or accept third-party audit reports (SOC 2 Type II, ISO 27001).

What's specific to AI in 2026

An AI vendor's DPA in 2026 needs three additions that pre-2023 templates often miss:

Sub-processor list with LLM providers. If your AI calls OpenAI, Anthropic, or Google Vertex, those are sub-processors. List them by name, with role and processing location. Customers will check.

No-training commitment. Customer Data must not be used to train your models or — critically — your sub-processors' models. The contract must say so, and your sub-processor contracts must back it up.

EU AI Act references. Article 50 transparency obligations apply from August 2, 2026. Your DPA should describe which AI Act roles you assume (provider, deployer, or both) and reference your transparency disclosures.

What in-house counsel asks AI vendors

  • Can I see your standard DPA template before we start negotiation?
  • What's your published sub-processor list and what's the change-notification window?
  • What's your breach-notification SLA to me as a customer?
  • Are you a "service provider" under CCPA, and does the DPA include §1798.140(ag) terms?
  • Do you process EU personal data outside the EEA? Which SCC modules apply?
  • Can you provide a Transfer Impact Assessment summary on request?

Cogneris publishes its DPA terms summary on the Data Protection page, including the sub-processor list, SCC module use, and the 48-hour breach notification commitment.
