§ 05 · DPA · v.1.2

Data Processing playbook.

For Article 28 DPAs under UK GDPR and EU GDPR. Defaults that pass a security review without a fight.

16 rules · UK GDPR + EU GDPR

Sample positions for the standard controller-to-processor DPA. Pair with the SaaS Vendor playbook when you’re buying SaaS that processes personal data.

§ 4 · Sub-processors

Sub-processor management

Who else processes your data, and your control over the list.

Ideal
Full sub-processor list in Annex I with names, services, locations, and lawful basis for any non-EEA transfers. Notice of additions 30+ days in advance via email and a stable URL. Right to object; if not resolved within 30 days, customer may terminate the underlying contract.
Fallback
Sub-processor list at a stable URL incorporated by reference; email notice of additions; 30-day objection window with termination right for unresolved objections.
Walk away
No sub-processor list, no notice mechanism, or generic “Vendor and its affiliates and standard cloud providers” without specifics.
§ 7 · Breach notification

Personal data breach notification

How quickly you find out when something goes wrong.

Ideal
Notification within 24 hours of the processor becoming aware, including: nature of the breach, affected data subjects, likely consequences, and measures taken or proposed.
Fallback
Notification within 48 hours with the same content. Includes a designated 24/7 incident contact.
Walk away
72-hour notification (this is the controller’s deadline to the regulator, not the processor’s deadline to the controller) or vague “without undue delay” with no defined timeframe.
§ 9 · Audit rights

Audit and inspection rights

How the controller verifies the processor’s compliance.

Ideal
Controller may rely on third-party audit reports (SOC 2 Type II, ISO 27001) refreshed annually, made available on request. Controller retains right to direct audit at controller’s expense, with 30 days’ notice, no more than once per year (more often after a breach).
Fallback
Reliance on third-party reports as primary mechanism; direct audit only after a breach or material incident.
Walk away
No audit rights at all, or audits conditioned on processor’s consent / cooperation that the processor can withhold.
§ 11 · International transfers

Cross-border transfer mechanism

The legal basis for moving personal data outside the EEA / UK.

Ideal
2021 EU SCCs (controller-to-processor module) and the UK IDTA, both incorporated in full with Annexes completed. Transfer Impact Assessment available on request.
Fallback
EU SCCs and UK IDTA incorporated by reference with Annexes attached as schedules.
Walk away
Outdated mechanisms (EU-US Privacy Shield, 2010 SCCs), unmodified Annexes, or no transfer mechanism despite obvious cross-border processing.
§ 13 · Return / deletion

Data return on termination

What happens to the data after the relationship ends.

Ideal
On termination, processor returns Customer Data in a structured, machine-readable format within 30 days, then permanently deletes from all systems including backups within 60 days, with written certification. Backup-retention carve-out limited to 90 days.
Fallback
Return within 60 days; deletion within 90 days; backup carve-out per processor’s documented backup policy.
Walk away
Indefinite retention, deletion at processor’s discretion, or no certification of deletion.
GDPR DPA Playbook: Article 28 Sample Clauses — Legal Redline