Ask the Compliance Experts: What is a DPA? Who needs it? What happens if you don’t have a DPA? What are the different levels of DPA?


In 2021, Webbula launched a video series, 'Ask the Email Experts', where we sat down with email industry experts to discuss various topics within the email marketing world.

Webbula would like to introduce our new series, 'Ask the Compliance Experts', which will spread compliance and security awareness within the email industry with the help of top deliverability and compliance experts.


Are you a compliance expert and want your voice to be heard in the series? Let us know! 

Ask the Compliance Experts: What is a DPA (Data Processing Agreement)? Who needs it? What happens if you don’t have a DPA? What are the different levels of DPA?

Chris Arrendale
Yanna-Torry Aspraki
Dennis Dayman
Tawab Safi 
Sergey Serkin



Chris Arrendale

CEO & Founder of CyberData Pros


This is a great question. A DPA is a Data Processing Agreement that is essentially an agreement between a data controller and a data processor. For example, it's a data controller being the company, and the data processor being the third-party service provider, and it essentially regulates personal data processing conducted for business purposes.

This may also be called a GDPR data processing agreement. You'll find that term used quite a bit. It lays out the requirements for the controller and the processor to follow when they're processing data. It sets terms for data storage, data protection, how data's processed, accessed, and how it's used. It's an agreement for what the processor can and can't do because the controller is ultimately responsible for that data, and they're working with that processor via that contract and via that DPA to ensure that they're able to do that. Again, it's tied to the GDPR, so focusing on personal data and data processing, subjects, controllers, and processors. It really mandates that you have to sign a DPA with a third-party processor before they can start processing your data. If you don't, it can result in hefty fines and some penalties, and that's something that has been in the news quite a bit lately as well.

You need a DPA for when you're again hiring that third-party processor to process that data. If you do not process any data in the EU, I always still recommend having a DPA because it can really prove useful for outlining terms that the businesses have with external data processors. So having that is key. You'll see a lot of companies, large brands, marketing companies, and ESPs have DPAs on their websites. One of them that I really like is HubSpot's DPA. It makes it easy to read and it breaks it down into different categories, such as responsibilities, obligations, requests, and transfers, and it lays it out really nice with some definitions. I always point to theirs as what I like to see as far as easy to read, easy to access, and easy to understand.

There are quite a few elements to a DPA: the activities involved in data processing, the way personal data is used, the parties responsible, and the duration, which is also vital because it defines how long the data is going to be processed for. It covers definitions, as I mentioned, data storage, and contract termination. It outlines responsibilities of the controller and responsibilities of the processor, especially as it relates to opportunities for audits and record-keeping, deletion and return of data contract, as well as technical and organizational requirements, encryption methodologies, access transfers, testing methodologies, and the CIA triad. So confidentiality, integrity, and availability - I always call it the CIA triad - those are key.

Then you really get into the meat of the question as it relates to the sub-processors, because if you plan on using those sub-processors, then you're the controller, you're working with a processor, and that processor is then working with sub-processors, and having those sub-processor contractual relationships and requirements is necessary in the DPA. The processor needs that written consent from the controller to use those sub-processors.

Those sub-processors are as responsible for the data processing as the data processor. For example, it's like a little tree that kind of comes down the path. Ultimately, the data controller, the data processor, and the sub-processor are responsible for the data together. It just depends on which path and which level if there's a breach or the sub-processor or how that rolls up to the processor and how they identify it to the controller.

There are a lot of nuances that take effect. It's important to understand that, especially if you use that sub-processor.





Yanna-Torry Aspraki

Deliverability Specialist and CRO of EmailConsul



Businesses with EU residents' data need a GDPR data processing agreement whenever they hire a third-party to process that data. For companies that do not engage with EU user data, a DPA can still help outline business terms with external data processors. It helps organize and define what is done with the data you play with on a daily basis and data you forget even exists. Now I know that most of us barely have a privacy or cookies policy on our own websites when we need even more. Shouldn't we focus on those and build up to having a DPA? Of course! You can get a lawyer to write them for you, and there are quite enough affordable ways to do this. There are half SaaS and half service providers out there that can help you create and manage all these documents with a low monthly fee. You can also use a template from a trusted provider and slowly fill it up with necessary information and have that reviewed by someone who can advise and correct parts. It is always best to have someone with the appropriate knowledge review them.

There are instances where you will be asked to give your DPA as a service provider who processes data. This, for example, can be for security reasons to want to share information with you but need to control who else can see that information and ask what they can do with it. Then you will be scrambling to get everything done altogether.

Getting these documents ready and set up on your website or application is easier than you might think. Get all your agreements ready, including a DPA on your to-do list.





Dennis Dayman

Resident Chief Information Security Officer of Proofpoint


Almost all organizations rely on third parties for processing personal data in today’s digital world i.e., using cloud hosting services, creating a need for data processing agreements (DPAs). Even the tools that are considered to be the basic necessities in business, such as email clients, CRM systems, data storage servers, or website analytics, all process personal data on behalf of organizations. With the introduction of the General Data Protection Regulation (GDPR), there are strict requirements and guidelines on how this can be done in a compliant manner, through signed DPAs, which are written agreements between an organization (data controller) and a third-party organization (data processor) that ensure that all processing tasks are carried out in accordance with both the GDPR and the data controller’s instructions. Let’s say an organization is using an email marketing tool to distribute its newsletters. By doing so, they are able to measure and gain insight into how subscribers engage with the emails. In this case, a DPA is required between the organization and the service, which needs to include the responsibilities that explain the handling of user requests or contact forms. Generally, you need a DPA whenever you rely on the qualifications and resources of third-party expertise to carry out your data processing. For comprehensive protection, the GDPR clearly defines the mandatory information for any DPA. Numerous aspects have to be covered. Even in instances when regulation may not demand one, you should make DPAs a requirement as part of your data policies and vendor agreements. Data processing agreements are only valuable if you can ensure that every processor used by your organization has one.






Tawab Safi

CEO of InnSolu



A Data Processing Agreement (DPA) is a contract between you or your firm and a data processor, specifying how the data processor will handle your data. In simple words, if you are sharing or controlling data with other parties, you must sign a data processing agreement with the other party.

A processing agreement is a legally binding document that entails the rights and responsibilities of each of the parties involved concerning personal data. Typically, a data processing agreement should include the agreement's subject. It also includes the agreement scope, including which data will be processed, how the data will be processed, and the controller and processor relationship. The controller and processor relationship is such that the controller refers to the company or you, and the processor refers to the third-party service provider. These service providers will help the controller form and enforce the agreement based on the objectives of every party involved. In short, a DPA is needed by every company that collects, stores, or processes personal data on behalf of its customers.

Different types of DPAs are required depending on the level of data protection required. For instance, a basic DPA would cover the basics like storage and security, while a more comprehensive DPA would include provisions for data breaches and data retention. A basic data processing agreement has its own risks. With the surface-level nature of the data processing agreement, there is limited data protection available for either party. 

A comprehensive data processing agreement would provide excellent protection for all the parties involved. However, this also entails higher costs for hiring an expert specialist and providing extensive services. Given that acquiring a data processing agreement is necessary when a company is involved in data exchange, companies must ensure that they plan their objectives and hire a specialist early. 

In the contemporary world, data breaches are becoming more common. Not having a DPA runs the risk that your company might have to bear huge costs if a data breach occurs. You do not want your customers to lose trust in the company if they get to know that there was no data processing agreement in place. In addition, if you don't have a DPA in place, you may violate data protection laws, resulting in fines or other penalties. The best way to ensure you have a suitable DPA in place is to work with a lawyer or some legal professional who specializes in data protection law as they will help you understand your obligations and in drafting a DPA that meets your needs. 





Sergey Serkin

Founder & CPO of EmailConsul, Email Deliverability and Anti-Abuse Evangelist


A DPA is necessary to organize the purpose of a business’ data processing and how the data will be protected, and to define the relationship between the controller and processor. GDPR data processing agreements must contain several different elements.

It should include:

General Information

This contains the activities involved in data processing, the purposes for which personal data is used, the party in charge of ensuring GDPR compliance, and the duration data will be processed. It also covers data subjects (customers or users) definitions, types of data to be processed, how and where it is stored, and contract termination clauses.

Responsibility of the controller

The controller is responsible for establishing and implementing a lawful data process and observing data subjects' rights. The controller is also in charge of delivering processing instructions and regulating how the processor handles data.

Responsibilities of the processor

Processors have a comprehensive range of responsibilities under GDPR. Maintaining information security, working with authorities in the event of an investigation, disclosing data breaches, allowing for audits, record keeping, deletion or return of data at the end of the contract, and more are some of these responsibilities.

Technical and organizational requirements

What methods will be used to encrypt, access, and test data? Can both parties ensure that processing systems and services maintain their confidentiality, integrity, and availability, for example?

This is why it is so important to ask and collect data that is actually useful to your business and the use of your products. Over-collecting not only drowns important data but also makes it more complicated to manage.




Check back next month to listen to our next round of email experts' answers to, "What to do if someone threatens to sue you due to data compliance and processing issues."

