Data Processing Agreement DPA for SaaS application

Our company is engaged in the development, support and maintenance of sites of any complexity. From simple one-page sites to large-scale cluster systems built on micro services. Experience of developers is confirmed by certificates from vendors.

8+Years of workmore info 900+Completed projectsmore info 100+In house employeesmore info 19+Partnersmore info

Development and maintenance of all types of websites:

Informational websites or web applications

Business card websites, landing pages, corporate websites, online catalogs, quizzes, promo websites, blogs, news resources, informational portals, forums, aggregators

E-commerce websites or web applications

Online stores, B2B portals, marketplaces, online exchanges, cashback websites, exchanges, dropshipping platforms, product parsers

Business process management web applications

CRM systems, ERP systems, corporate portals, production management systems, information parsers

Electronic service websites or web applications

Classified ads platforms, online schools, online cinemas, website builders, portals for electronic services, video hosting platforms, thematic portals

These are just some of the technical types of websites we work with, and each of them can have its own specific features and functionality, as well as be customized to meet the specific needs and goals of the client.

Offered services

Showing 1 of 1 servicesAll 2065 services

Data Processing Agreement DPA for SaaS application

Medium

~3-5 business days

FAQ

Our competencies:

Free consultation

Book a free consultation if you have any questions. A dedicated specialist will advise you.

Cost calculation

If you know what exactly you need to develop, or you already have a ready-made technical task.

Development stages

Latest works

Development of a web application for FEEDME
1161
Development of an online store for the company FURNORO
1041
Development of a web application for Enviok
822
CRM development for Chasseurs
847
Website development for SBH Partners
999
Website development for Red Pear
451

Show more works

Data Processing Agreement (DPA) implementation for SaaS application

A Data Processing Agreement (DPA) is a contract between data controller (SaaS customer) and data processor (SaaS provider), mandatory under GDPR. Without DPA, customers cannot legally transfer personal data of their users to the SaaS platform.

Who needs DPA from whom

Scenario 1: Your SaaS processes customer's user data Customer = controller, you = processor. Customer requests DPA from you.

Scenario 2: Your SaaS uses third-party services (AWS, Stripe, Mailgun) You = controller or processor, third-party service = sub-processor. Need DPA with each.

What DPA must contain

1. Subject and duration of processing
2. Nature and purpose of processing
3. Type of personal data
4. Categories of data subjects
5. Obligations and rights of controller

Processor obligations (GDPR Article 28):
- Process data only per documented instructions
- Ensure staff confidentiality
- Implement technical and organizational measures (TOM)
- Don't engage sub-processors without controller consent
- Assist in exercising data subject rights
- Delete or return data upon contract end
- Provide evidence of compliance upon request

DPA generation process in SaaS

class DPAManager:
    def generate_dpa(self, customer_id: int) -> str:
        """Generate DPA for specific customer"""
        customer = db.get_customer(customer_id)

        dpa_variables = {
            'customer_name': customer.legal_name,
            'customer_address': customer.registered_address,
            'customer_country': customer.country,
            'saas_name': 'Our SaaS Company LLC',
            'saas_address': '...',
            'data_types': customer.data_types,  # what data we process
            'purposes': customer.processing_purposes,
            'subprocessors': self.get_current_subprocessors(),
            'date': datetime.now().strftime('%m/%d/%Y'),
            'signature_placeholder': '__________'
        }

        template = self.load_template('dpa_template.md')
        return template.format(**dpa_variables)

    def get_current_subprocessors(self) -> list:
        """Current list of sub-processors"""
        return [
            {'name': 'Amazon Web Services', 'purpose': 'Hosting', 'country': 'US',
             'transfer_mechanism': 'SCCs'},
            {'name': 'Stripe', 'purpose': 'Payment processing', 'country': 'US',
             'transfer_mechanism': 'SCCs'},
            {'name': 'SendGrid', 'purpose': 'Transactional email', 'country': 'US',
             'transfer_mechanism': 'SCCs'},
            {'name': 'Cloudflare', 'purpose': 'CDN and security', 'country': 'US',
             'transfer_mechanism': 'SCCs'},
        ]

DPA signing via DocuSign/HelloSign

@app.route('/api/dpa/sign', methods=['POST'])
@require_admin
def initiate_dpa_signing():
    customer_id = current_user.customer_id
    dpa_content = dpa_manager.generate_dpa(customer_id)

    # Create signing envelope
    envelope = docusign_client.create_envelope(
        document_content=dpa_content,
        signers=[{
            'email': request.json['signatory_email'],
            'name': request.json['signatory_name'],
            'role': 'Customer Signatory'
        }, {
            'email': DPA_INTERNAL_SIGNER_EMAIL,
            'name': 'Our Legal Representative',
            'role': 'Company Signatory'
        }],
        subject='Data Processing Agreement - Our SaaS',
        message='Please review and sign the DPA.'
    )

    db.save_dpa_record(customer_id, envelope['envelope_id'], 'pending')

    return jsonify({'envelope_id': envelope['envelope_id']})


@app.route('/webhooks/docusign', methods=['POST'])
def docusign_webhook():
    event = request.json
    if event['event'] == 'envelope-completed':
        envelope_id = event['envelopeId']
        dpa_record = db.get_dpa_by_envelope(envelope_id)

        # Download signed PDF
        pdf = docusign_client.get_document(envelope_id)
        storage.upload(f"dpa/{dpa_record.customer_id}/dpa-signed.pdf", pdf)

        db.update_dpa_record(envelope_id, status='signed',
                            signed_at=datetime.utcnow())

        # Notify customer
        send_email(dpa_record.customer_email,
                   subject='DPA signed',
                   template='dpa_signed_confirmation')

Sub-processor management page

GDPR requires notifying customers of sub-processor list changes:

class SubprocessorManager:
    def add_subprocessor(self, name, purpose, country, transfer_mechanism):
        # Save new sub-processor
        db.add_subprocessor(name, purpose, country, transfer_mechanism)

        # Notify all customers with active DPA
        customers_with_dpa = db.get_customers_with_signed_dpa()

        for customer in customers_with_dpa:
            send_email(
                to=customer.dpa_contact_email,
                subject=f'Sub-processor change: {name} added',
                template='subprocessor_change',
                vars={
                    'new_subprocessor': name,
                    'purpose': purpose,
                    'country': country,
                    'effective_date': (datetime.now() + timedelta(days=30)).strftime('%m/%d/%Y'),
                    'subprocessors_url': 'https://saas.com/legal/subprocessors'
                }
            )

        # Customer has 30 days to object

Public sub-processor page

# Data Sub-processors

Last updated: March 1, 2024

| Name | Purpose | Country | Transfer Basis |
|---|---|---|---|
| Amazon Web Services | Hosting | US | SCC |
| Stripe | Payments | US | SCC |
| SendGrid | Email | US | SCC |
| Cloudflare | CDN, security | US | SCC |

SCC = Standard Contractual Clauses (EU Standard Contractual Clauses)

Timeline

DPA implementation with generation, signing, and sub-processor management — 3–5 working days.