Skip to content
Vectel
Support/Compliance and regulations

Do I need a Data Processing Agreement with this vendor?

Yes, if they process personal data on your behalf. GDPR Art. 28 requires a written agreement before you go live.

Try this first

  1. 1Decide the role. Processor when they only execute (cloud storage, mail provider, payroll). Controller when they set purpose and means (bank, accountant). The latter does not need a DPA but does need clear terms.
  2. 2Ask the vendor for their standard DPA. Microsoft, Google, AWS, Salesforce all publish one and you accept it in their portal. Print the proof.
  3. 3Confirm purpose, data types, retention, sub-processors and non-EEA transfers are spelled out. Generic DPA without an annex is not enough.
  4. 4Custom DPA? Use the AP model or a NOREA template as the base. Writing from scratch goes wrong more often than not.
  5. 5File the signed copy in the processing register entry for that activity.

When to bring us in

Vendor refuses a DPA or wants unlimited sub-processors? That is not a vendor issue, it is a red flag. Call us before you sign.

See also

None of the above fits?

Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.

Who are you?

For the AI question we need your email and company, so we can follow up if the AI gets stuck, and to prevent abuse.

Limited to 2 questions per hour and 5 per day, kept lean so the AI stays useful. For more, contacting us directly works better for you and us.

Or skip the DIY entirely

Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.

Bring us inHow Managed IT works