What is in a DPA, and do I need one?
A DPA (data processing agreement) is required under GDPR once a vendor processes your customers' personal data. The sub-processor list comes with it.
Try this first
1. Request the DPA via vendor admin or support; many large vendors (Microsoft, Google, AWS) provide it as a download.
2. Read the definition of 'personal data', the retention period, and the breach handling; these are the key sections.
3. Request the sub-processor list; it names all third parties that may touch your data (CDN, helpdesk, analytics).
4. Sign the DPA and store it in your SaaS register; an audit asks whether you have one per vendor handling personal data.
5. The vendor should notify you when sub-processors change; check that the notice clause is in the DPA.
When to bring us in
For DPAs that deviate from standard EU clauses, or vendors that refuse to sign one, ask for advice: that is a legal call, not an IT one.
See also
- New hire has an account but cannot reach Outlook or Teams: An M365 account without a license is an empty shell. Assigning takes a few clicks, but picking the right plan pays off long-term.
- Employee left, but their email must be retained: Pulling the license straight away starts a 30-day timer on the mailbox. The right route keeps access to the mail without paying for the license.
- We pay for licenses nobody uses: Between leavers, duplicate plans, and test accounts there is often 10-20% wasted license spend. A usage report exposes it fast.