What is a DPA?
A data processing agreement (DPA) is a legal contract between Growth FullStack and its processors. The purpose of the DPA is to lay out clear roles and obligations for the processors when handling personal data on Growth FullStack’s behalf.
Why and how should I assess this?
While the processor has obligations, ultimately the data controller is responsible for the personal data. Growth FullStack may only use processors that can sufficiently guarantee that the processing meets the requirements of the GDPR. Some things to look for in a DPA:
Processing only on documented instructions of the controller.
The DPA must set out the purpose and duration of the processing and the type of personal data and the categories of data subjects.
Appropriate security measures.
Controllers must only use vendors that can provide sufficient guarantees for the security of their processing activities.
The use of sub-processors.
The processor must not use another processor (i.e., a sub-processor) to help it process personal data without prior permission from the controller.