✦ AlgoGrass is a compliance guidance platform — not a law firm. Always review outputs with a qualified solicitor. ✦

GDPR · 20 Feb 2025 · 5 min read

When Does Your Business Need a Data Processing Agreement?

If you use any third-party tool that processes personal data on your behalf (a cloud hosting provider, an email marketing platform, a payroll system, a CRM), you almost certainly need a Data Processing Agreement (DPA) in place. Article 28 UK GDPR requires a written contract, which may be in electronic form, between a controller and every processor it engages, and the ICO treats the absence of one as an infringement in its own right, separate from whatever happens to the data.

Using Google Workspace, Mailchimp, HubSpot, AWS, Xero, or any other SaaS tool to store or process your customers' or employees' data without a DPA in place is a breach of UK GDPR, regardless of the size of your business: there is no small-business exemption from Article 28.

Controllers vs Processors: The Key Distinction

Before understanding DPAs, you need to understand the two key roles under UK GDPR:

Data Controller

A controller decides the purposes and means of processing personal data. As a business, you are typically the controller for your customers' and employees' data. You decide what data to collect, why you collect it, and how long to keep it.

Data Processor

A processor processes personal data on behalf of a controller, strictly following the controller's instructions. Your email marketing provider, cloud hosting company, and payroll provider are processors — they access personal data you collected, but they process it on your instructions and for your purposes.

A DPA is required whenever a controller engages a processor. It is not required between two independent controllers (e.g. you and a business partner who decides for itself what to do with data you share); a data sharing agreement is the appropriate instrument there. Where two organisations decide the purposes and means together, they are joint controllers and need a transparent arrangement under Article 26 instead.

What a DPA Must Contain

Article 28(3) UK GDPR specifies the mandatory content of a Data Processing Agreement, and Article 28(9) requires it to be in writing, including in electronic form, so a click-through DPA accepted in a provider's console counts. It must set out:

  • The subject matter and duration of the processing
  • The nature and purpose of the processing
  • The type of personal data involved
  • The categories of data subjects (e.g. customers, employees, website visitors)
  • The obligations and rights of the controller
  • That the processor only processes data on documented instructions from the controller, including any transfer of the data outside the UK, and tells the controller if an instruction would infringe data protection law
  • That persons authorised to process data are under confidentiality obligations
  • That the processor implements appropriate security measures under Article 32
  • That the processor does not engage sub-processors without the controller's prior specific or general written authorisation
  • That the processor assists the controller in responding to data subject requests
  • That the processor assists the controller with its security, breach notification and data protection impact assessment obligations under Articles 32 to 36
  • That the processor deletes or returns all personal data at the end of the contract, at the controller's choice, unless the law requires it to be kept
  • That the processor makes available all information necessary to demonstrate compliance, and allows audits and inspections

Which Third-Party Tools Require a DPA

Always Requires a DPA

  • Cloud hosting providers (AWS, Google Cloud, Azure, Vercel, Heroku)
  • Email marketing platforms (Mailchimp, Campaign Monitor, Klaviyo)
  • CRM systems (HubSpot, Salesforce, Zoho)
  • Payroll and HR software (Xero, Sage, BambooHR)
  • Analytics platforms that process personal data (Hotjar, Mixpanel)
  • Customer support tools (Zendesk, Intercom)
  • Accounting software that holds customer data (QuickBooks, FreeAgent)
  • Form builders (Typeform, Jotform)
  • Live chat tools (Drift, Tidio)

Usually Does Not Require a DPA (But Check)

  • Professional advisers (lawyers, accountants) — they are typically controllers in their own right
  • Banks and payment processors — for the transaction itself they act as independent controllers (fraud, anti-money-laundering and other regulatory purposes), though many also publish a DPA covering the services where they act as your processor
  • Couriers and delivery companies — though a DPA may be appropriate if you share customer address data regularly

How to Get a DPA in Practice

Most reputable SaaS providers have a standard DPA available. You do not always need to negotiate a bespoke document:

  • Google (Workspace, Analytics) — Data Processing Amendment accepted in the Google Admin console for Workspace, and in the Analytics admin settings for Analytics
  • Mailchimp — GDPR DPA available at mailchimp.com/legal/data-processing-addendum
  • AWS — GDPR DPA incorporated into the AWS Service Terms; it applies to every account without a separate signature
  • HubSpot — Data Processing Addendum available in account settings
  • Stripe — DPA incorporated into their Services Agreement; it applies only to the services where Stripe acts as your processor, since Stripe is an independent controller for the payment transaction itself

If a provider refuses to sign a DPA or cannot produce one, you should reconsider using that service for processing personal data of UK or EU residents. Without it you are in breach of Article 28 yourself, and you have no contractual means of controlling what the provider does with the data. Whichever route you take, record which DPA version you accepted and when; you will need that evidence to demonstrate compliance under the accountability principle.

Sub-Processors: The Chain of Responsibility

When your processor engages another company to help process your data (a sub-processor), it must have your prior written authorisation to do so, either specific approval for each sub-processor or a general authorisation under which the processor must notify you of additions and replacements and give you the opportunity to object. The processor must pass the same data protection obligations down to the sub-processor by contract and remains fully liable to you for the sub-processor's performance, but as controller you remain responsible for ensuring the whole chain meets GDPR standards.

In practice, this means subscribing to your providers' sub-processor change notifications, checking their published sub-processor lists periodically, and treating a new sub-processor or a change in where data is processed as a trigger for review, particularly for sensitive data categories and for data leaving the UK or EU.
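The periodic check described above is easier to do consistently if the list you reviewed last time is stored and diffed against the list the provider publishes today. The script below is an added example, not AlgoGrass code and not any real provider's list: both the baseline and the current list are constructed sample data, and the set of locations treated as not needing a transfer review is a made-up policy, not a statement of which countries hold adequacy. It reports new sub-processors (which start the objection window under a general authorisation), removed ones (whose copies of your data should be confirmed deleted or returned), and changes of location or purpose.

```python
"""Diff a vendor's published sub-processor list against a stored baseline.

Added example, not AlgoGrass code. The two lists and the ADEQUATE set
are constructed sample data, not any real provider's list or legal advice.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SubProcessor:
    name: str
    purpose: str
    location: str  # country or region where this sub-processor processes the data


# Constructed baseline: the list reviewed and accepted at the last check.
BASELINE = [
    SubProcessor("Example Cloud Ltd", "hosting", "UK"),
    SubProcessor("Mailer Example Inc", "transactional email", "US"),
    SubProcessor("Support Example GmbH", "ticketing", "EU"),
]

# Constructed current list: what the vendor's sub-processor page says today.
CURRENT = [
    SubProcessor("Example Cloud Ltd", "hosting", "UK"),
    SubProcessor("Mailer Example Inc", "transactional email", "India"),
    SubProcessor("Analytics Example LLC", "product analytics", "US"),
]

# Constructed policy: locations that do not trigger a transfer review here.
ADEQUATE = {"UK", "EU"}


def diff_subprocessors(baseline, current):
    """Return (added, removed, changed) sub-processors, matched by name."""
    old = {s.name: s for s in baseline}
    new = {s.name: s for s in current}
    added = [new[n] for n in new if n not in old]
    removed = [old[n] for n in old if n not in new]
    changed = [(old[n], new[n]) for n in new if n in old and old[n] != new[n]]
    return added, removed, changed


def review_findings(baseline, current, adequate=ADEQUATE):
    """Turn the diff into (kind, name, action) tuples a controller must act on."""
    added, removed, changed = diff_subprocessors(baseline, current)
    findings = []
    for s in added:
        # A new engagement under a general authorisation: the objection window starts now.
        findings.append(("NEW", s.name, "review; object within the notice period if unacceptable"))
        if s.location not in adequate:
            findings.append(("TRANSFER", s.name, f"data processed outside adequate territory: {s.location}"))
    for s in removed:
        findings.append(("REMOVED", s.name, "confirm this sub-processor has deleted or returned your data"))
    for before, after in changed:
        if before.location != after.location:
            findings.append(("TRANSFER", after.name, f"location changed {before.location} -> {after.location}"))
        if before.purpose != after.purpose:
            findings.append(("PURPOSE", after.name, f"purpose changed {before.purpose!r} -> {after.purpose!r}"))
    return findings


if __name__ == "__main__":
    for kind, name, action in review_findings(BASELINE, CURRENT):
        print(f"{kind:<9} {name:<24} {action}")
```

Run against the constructed data it reports one new sub-processor in a non-adequate location, one removed sub-processor and one location change. Matching on name is deliberate: providers rarely keep stable identifiers for sub-processors, so a renamed entry shows up as a removal plus an addition, which is the safer failure mode for a review.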

What Happens Without a DPA

Operating without a DPA where one is required is itself a breach of Article 28 UK GDPR, separate from any underlying data breach, and the obligation binds the processor as well as the controller, so a provider working without one is exposed too. The ICO can issue fines, enforcement notices, and corrective orders. In practice, missing DPAs are often discovered during breach investigations, compounding the original violation.

Generate a Data Processing Agreement for your business

AlgoGrass scans your website and identifies which third-party tools need DPAs — then generates the documents you need.
