DPA (Data Processing Agreement): Purposes, Requirements, Startup Checklist

8 min read | published 30 June 2022 | updated 29 April 2023
  • Startups often outsource software development to third parties.
  • In many cases, third parties process customer information. There are precedents of contractors exposing that information, both intentionally and by negligence.
  • Having a data processing agreement with a contractor helps mitigate the consequences of a potential breach.
  • Startups hiring contractors to process EU citizens’ personal data on their behalf are required to set up a data processing agreement with each of their contractors.

Contractors and partners can help set you up for success, it’s true. But they can also expose you to data breaches of your customers’ personal information, and all the possible ramifications that come with that nightmare. And that’s why the data processing agreement exists.

The Internet has made it easy to sell goods and services online. But this involves the handling of people’s personal details, which is often executed by third parties.

In 2021, security researchers discovered a security breach at QuickBit, a Swedish crypto exchange. The exchange’s contractor had left information about more than 300,000 transactions exposed, which criminals could potentially use to steal users’ identities.

Now, you can take various technical and organizational measures to prevent your contractors and partners from leaking your private information. The type of such measures will depend on the technical specifics of your platform or product. But whatever measures you take, there’s no 100% guarantee of information safety.

That means you need to define parties’ accountability. And a data processing agreement helps you do exactly that. Keep reading to find out what it is, how it works and which points it needs to include.

What Is a DPA and at Which Startup Development Phases Should It Be Used?

A data processing agreement, or DPA, is a document that regulates how the contractor handles personal details on behalf of its client. It can also be referred to as:

  • a personal data processing agreement
  • a DPA as a data protection agreement
  • a DPA as a data processing addendum 
  • a DPA as a data privacy agreement.

So, when do you need to introduce a data processing agreement? It should be introduced at the initial startup development phases, before a third party steps in to work with customer information. 

Consider the following hypothetical example.

An imaginary Austrian startup named Ubookah wants to provide hookah delivery services through its website and mobile app. And to build those, the startup hires an (also imaginary) software development company we’re calling Buildenture.

Customers are supposed to send their name and phone number to Ubookah to place an order. But this is personal information, and, as an EU-based company, the startup has to comply with the respective data privacy law: the General Data Protection Regulation (GDPR).

Moreover, customer details go through the website and mobile app maintained by Buildenture. And this means Ubookah needs to make sure that Buildenture, as the hired developer, remains accountable if any personal information gets leaked.

That’s why Ubookah signs a DPA with Buildenture. Following the agreement’s terms, the developer guarantees it will handle customer details as required under the GDPR.

A breach may still happen because of Buildenture, and Ubookah may be taken to court. In this case, the DPA functions as a legal agreement that proves the startup took all required measures to ensure customer privacy.

Who Is a Data Controller? Who Is a Data Processor?

You might have heard about data controllers and processors as parties of a DPA. Here’s who they are and what they do.

Under the GDPR, a controller “determines the purposes and means of the processing of personal data.” It could be “a legal or natural person, an agency, a public authority, or any other body.”

Meanwhile, a processor “processes personal data on behalf of a data controller.” It could also be any individual or organization you’ve hired.

In our example, this makes Ubookah a DPA data controller, and Buildenture its processor. As such, the startup is required to “actively demonstrate full compliance with all data protection principles.”

Now, Buildenture may use the services of a cloud storage company (e.g. Amazon Web Services, or AWS). AWS will then have access to customer personal details, too, and will be deemed a sub-processor.

To be compliant with the GDPR, Buildenture must ask for Ubookah’s written permission to use AWS. That permission will allow Buildenture to sign a so-called “back-to-back contract” with AWS, which contains the same processor obligations as the original DPA.

Once the contract has been signed, the original DPA will still be legally binding for Buildenture as the processor.

Sound complicated? EPAM Anywhere Business has an established process of collaboration with sub-contractors. Hire us, and we’ll take the headache out of the process.

What Role Does a Data Processing Agreement Play in Software Development Outsourcing?

A DPA alone won’t prevent issues on the processor’s side. But if Buildenture allows customer data to leak, and Ubookah doesn’t have a valid DPA signed by both parties, the startup will bear grave consequences.

The GDPR makes this clear: “If your organization is subject to the GDPR, you must have a written data processing agreement in place with all your data processors.”

Startups often resort to software development outsourcing, and they outsource work to developers all around the world. Let’s use our imaginary companies again to illustrate how this might play out: Buildenture could be located in India. Does this make the developer or Ubookah exempt from GDPR compliance? On the contrary.

As long as Ubookah works with the personal details of EU citizens, it needs to comply with the GDPR. Where its contractors are located makes no difference.

If the India-based Buildenture messes up and there’s no DPA, Ubookah alone will bear legal and public responsibility. But if there is such an agreement between the parties, Ubookah will be able to claim financial compensation from Buildenture. And the startup will also be able to defend itself in the public eye.

Finding a trustworthy developer can be difficult. And if you want to save yourself hours of research, consider EPAM Anywhere Business.

With our pool of more than 47,000 best-in-class engineers, we’ll build the right team for you in no time.

CEO Checklists for GDPR and DPA Compliance

As a CEO, you will likely delegate DPAs and compliance in general to an expert or external provider. That said, it’s best to know which steps that person or company needs to take to ensure your peace of mind.

We’ve put together the following two checklists to help you assess the work they’ll be doing on your behalf.

GDPR Compliance for Startups

  • Audit the customer information you process and collect

You need to create a clear picture of which information you collect from each channel, and identify which information is subject to GDPR. Here’s what the regulation says:

“Personal data is any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data. Pseudonymous data can also fall under the definition if it’s relatively easy to ID someone from it.”

  • Adopt the principles of data processing

The GDPR’s Article 5 (1) lists six principles which processors must follow:

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimization
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality

As you follow these principles, make sure that you meet an additional requirement as stated by the Article: accountability.

  • Put together a Privacy Policy

Under the GDPR, you must have a Privacy Policy in place. It’s a text on your website that explains to data subjects how you handle their details. Once you’ve identified which of the information you collect is subject to the GDPR, you can find a company that deals with the same information. Copy their Privacy Policy and modify it to suit your business’s needs.

  • Register with your data protection authority

Every EU member state has its own data protection authority. This independent organization oversees compliance with the GDPR within a particular country, advises businesses on customer privacy and punishes violators with fines. In the Republic of Ireland, for example, the Data Protection Commission is the supervisory authority.

  • Take necessary technical precautions

To achieve the bare minimum of data protection, you must do the following:

  1. Analyze personal data breach risks
  2. Create a data protection policy
  3. Obfuscate personal details
  4. Use security software
  5. Set up a firewall
  6. Train your staff to ensure customer information privacy.

  • Appoint a data protection officer (DPO)

Appointing a person responsible for the protection of personal details may sound like an unnecessary step for a startup in its early days. However, the GDPR obliges you to do so if:

  1. Your business is built around personal data processing activities (e.g. a dating app)
  2. You process a large scope of data (e.g. a merchant platform)
  3. You collect data on a regular basis (e.g. a sleep tracker)
  4. You handle large chunks of special category data or criminal records.

So, if any of these points describe your business, you must appoint a DPO before you register with the relevant authorities.

Who is a DPO? This could be one of your employees or an independent service provider.

A DPA Checklist for Startups

Here’s the absolute minimum amount of info your DPA needs to include, a standard core around which the context of your agreement will form:

  • Why, how long, and in which way the data is processed
  • The type of personal data processed
  • Whose data is processed
  • The rights and obligations of the agreement parties

These points will get you headed in the right direction. However, the list of things to include is much longer, and we suggest using a template as a basis.

EPAM Anywhere Business DPA Agreement Template as a Best Practice

As you look for a developer when outsourcing a job, you may encounter companies who have their own DPA templates. This makes things easier for both parties, saving everyone time and effort.

That’s why we've created a comprehensive DPA template at EPAM Anywhere Business. And we don’t stop there, as we simplify collaboration with our clients. We have a streamlined workflow in place.

If you’re up for fast and smooth development, let’s get rolling now.


A data processing agreement is a must if you use external help to operate while using the personal details of EU citizens. The task of creating such an agreement may sound overwhelming, but not to worry — many have taken this path before. You just need to study and adopt their practices.

However, seasoned developers have their own DPA templates. And using those is the most cost- and time-efficient way of protecting your legal rights and public image. If your contractor suggests their own template, just study it carefully and tweak it to suit your business model.