A Data Processing Agreement (DPA) is a legally binding contract required by GDPR Article 28 between a data controller (you) and a data processor (e.g. your cloud provider, AI API provider, analytics tool). It specifies what data is processed, how it is protected and what happens when things go wrong. For AI startups, DPAs are critical because you likely rely on multiple external AI and cloud services that handle your users' personal data.
What a DPA must cover:
- Scope and purpose: What personal data is processed, for what purpose, and for how long? Be specific about AI-related processing like model inference, logging and analytics.
- Security measures: What technical and organisational measures does the processor implement? Encryption, access controls, incident response, etc.
- Subprocessors: Can the processor use subprocessors? You must be informed and have the right to object. Most AI providers use a chain of subprocessors — make sure you know who they are.
- Data subject rights: The processor must help you respond to access, rectification and deletion requests from your users.
- Audit rights: You must have the right to verify compliance, either through audits or by receiving certifications (e.g. SOC 2 reports).
- Data return and deletion: What happens when the contract ends? Data must be returned or deleted.
How to get started:
- Check if your AI providers (OpenAI, Anthropic, Google) already offer a standard DPA — most do, often linked from their privacy page.
- Review each DPA against the requirements above. Pay attention to data location, subprocessor lists and training data usage policies.
- For smaller vendors without a standard DPA, use the Dutch DPA guidance as a template.
Tidal Control helps you track all your processor agreements, monitor subprocessor changes and maintain an up-to-date register of all data processing relationships.