Customer DPA for SaaS: what to include

The baseline comes from GDPR Article 28(3). Your DPA should cover documented instructions, confidentiality, security measures, subprocessors, data subject rights assistance, incident and DPIA support, return or deletion, and audit or compliance information.

Best fit: founders, sales, and legal-adjacent teams drafting customer processor terms

Last updated: 2026-03-14

The non-optional Article 28 clauses

Article 28(3) sets out the core processor obligations that should appear in your DPA. This is the baseline buyers are checking against, even when they send their own paper first.

  • Process data only on documented controller instructions
  • Bind authorised personnel to confidentiality
  • Implement appropriate security measures
  • Follow the subprocessor conditions in Article 28
  • Assist with data subject requests
  • Assist with security, breach, DPIA, and consultation duties
  • Delete or return data at the end of services, unless law requires retention
  • Provide information needed to demonstrate compliance and support audits

The annexes buyers usually expect

A usable SaaS DPA normally needs schedules or annexes that make the legal text concrete. Without them, the paper often fails buyer review because the processing details are still missing.

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Categories of personal data
  • Categories of data subjects
  • Approved subprocessors
  • Technical and organisational measures

How to keep the template honest

Your DPA should match your real service model. If your product uses new vendors, new retention logic, or new support flows, the annexes should be updated as well.

That is also why the DPA, subprocessor list, and security summary should be maintained together. Buyers notice when those three documents contradict each other.

Sources

Official GDPR text on EUR-Lex: the official GDPR text, especially Article 28(3) and Article 28(4).

EDPB Opinion 22/2024: official EDPB guidance on controller checks and subprocessor chains.
