GDPR Art. 28 requires a written Data Processing Agreement between a controller and any processor that handles personal data on its behalf. This is not optional even when the processor is a major vendor — Stripe, SendGrid, Vercel, Sentry, and Auth0 all offer DPAs, but they must be actively accepted through account settings; they do not apply by default. Without accepted DPAs, there is no contractual basis governing how these processors handle user data, no obligation for them to assist with DSARs or breach notification, and no mechanism to compel data deletion on contract termination. Regulators have fined controllers specifically for missing DPAs with cloud vendors.
Severity is medium because absent DPAs do not immediately expose user data, but they leave every third-party processing relationship uncontracted under Art. 28, making the controller fully liable for processor behavior without any contractual recourse.
Systematically accept DPAs for every service that touches personal data. Most major vendors offer DPA acceptance via account settings — no legal negotiation required.
DPA Checklist — complete for each processor:
Payment:
□ Stripe — stripe.com/legal/dpa (Dashboard > Settings > Legal)
Email:
□ Resend — resend.com/legal/dpa
□ SendGrid — account settings > Legal
Analytics:
□ Google Analytics — GA Admin > Data Settings > Data Sharing
□ Plausible — plausible.io/data-processing-agreement
Auth:
□ Clerk — clerk.com/legal/dpa
□ Auth0 — Dashboard > Settings
Infra:
□ Vercel — vercel.com/legal/dpa
□ Supabase — request via support
Errors:
□ Sentry — account settings > Legal (sentry.io/legal/dpa)
Document accepted DPAs in docs/compliance/dpa-registry.md with: service name, data processed, DPA acceptance date, and whether SCCs are included. Reference this registry from your privacy policy's subprocessor list.
ID: gdpr-readiness.data-processing.data-processing-agreements
Severity: medium
What to look for: List all third-party services that access or process user personal data. Common services: payment processor (Stripe), transactional email (SendGrid, Postmark, Resend), analytics (GA4, Mixpanel, Plausible), authentication (Auth0, Clerk), customer support (Intercom, Zendesk), error tracking (Sentry), hosting (Vercel, AWS), CDN. For each service, check whether a Data Processing Agreement (DPA) is in place. A DPA should specify what data is processed, for what purposes, data subject rights, security obligations, subprocessor disclosures, and data return/deletion on contract end. Look for DPA references in project documentation (README, docs/compliance/), or in the privacy policy's subprocessor list. Check whether major DPAs have actually been accepted (most cloud services offer DPA acceptance via account settings, not requiring a signed paper contract).
Pass criteria: All third-party services that process personal data have an accepted DPA. At minimum, these must be in place: payment processor, email provider, analytics provider, auth provider, hosting/infrastructure provider. A subprocessor list is documented somewhere accessible (privacy policy, a web page, or on request). DPAs are re-reviewed when adding new services. At least 1 implementation must be confirmed.
Fail criteria: One or more major processors (payment, email, analytics) have no DPA documented. No subprocessor list exists anywhere. DPAs have not been accepted via vendor account settings even though the vendor offers them.
Skip (N/A) when: Application uses no third-party services that access personal data (extremely rare — most apps use at minimum hosting infrastructure).
Detail on fail: Example: "Stripe, SendGrid, and Google Analytics integrated but no DPAs accepted in account settings. No subprocessor list in privacy policy."
Remediation: Systematically accept DPAs for all processors and document them:
DPA Checklist — complete for each service that touches personal data:
Payment:
□ Stripe — stripe.com/legal/dpa (accept via Stripe Dashboard > Settings > Legal)
Email:
□ SendGrid — sendgrid.com/policies/dpa (accept via account settings)
□ Postmark — postmarkapp.com/eu-privacy (email support@postmarkapp.com)
□ Resend — resend.com/legal/dpa
Analytics:
□ Google (GA4) — accept via GA Admin > Data Settings > Data Sharing (includes SCCs)
□ Plausible — plausible.io/data-processing-agreement (GDPR-native)
□ Mixpanel — mixpanel.com/legal/dpa
Auth / Identity:
□ Clerk — clerk.com/legal/dpa
□ Auth0 — auth0.com/gdpr (accept via Dashboard)
Infrastructure:
□ Vercel — vercel.com/legal/dpa
□ AWS — aws.amazon.com/compliance/gdpr-center (via AWS Artifact)
□ Supabase — supabase.com/privacy (DPA available on request)
Error Tracking:
□ Sentry — sentry.io/legal/dpa (accept via account settings)
Maintain a DPA registry: service name, data shared, DPA accepted date, SCCs included.