compliance6

The data processing agreement checklist every SaaS founder needs

Enterprise legal teams ask for a DPA the moment procurement starts, and not having one ready stalls the deal. Here's the exact checklist of clauses to have ready before that email lands.

A data processing agreement, or DPA, is the contract that governs how you handle a customer's personal data on their behalf, and it is not optional once an enterprise buyer's legal team gets involved. If you sell to any company with a privacy officer or a general counsel, expect the request the moment your deal reaches procurement, and expect the deal to stall if you don't have an answer ready.

What a DPA actually is, and why it shows up out of nowhere

A DPA is a legal requirement under GDPR Article 28 any time you process personal data on behalf of another company, and CCPA imposes a near-identical obligation for California residents. Your customer is the controller. You are the processor. The agreement spells out what you're allowed to do with their data, who else touches it, and what happens if something goes wrong.

Most founders never think about this until it lands in their inbox as an attachment from a buyer's legal team, usually somewhere between the security questionnaire and the signed contract. By then you're negotiating under deadline pressure, which is the worst possible position to negotiate from.

The mistake that costs founders the deal

The common failure mode isn't refusing to sign a DPA. It's one of two extremes: signing whatever the customer's legal team sends without reading it, or going silent for two weeks while you try to find a lawyer.

Signing blind is how founders end up agreeing to uncapped liability, audit rights that let a customer show up unannounced, or breach notification windows of 24 hours that no five-person engineering team can realistically hit. Going silent is how a warm deal goes cold while procurement moves on to a vendor who responded same-day.

The fix is having your own DPA ready before anyone asks for one, so you're the one setting the terms instead of redlining someone else's.

The checklist to have ready before the request lands

  1. A standard DPA template you control. Draft one before your first enterprise prospect, not during the deal. Most SaaS companies base theirs on the EU Standard Contractual Clauses, which large customers' legal teams already recognize and move through faster than a custom document.
  2. A sub-processor list. Every vendor that touches customer data on your behalf, like hosting, email, analytics, or support tooling, needs to be named. Customers will ask for 30 days' notice before you add a new one.
  3. A data location statement. Where the data lives and whether it ever leaves the customer's region. This single line ends or extends a lot of EU negotiations by itself.
  4. A breach notification commitment you can actually meet. 72 hours is the GDPR standard and the number most legal teams expect. Don't agree to 24 hours to look responsive if your team can't detect and confirm a breach that fast.
  5. A liability cap. The market standard for SaaS DPAs is 12 months of fees paid, sometimes uncapped specifically for data breaches. Know your number before you're asked for one.

The three clauses actually worth negotiating

Not every line in a DPA is worth a fight. These three are.

  • Audit rights: buyers often ask for unannounced on-site or system audits. Counter with advance written notice of 30 days, capped to once per year, remote where possible.
  • Data use restriction: buyers ask for no use of customer data beyond the stated service. Accept this one as written, it should already be true of your product.
  • Liability: buyers often propose uncapped liability or a cap tied to total contract value over multiple years. Counter with a cap at 12 months of fees paid, with a carve-out for gross negligence only.

Audit rights and liability caps are where most of the real back-and-forth happens. The data use restriction clause almost never needs a fight, because if your product is training models on customer data or reselling insights without disclosure, that's a bigger problem than the contract language.

What this actually looks like in practice

A DPA request rarely arrives alone. It shows up bundled with a security questionnaire and sometimes an MSA redline, all from the same procurement email. Founders who treat the DPA as a standalone fire drill burn a week on it. Founders who already have the five checklist items above sitting in a folder can turn most DPA requests around within 48 hours, which matters more than the content of the document itself. Legal teams are comparing your responsiveness against every other vendor in their queue, not just your contract terms.

The 30-day move

Don't wait for your first enterprise prospect to ask. Spend one afternoon this month drafting a DPA based on the EU Standard Contractual Clauses, list your current sub-processors, decide your liability cap and your real breach notification window, and save it as a template. The next time a legal team's email lands with DPA in the subject line, you send a document back the same day instead of forwarding it to a lawyer and waiting.

Frequently asked questions

Do I need a DPA if I don't have any EU customers?

Yes, if you have any California customers or process data on behalf of another business at all, since CCPA and most US state privacy laws impose similar processor obligations. GDPR just made the requirement explicit first.

Can I use a template instead of hiring a lawyer?

A template gets you a strong starting position, but have a lawyer review your final version once, especially the liability cap and audit clauses, before you use it as your standard.

What happens if I refuse to sign a DPA?

The deal stops. Enterprise legal teams will not approve a vendor relationship without one once they've identified that personal data is involved, regardless of how much their business team wants your product.

How long should a DPA negotiation take?

If you're working from your own template, most DPA negotiations close in under a week. Deals that drag for a month are usually stuck because the vendor is negotiating from the customer's draft instead of their own.

Does a DPA need to be renegotiated for every customer?

No. Use one standard template and only make case-by-case changes for genuinely unusual requirements, like a customer requiring in-region-only data storage. Renegotiating from scratch every time is what turns a two-day task into a two-week one.

Who should own the DPA inside an early-stage company?

The founder, until you have a dedicated ops or legal hire. It touches sales, engineering, and legal at once, and handing it to whoever is available at the time is how the sloppy, ad-hoc versions that create liability problems later get signed.

Read enough.
Ready to grow?

19 spots in the cohort. Applications open now.