Global Data Processing Addendum (DPA)

What is a Global Data Processing Addendum (DPA)?

This DPA creates a legally compliant, predictable framework for processing personal data in the United States, the European Union/EEA, the United Kingdom, and Switzerland. It supplements a main services agreement and governs how a service provider (“Provider”) may process personal data on behalf of a customer (“Customer”) across multiple regulatory regimes. It defines the parties’ roles, restricts the Provider to processing only under Customer instructions, outlines required security measures, and sets rules for incident response, subprocessors, audits, international transfers, and data return or deletion. It incorporates GDPR, UK GDPR, Swiss FADP, and U.S. state‑privacy‑law requirements, and includes modern provisions addressing AI/ML usage, automated decision‑making, and obligations for handling data subject requests. Together, these terms establish a controlled and transparent structure for cross‑border vendor data processing.

When Do You Need This DPA?

You need this DPA whenever a service provider processes personal data on your behalf and that data may originate from or be accessed within the U.S., EU/EEA, UK, or Switzerland. It is essential when your services involve cross‑border data flows, international hosting, global user bases, or vendors with distributed teams. The DPA ensures the provider follows your instructions, maintains appropriate security, supports your GDPR and state‑privacy‑law compliance obligations, and refrains from using the data for unauthorized purposes such as selling, sharing, combining datasets, or training AI models. It is also required when restricted transfers may occur and you need SCCs, the UK Transfer Addendum, or Swiss‑aligned safeguards.

Why Use This Template?

This template provides a comprehensive, modern, and processor‑friendly structure for governing data processing across the U.S., EU/EEA, UK, and Switzerland. It includes strict processing‑instruction requirements; detailed security and incident‑response obligations; subprocessor controls; audit rights; and robust return‑and‑deletion procedures. It also incorporates GDPR‑specific requirements such as lawful‑basis obligations, transparency duties, data subject rights, and international transfer mechanisms. The template is designed to reduce legal risk, ensure compliant vendor oversight, and establish predictable data‑handling practices across multiple jurisdictions - but it should be tailored to your specific services and reviewed by a qualified attorney before publication.

Key Provisions Included (Condensed)

  • Processing limited to Customer’s documented instructions
  • Defined security measures and incident‑response obligations
  • Customer responsibilities, including lawful‑basis requirements and restrictions on submitting sensitive or prohibited data
  • Support for data‑subject requests under GDPR, UK GDPR, FADP, and U.S. state laws
  • Subprocessor controls, notice, and objection rights
  • Audit rights with acceptance of SOC 2/ISO reports
  • Data return and deletion requirements at end of service
  • GDPR‑aligned obligations, including transparency, lawful basis, and controller/processor role definitions
  • International transfer mechanisms (SCCs, UK Addendum, Swiss‑FADP alignment)
  • AI/ML usage limits and automated‑decision‑making transparency
  • Liability aligned with the main agreement