Question 1

What does a custom Data Processing Agreement include?

Accepted Answer

Your custom DPA will include:

• Complete Article 28 UK GDPR compliance covering all processor obligations
• Subject matter, duration, nature and purpose of processing
• Types of personal data and categories of data subjects
• Processor obligations, confidentiality undertakings and security measures
• Breach notification procedures and assistance obligations
• Sub-processing arrangements with flow-down provisions
• International transfer mechanisms and safeguards
• Data deletion or return procedures at end of processing
• Audit rights and cooperation obligations
• Records of processing activities requirements

Each section is tailored specifically to your services, data categories, security measures, and vendor relationships.

Question 2

What is the delivery timeline and process?

Accepted Answer

Standard delivery is 3 business days, with optional express delivery in 1 business day.

The process:

1. After checkout, we'll email you a detailed questionnaire about your processing activities, data categories, security measures, sub-processors, and transfer mechanisms
2. A UK solicitor reviews your responses and drafts a bespoke DPA aligned to Article 28 UK GDPR
3. You receive the draft for review and can request amendments
4. We finalize the DPA ready for execution and flow-down to vendors

All communication happens via email, and you'll receive the final agreement in Word and PDF formats.

Question 3

Who will draft my Data Processing Agreement?

Accepted Answer

Your DPA will be drafted by qualified UK solicitors with extensive experience in:

• UK GDPR and data protection compliance
• Controller-processor and processor-sub-processor relationships
• Commercial contracts for technology and services companies
• International data transfer mechanisms (UK IDTA, UK Addendum to SCCs)
• Technical and organisational security measures
• Privacy and incident response frameworks

All our solicitors are regulated by the Solicitors Regulation Authority (SRA) and maintain professional indemnity insurance.

Question 4

How do you gather information about my processing activities?

Accepted Answer

After checkout, we'll send you a structured questionnaire covering:

• Your role (controller or processor) and the other party's role
• Subject matter and duration of the processing
• Nature and purpose of the processing activities
• Types of personal data and categories of data subjects
• Your technical and organisational security measures
• Sub-processors you use and approval mechanisms
• International data transfer destinations and safeguards
• Breach notification timeframes and procedures
• Audit and assistance obligations
• Data deletion or return preferences at end of processing

The questionnaire is designed to be quick to complete while capturing all essential details for Article 28 compliance.

Question 5

How many revisions are included?

Accepted Answer

Your package includes:

• Initial draft based on your questionnaire responses
• Up to 2 rounds of amendments to refine terms, obligations, and procedures
• Final review to ensure all changes are properly incorporated

Additional revision rounds beyond this are available at £150 per round. Most clients find that 2 rounds are sufficient to achieve a final DPA that meets their requirements.

Question 6

Can I consult with the solicitor directly?

Accepted Answer

Yes. While the questionnaire covers most requirements, you can request a 30-minute consultation call with the drafting solicitor (included in your package) to discuss:

• Complex processing scenarios or data flows
• Multi-party arrangements or sub-processing chains
• International transfer mechanisms and adequacy decisions
• Alignment with existing privacy notices or contracts
• Specific security or audit requirements
• Implementation and vendor negotiation guidance

Additional consultation time is available at £200 per half hour.

Question 7

What makes this different from a DPA template?

Accepted Answer

Our custom DPA differs from templates in several critical ways:

• Tailored to your specific processing activities, data categories, and security measures (not generic placeholder text)
• Aligned with your actual sub-processor arrangements and approval workflows
• Incorporates your breach notification timeframes and procedures
• Reflects your technical and organisational measures accurately
• Includes appropriate international transfer mechanisms for your vendor locations
• Flow-down provisions match your actual commercial relationships
• Audit and assistance obligations align with your operational capabilities
• Drafted in plain English that you and vendors understand
• Reviewed by a solicitor who understands your context and requirements

Templates leave critical gaps, use inappropriate provisions, and create compliance risks.

Question 8

What specific GDPR requirements does it cover?

Accepted Answer

Your DPA will comprehensively address all Article 28 UK GDPR requirements:

• Subject matter and duration of processing (Art 28(3)(a))
• Nature and purpose of processing, types of data, and data subject categories (Art 28(3)(a))
• Processor's obligations and rights (Art 28(3)(a))
• Processing only on documented instructions (Art 28(3)(a))
• Confidentiality obligations for personnel (Art 28(3)(b))
• Security of processing measures (Art 28(3)(c))
• Sub-processor engagement conditions (Art 28(2), (4))
• Assistance with data subject rights (Art 28(3)(e))
• Assistance with security, breach notification, and DPIAs (Art 28(3)(f))
• Deletion or return of data at end of processing (Art 28(3)(g))
• Making available information for demonstrating compliance (Art 28(3)(h))
• Audit and inspection rights (Art 28(3)(h))
• Records of processing activities (Art 30)

Plus appropriate provisions for international transfers if applicable.

Question 9

How does it handle international data transfers?

Accepted Answer

We include appropriate transfer mechanisms based on your vendor locations:

• UK IDTA (International Data Transfer Agreement) for transfers from UK
• UK Addendum to EU Standard Contractual Clauses for UK-EU flows
• References to adequacy decisions where applicable
• Transfer impact assessments and supplementary measures where needed
• Appropriate warranties about data protection laws in destination countries
• Suspension or termination rights if transfers become unlawful

We'll tailor the transfer provisions to your specific vendor locations and data flows identified in the questionnaire.

Question 10

Can you align the DPA with our existing contracts?

Accepted Answer

Yes. The questionnaire asks about:

• Existing master services agreements or terms you use
• Confidentiality terms already in place
• Liability caps or limitation provisions
• Termination and notice provisions
• Dispute resolution and governing law preferences
• Insurance or indemnity requirements

We'll ensure the DPA integrates smoothly with your commercial terms and avoid conflicts. We can also provide guidance on which provisions should be in the MSA versus the DPA.

Question 11

What guidance do you provide for implementation?

Accepted Answer

Along with your DPA, you'll receive:

• Execution guidance (how to sign and incorporate into vendor agreements)
• Flow-down recommendations (which provisions must pass to sub-processors)
• Record-keeping requirements (Article 30 records of processing)
• Practical notes on security measure descriptions
• Breach notification workflow guidance
• Audit rights implementation suggestions
• Vendor negotiation talking points for push-back scenarios

We want you to be able to roll out the DPA confidently to your vendors or clients.

Question 12

What happens after I receive the final DPA?

Accepted Answer

After finalization:

• You receive the DPA in Word and PDF formats for easy execution
• You can use it with unlimited vendors/clients (no per-use fees)
• You have a 12-month update window: if UK GDPR changes or your processing evolves significantly, we'll provide one free refresh
• You can return for amendments (£150 per round) if your processing activities change
• You retain the solicitor's contact for follow-up questions (first 15 minutes free within 90 days)

The DPA becomes your standard, compliant foundation for processor-controller or processor-sub-processor relationships.

Custom Data Processing
Agreement

How it works

Form & Checkout

We Draft

Review & Finalize

Why This Data Processing Agreement Works

Clear Roles & Flow‑downs

Security & Confidentiality

Transfers & Mechanisms

Audit & Assistance

Breach Notification

Deletion or Return

Join 6000+ Businesses Who Trust Us

Meet Your Expert Team

Tamara

Alicia

Johanna

Ayesha

Geraint

Kyle

Drew

Chris

Antonella

FAQs

Custom Data ProcessingAgreement