Wolf-Tech Logo
Back to Blog

The DPA Behind the Contract: Engineering Controls That Make a Data Processing Agreement True

#data processing agreement engineering controls
Sandor Farkas - Founder & Lead Developer at Wolf-Tech

Sandor Farkas

Founder & Lead Developer

Expert in software development and legacy code optimization

Every B2B SaaS company that sells to European customers signs a Data Processing Agreement sooner or later. The DPA is the contract annex that turns Article 28 of the GDPR into specific promises: you will only process data on documented instructions, you will keep a current subprocessor list, you will assist with data subject requests, you will notify breaches without undue delay, and you will delete or return data when the contract ends.

For years, most DPAs were signed and filed. Nobody checked. That has changed. Enterprise buyers now run vendor security reviews that ask for evidence, not signatures. A procurement questionnaire in 2026 routinely asks how you enforce subprocessor change notifications, how long your backup retention actually is, and whether your deletion workflow covers replicas. If your engineering reality does not match your DPA, the gap surfaces during the sales cycle, at the worst possible moment.

This post walks through the clauses that appear in nearly every data processing agreement and connects each one to the engineering controls that make it true. The goal is not legal advice. It is an engineering checklist for making the contract you already signed match the system you actually run.

Why the Data Processing Agreement Became an Engineering Document

Three forces pushed the DPA out of the legal folder and into the backlog.

First, buyer-side security teams professionalized. Mid-size European companies now run the same vendor risk processes that only banks ran five years ago. They send questionnaires, they ask for evidence samples, and they compare your answers against your public subprocessor page.

Second, regulators started looking at processors directly. Supervisory authorities have fined processors, not just controllers, for security failures and for processing beyond documented instructions. The era when a processor could hide behind its customer is over.

Third, certifications raised the baseline. If your competitor has SOC 2 Type II and matching DPA evidence and you have a PDF nobody can verify, that difference shows up in deal velocity. We covered the certification side in our SOC 2 readiness checklist; this post covers the contractual side.

Clause by Clause: From Promise to Proof

1. Processing only on documented instructions

The clause sounds abstract, but it has a concrete engineering meaning: no employee, script, or analytics job should touch customer personal data for purposes outside the contract.

Controls that make it true:

  • Role-based access control with customer data scoped to the services that need it, not to everyone with a VPN login.
  • An audit log that records who accessed which tenant's data and why. Append-only storage or hash chaining makes the log credible.
  • A documented process for support access: time-boxed, ticket-linked, and logged.

Evidence a buyer can check: an access policy, a sample audit log extract with personal data redacted, and quarterly access review records.

2. The subprocessor list and change notification

Most DPAs commit you to maintaining a current list of subprocessors and notifying customers before adding one. Engineering teams break this clause constantly without noticing, because adding a subprocessor is as easy as npm install plus an API key.

Controls that make it true:

  • A machine-readable subprocessor inventory that maps every external service touching personal data: hosting, email delivery, error tracking, analytics, LLM APIs, support tooling.
  • A CI check or review rule that flags new outbound integrations. If a pull request introduces a new SDK or external endpoint, the review template asks whether it processes personal data.
  • A notification workflow: when the inventory changes, customers on the notification list get an email with an objection window, automatically.

The trap to avoid: error trackers and LLM providers. Stack traces contain personal data more often than teams assume, and prompts sent to a model API are processing in the GDPR sense. Both belong on the list.

3. Technical and organisational measures (the Annex II promises)

The TOM annex is where DPAs list encryption, access control, resilience, and testing commitments. It is also where copy-pasted templates promise things the team never built, like annual penetration tests or encryption of data at rest in every store.

Controls that make it true:

  • Encryption at rest verified across all stores, including the forgotten ones: object storage buckets, log archives, queue persistence, and database snapshots.
  • TLS enforced internally, not only at the edge.
  • Dependency and image scanning in CI, with a patching SLA you actually meet.
  • Backup restore tests on a schedule, with the result recorded.

The honest move is to rewrite the annex to match reality, then improve reality release by release. A shorter, true annex beats a long, false one in every serious review. If you are unsure where your codebase stands, an external code quality audit gives you the gap list before a customer's security team finds it for you.

4. Assistance with data subject rights

Your customer is the controller, but when their user demands access or erasure, the DPA obliges you to help within a defined window. If fulfilling an export request takes an engineer two days of ad hoc SQL, you do not have a control, you have a liability.

Controls that make it true:

  • A per-tenant export endpoint or admin action that produces a structured, complete copy of one data subject's records.
  • An erasure workflow that is idempotent, covers search indexes and caches, and is honest about backup retention. We wrote about the hard parts in engineering the right to erasure.
  • Request tracking with timestamps, so you can prove you responded inside the contractual window.

5. Breach notification without undue delay

DPAs typically commit the processor to notifying the controller within a fixed window, often 24 to 48 hours, much tighter than the 72 hours Article 33 gives the controller. That window is an engineering requirement disguised as a legal one: you cannot notify what you cannot detect.

Controls that make it true:

  • Alerting on the signals that precede breach discovery: anomalous query volume, authentication anomalies, exfiltration-sized egress.
  • An incident runbook that names the person who decides whether an event is notifiable, with a deputy for vacations.
  • A customer contact register, current and exportable, so notification does not start with a search through the CRM.

Run one tabletop exercise per year. The first one always finds the same gap: nobody knows who is allowed to send the notification email.

6. Deletion or return at end of contract

The quietest clause is the one most often false. When a customer churns, their data should be deleted or returned within the contractual period, including replicas, analytics copies, and backups beyond the stated retention window.

Controls that make it true:

  • An offboarding workflow triggered by contract end, not by someone remembering.
  • Tenant-scoped deletion that enumerates every store where tenant data lives. A data map, even a simple YAML file in the repo, is the prerequisite.
  • Backup expiry policies that match the retention number written in the DPA. If the DPA says 90 days and your snapshots live for a year, the contract is false today.
  • A deletion certificate generated from the workflow's completion log, because buyers ask for one.

A Mapping Table to Steal

DPA clauseEngineering controlEvidence artifact
Documented instructions onlyRBAC plus tenant-scoped audit logAccess policy, log sample, review records
Subprocessor managementInventory plus CI flag on new integrationsPublic list, notification emails
Technical measures (TOMs)Encryption, scanning, restore testsConfig screenshots, CI reports, test logs
Data subject assistanceExport and erasure workflowsRequest log with timestamps
Breach notificationDetection alerts plus runbookTabletop report, alert configs
End-of-contract deletionOffboarding workflow plus backup expiryDeletion certificate, retention configs

How to Close the Gap Without Stopping the Roadmap

Treat the DPA like a failing test suite. List every commitment, mark each one true, partially true, or false, and triage.

Week one is the audit: read your own DPA next to your architecture diagram and produce the gap list. Most teams find two or three false clauses and a handful of partially true ones.

The first month covers the cheap wins: the subprocessor inventory, backup retention alignment, and the support access policy. None of these require new infrastructure.

The first quarter covers the workflows: tenant offboarding, data subject export, and the breach runbook with one tabletop run. These are real engineering projects, but each one is days, not months, when scoped properly.

What remains is usually structural, like tenant-scoped deletion across a system that was never designed for it. That is an architecture project, and it pays for itself the first time a major customer's security review goes smoothly. If your team lacks the capacity to build these workflows alongside feature work, this is exactly the kind of bounded, high-leverage project we take on in custom software development engagements.

FAQ

Is a signed DPA enough for GDPR compliance as a processor? No. The DPA is the contractual layer. Article 28 also requires that the measures described actually exist, and Article 32 requires security appropriate to the risk. A signed document with no controls behind it can make things worse, because it documents promises you knowingly fail to keep.

Do LLM API providers count as subprocessors? If prompts or completions contain personal data, yes. Add the provider to your subprocessor list, sign their DPA, and check where the data is processed. Several providers offer EU-region endpoints with zero-retention options precisely for this reason.

Our DPA promises 30-day backup deletion but our backups keep data for a year. What now? Fix whichever side is cheaper to fix, fast. Either shorten backup retention or amend the DPA to state the real number with a clear justification. A documented, honest retention period is defensible. A false contractual statement is not.

How much of this do enterprise buyers actually check? More each year. Subprocessor lists and breach notification windows are checked almost universally now. Deletion evidence and TOM verification show up in larger deals and regulated industries. The pattern matches what we described in the B2B SaaS security checklist enterprise clients actually audit.

Make the Contract True

A data processing agreement is a list of engineering requirements wearing legal clothing. Teams that treat it that way turn vendor reviews from a sales blocker into a closing argument.

If you want a second pair of eyes on the gap between your DPA and your architecture, we do exactly this kind of review. Write to hello@wolf-tech.io or visit wolf-tech.io and get in touch. One focused audit now is cheaper than one stalled enterprise deal later.