LEGAL TEMPLATE

Data Processing Agreement Review Template

DPA review: processing scope, GDPR protections checklist, sub-processors, and recommended changes.

Use this template

What's inside

Field	Details
Agreement	DPA title or reference
Controller	Who determines purpose of processing
Processor	Who processes on behalf of controller
Reviewer
Date	YYYY-MM-DD
Status	Under Review

Processing Scope

Does the DPA clearly define what data is being processed, why, and for how long?

Categories of data subjects identified (customers, employees, end users)
Types of personal data specified (name, email, IP, payment data, health data, etc.)
Purpose of processing is specific and limited (not open-ended)
Duration of processing is defined
Processing on controller's documented instructions only

Key Protections

Protection	Present?	Adequate?	Notes
Processing limited to documented instructions	Yes	Yes
Confidentiality obligations on processor personnel	Yes	Yes
Appropriate security measures (Art. 32)	Yes	Review	Are specific measures listed or just "appropriate"?
Sub-processor controls (prior consent, flow-down)	Yes	Yes
Data subject rights assistance	Yes	Yes
Breach notification (72-hour window)	Yes	Review	Is the timeline specific? Does it include our notification obligations?
Data deletion/return on termination	Yes	Yes
Audit rights	Yes	Review	Can we actually exercise this? Any limits?
International transfer mechanism	Yes	Yes	SCCs, adequacy decision, or BCRs?

Sub-Processors

Sub-Processor	Location	Purpose	Transfer Mechanism	Concern
Name	Country	What they do with the data	SCCs / adequacy

Verdict

Question	Answer
Does this DPA meet our requirements?	Yes / No / With changes
Gaps or concerns?	List specific issues
Required changes before signing
Special data categories involved?	Health, biometric, children's data — if yes, extra protections needed

Recommended Changes

Clause	Issue	Proposed Change	Priority
			Must Change
			Should Change

Other Legal templates