GDPR Art. 28 requires a written contract with every processor that handles personal data on your behalf — without a signed DPA, you are legally exposed for your processor's data handling practices. Art. 28(3) specifies the mandatory terms: purpose limitation, security obligations, subprocessor restrictions, and data subject rights. ISO-27001:2022 A.5.19 and A.5.20 require supplier security agreements and monitoring of supplier compliance. Most SaaS controllers are unaware that accepting Stripe, Postmark, or Sentry's standard terms does not automatically constitute a signed DPA — a separate DPA acceptance step is required for most vendors. An audit of your actual processor list against your signed DPAs almost always reveals gaps.
Severity is medium because GDPR Art. 83(4) allows fines of up to €10M or 2% of global turnover specifically for Art. 28 DPA failures, independent of any actual data breach or misuse.
Systematically sign or accept DPAs for every service that accesses personal data. Most major vendors provide a one-click DPA acceptance in their account settings.
DPA checklist — complete for each service before launch:
□ Stripe — stripe.com/legal/dpa (accept via Dashboard > Settings > Legal)
□ SendGrid — sendgrid.com/policies/dpa
□ Resend — resend.com/legal/dpa
□ Postmark — email support@postmarkapp.com to request DPA
□ Google (GA4) — myaccount.google.com > Data & Privacy > Accept data processing terms
□ Sentry — sentry.io/legal/dpa
□ Vercel — vercel.com/legal/dpa
□ Supabase — supabase.com/privacy (standard GDPR terms; BAA available for HIPAA)
□ Clerk / Auth0 — check vendor legal page
Keep a DPA registry spreadsheet: service, data categories shared, DPA accepted date, SCCs included (Y/N), renewal date if applicable.
ID: data-protection.storage-retention.third-party-dpa
Severity: medium
What to look for: List all third-party services that access or process user personal data. Common services: payment processor (Stripe), transactional email (SendGrid, Postmark, Resend), analytics (Google Analytics, Mixpanel, Plausible), authentication (Auth0, Clerk), customer support (Intercom, Zendesk), error tracking (Sentry), hosting provider (Vercel, AWS). For each service, check whether a Data Processing Agreement (DPA) is in place. A DPA should specify: what data is processed, purposes, data subject rights, security obligations, subprocessor disclosures, and retention. Check the application's privacy policy for a subprocessor list. Cross-reference with the actual services in use.
Pass criteria: At least one of the following conditions is met: (1) all third-party services that access personal data have a signed or accepted DPA in place; (2) major subprocessors are documented (at minimum: payment, email, analytics, auth); (3) a subprocessor list is accessible in the privacy policy or on request.
Fail criteria: One or more major third-party services (payment processor, email provider, analytics) have no DPA. No subprocessor list exists anywhere.
Skip (N/A) when: No third-party services process personal data (extremely rare — most applications use at minimum email and analytics).
Detail on fail: Example: "Stripe, SendGrid, and Google Analytics process personal data but no DPAs are documented or referenced. No subprocessor list in privacy policy."
Remediation: Systematically sign DPAs for all services that touch personal data:
DPA checklist — complete for each service:
□ Stripe — stripe.com/legal/dpa (accept via Dashboard > Settings > Legal)
□ SendGrid — sendgrid.com/policies/dpa
□ Postmark — postmarkapp.com/privacy-policy (GDPR compliant; email support to request DPA)
□ Resend — resend.com/legal/dpa
□ Google (GA4) — myaccount.google.com > Data & privacy (accept via GA Admin > Data Settings)
□ Plausible — plausible.io/dpa (GDPR-focused; a DPA is often not required because no PII is collected)
□ Clerk — clerk.com/legal/dpa
□ Auth0 — auth0.com/gdpr
□ Sentry — sentry.io/legal/dpa
□ Vercel — vercel.com/legal/dpa
□ Supabase — supabase.com/privacy (BAA available for healthcare; standard GDPR terms apply)
Keep a DPA registry (spreadsheet or Notion doc): service, what data is shared, DPA signed date, renewal date, SCCs included (Y/N).