GDPR Art. 28 / ISO/IEC 27701:2019 A.7.2.8 / NIST Privacy Framework PR.AT-2

Are Data Processing Agreements (DPAs) in place for vendors processing personal data?

Description

What this control does

Data Processing Agreements (DPAs) are legally binding contracts that privacy regulations require (GDPR Article 28, the CCPA's service-provider contract terms, HIPAA Business Associate Agreements, etc.) whenever a third-party vendor processes personal data on behalf of the organization. Under GDPR the agreement must be in writing, and the controller may only engage processors that provide sufficient guarantees of appropriate technical and organisational measures. These agreements define the scope, purpose, and duration of processing, restrict the vendor to processing on the organization's documented instructions, specify security obligations, set breach notification procedures, govern the use of sub-processors, and grant audit rights. Without valid DPAs, organizations face regulatory penalties, lose visibility into vendor data handling practices, and may be held liable for vendor data breaches or misuse.

Control objective

What auditing this proves

Demonstrate that all third-party vendors processing personal data operate under executed Data Processing Agreements that define data protection obligations, processing limitations, and security requirements in compliance with applicable privacy regulations.

Associated risks

Risks this control addresses

  • Vendor processes personal data outside the scope of authorized purposes, leading to unlawful secondary use or commercialization of customer information
  • Organization held liable for vendor data breach or unauthorized disclosure due to lack of contractual security obligations and indemnification clauses
  • Regulatory enforcement action and financial penalties for failure to establish required processor agreements under GDPR Article 28 or equivalent regulations
  • Vendor transfers personal data to other jurisdictions without a valid transfer mechanism (e.g. an adequacy decision or standard contractual clauses), or engages sub-processors without the organization's prior written authorization
  • Inability to exercise audit rights or verify vendor compliance with data protection requirements due to missing contractual provisions
  • Data subject rights requests (access, deletion, portability) cannot be fulfilled because vendor obligations are not contractually defined
  • Vendor retains personal data beyond necessary retention periods or fails to return/delete data upon contract termination due to absent data handling requirements

Testing procedure

How an auditor verifies this control

  1. Obtain the complete inventory of third-party vendors, service providers, and contractors from procurement, legal, and IT systems
  2. Identify which vendors process, store, or transmit personal data by reviewing data flow diagrams, system integrations, vendor questionnaires, and privacy impact assessments
  3. Request executed DPAs or data processing clauses embedded in master service agreements for all vendors identified as data processors
  4. Review each DPA for required elements: data processing scope and purpose, data categories and subject types, processing duration, processing only on the organization's documented instructions, confidentiality obligations for vendor personnel, security obligations, sub-processor provisions, breach notification requirements, assistance with data subject requests, audit rights, data return/deletion procedures, and cross-border transfer mechanisms
  5. Verify DPA execution dates precede the commencement of data processing activities and confirm signatures from authorized representatives of both parties
  6. Cross-reference DPA terms against applicable regulatory requirements (GDPR Article 28, CCPA, HIPAA BAA requirements, etc.) to confirm legal sufficiency
  7. Identify any vendors processing personal data without executed DPAs and document the gap, data volumes involved, and regulatory exposure
  8. Validate that sub-processor provisions exist and obtain evidence of sub-processor lists or prior written consent mechanisms where vendors engage downstream processors

Evidence required

Collect executed DPA documents with signatures and dates for all in-scope vendors, vendor inventory spreadsheets annotated with personal data processing status, data flow diagrams or system integration documentation showing data shared with vendors, email correspondence or contract management system records demonstrating DPA negotiation and execution timelines, and vendor-provided sub-processor lists or notices. Capture screenshots from contract management platforms showing DPA status tracking and any identified gaps or missing agreements.

Pass criteria

All vendors identified as processing personal data on behalf of the organization have executed Data Processing Agreements in place prior to data processing commencement, with agreements containing all required regulatory elements and no identified gaps in vendor coverage.