Data Processing Agreements (DPAs)
Whenever another company processes personal data on your behalf — a hosting provider, email platform or analytics service — the law requires a written contract setting out how they must handle it. This is the data processing agreement.
The summary below is general guidance to help you know what to look for.
What a DPA Should Cover
- The subject matter, duration and nature of processing.
- The type of data and categories of people involved.
- An obligation to act only on your instructions.
- Security measures the processor must maintain.
- Rules on using sub-processors.
- What happens to data when the contract ends.
Why It Protects You
As the controller you remain responsible for the data even when someone else handles it. A solid DPA sets clear expectations, supports your own compliance and gives you recourse if something goes wrong.
Practical Tips
Most reputable providers offer a standard DPA you can accept online — keep a copy on file. For bespoke arrangements, make sure the terms reflect the real data and risk involved.
Frequently Asked Questions
Do I need a DPA with every supplier?
Only with those that process personal data for you. A stationery supplier that never sees your customer data does not need one.