A data processing agreement (DPA) is a contract between a controller and a processor that sets out the terms and conditions for the processing of personal data.
The controller is the entity that determines the purposes and means of processing personal data, while the processor is the entity that processes the personal data on behalf of the controller.
A DPA is required under the General Data Protection Regulation (GDPR) for any processing of personal data that is carried out by a processor on behalf of a controller.
The DPA specifies the purposes of the processing, the obligations of the processor, and the rights of the data subjects.
It also sets out the requirements for the security, confidentiality, and accountability of the processing.