ClearLaunch

Data processing agreements (DPAs) with vendors

processor-agreements · Domain: data-privacy · Type: policy

Description

Data processing agreements (DPAs) are the GDPR Article 28 contracts between a controller and a processor that allocate responsibility for the personal data the processor handles on the controller's behalf. Article 28(3) enumerates the eight required clauses: subject matter, duration, nature and purpose, type of data and categories of data subjects, controller obligations, processor obligations, sub-processor terms, and end-of-engagement disposition.

The clause set looks routine but is not routine to operate: most platforms act as both a controller and a processor depending on the relationship, the same vendor relationship can change posture across product lines, and the standard DPA most vendors offer is built for the buyer's posture rather than the user's. CCPA and the California Privacy Protection Agency's regulations require analogous service-provider contracts with their own clause set, which differs materially from the GDPR list (the no-sale-no-share representation is the most prominent difference).

The operational shape: maintain a vendor inventory keyed to the data the vendor processes, the controller-or-processor posture per relationship, and the executed DPA reference; gate every new vendor onboarding on the DPA being executed before the data starts flowing, not after. The piece that consistently slips is the sub-processor consent chain, where the vendor's DPA grants a generic consent to sub-processors that the vendor's actual sub-processor list does not match.

Required by (9 regulations)

  • CCPA/CPRA

    CCPA §1798.140(ag) — service-provider contracts.

    Cal. Civ. Code §§1798.100-1798.199.100; 11 CCR §7000-7102

  • CPA

    Colo. Rev. Stat. §§6-1-1301 to 6-1-1313; 4 CCR 904-3

  • CTDPA

    Conn. Gen. Stat. §§42-515 to 42-525

  • GDPR

    Article 28(3) — required terms of controller-processor agreements.

    Regulation (EU) 2016/679 of the European Parliament and of the Council

  • LGPD

    Article 39.

    Lei nº 13.709, de 14 de agosto de 2018 (as amended by Lei nº 13.853/2019 and Emenda Constitucional nº 115/2022)

  • MCDPA

    Mont. Code Ann. §§30-14-2801 to 30-14-2817

  • PDPL

    Royal Decree M/19, dated 9/2/1443 AH (September 16, 2021), Personal Data Protection Law, effective September 14, 2023

  • Tennessee IPA
  • VCDPA

    Va. Code §§59.1-575 to 59.1-585

Fulfilled by (2)

  • OneTrust · partial · low effort · $$
  • In-house build · medium effort

ClearLaunch does not accept payment from vendors.

Evidence formats

  • signed DPA library
  • vendor onboarding checklist
  • audit-clause register

ClearLaunch provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions.

Built by Neel Patel, in-house game counsel. Games touch more compliance domains at once than anything else in tech. That's what ClearLaunch was designed around.

Operated by a Washington-licensed attorney. Not licensed in California or other US states. Data reviewed through March 2026.

© 2026 ClearLaunch