Data Processing Agreement (DPA)
Key GDPR Article 28 clauses for processing on behalf of a controller.
This template outlines key clauses for an Article 28 GDPR data processing agreement between Controller and Processor. Replace placeholders with your company details and sign offline.
Subject Matter and Duration
Processing of customer data for chatbot provision; duration as per subscription/contract.
Nature and Purpose of Processing
Operating the chatbot, handling requests, email delivery, analytics (message/token counts).
Type of Personal Data and Categories of Data Subjects
Chat content, contact details; users/customers/end‑users.
Processor Obligations
- Process only on documented instructions
- Confidentiality
- Security measures (Annex)
- Assist with data subject rights and DPIA
- Delete/return data at end of provision
- Provide evidence of compliance
Sub‑processors
OpenAI (responses), Mailgun (email), hosting providers; Processor informs Controller of changes.
International Transfers
Based on SCCs (Art. 46 GDPR) or equivalent safeguards.
Annex – Technical and Organisational Measures (TOMs)
- Access controls, logging, encryption in transit
- Backups and recovery
- Employee confidentiality and training