Does the Microsoft DPA count as a processor agreement?
Yes, the Microsoft Data Protection Addendum is meant as a GDPR Art. 28 agreement for EU customers. Same for Google Workspace and most large SaaS.
Try this first
- 1Pull the current version from Microsoft 365 admin > Privacy & data > Data Protection Addendum, or via the Microsoft Trust Center.
- 2Also pull the Products and Services DPA and the Data Subject Requests annex. The main DPA references them.
- 3Save the PDF with date in your compliance folder. Microsoft updates the document; you want to prove which version applied when.
- 4Record in the processing register: vendor Microsoft, basis Microsoft DPA, download date, Trust Center link.
- 5Same flow works for Google Workspace, AWS, Atlassian, Salesforce, Adobe. Every large SaaS publishes one.
When to bring us in
In healthcare or government, a generic DPA may not cover sector requirements. Then you negotiate a sector annex. Do not DIY that.
See also
- Does NIS2 apply to my company?Two questions decide it: are you in a listed sector, and do you meet the threshold from Recommendation 2003/361/EC (more than 50 FTE and more than EUR 10M turnover or balance sheet). Below that you are only indirectly in scope, via your customers. The threshold determines whether you are an important or essential entity depending on sector.
- What changes with the Dutch Cyber Security Act?The Cyberbeveiligingswet is the Dutch implementation of NIS2. Track NCSC for the exact effective date and the lower regulations.
- Am I personally liable as a director under NIS2?Yes. The board is accountable for approving and overseeing the cyber measures. Severe negligence can become personal.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.