DPAs in place for all processors
Description
What this control does
This control requires that formal Data Processing Agreements (DPAs) are executed with every third-party data processor that handles personal or sensitive data on behalf of the organization. A DPA defines the scope, duration, nature, and purpose of the processing; establishes processor obligations, including security measures and breach notification requirements; and delineates liability and indemnification terms. Such agreements are legally required under GDPR (Article 28), CCPA, and similar privacy regulations to clarify the controller-processor relationship and to ensure that processors implement appropriate technical and organizational safeguards.
Control objective
What auditing this proves
Demonstrate that valid, comprehensive Data Processing Agreements are in place with all third-party processors handling organizational data, covering all required regulatory provisions and updated to reflect current processing activities.
Associated risks
Risks this control addresses
- Regulatory enforcement action and fines for non-compliance with GDPR Article 28, CCPA, or equivalent privacy law processor requirements
- Unauthorized use or disclosure of personal data by processors lacking contractual security and confidentiality obligations
- Loss of legal recourse and indemnification when processors cause data breaches or misuse data outside permitted purposes
- Inability to enforce data subject rights (access, deletion, portability) when processor obligations are not contractually defined
- Data residency and cross-border transfer violations when DPAs fail to specify permitted processing locations and transfer mechanisms
- Scope creep where processors use organizational data for their own purposes without contractual restrictions prohibiting secondary use
- Inadequate incident response coordination when DPAs lack breach notification timelines and processor reporting obligations
Testing procedure
How an auditor verifies this control
- Obtain the organization's complete inventory of third-party vendors and service providers who process personal or sensitive data, including cloud platforms, SaaS applications, payment processors, HR systems, and marketing vendors
- Request executed DPA documentation for each identified processor, including amendments, addenda, and Standard Contractual Clauses where applicable for international transfers
- Select a representative sample of 10-15 processor relationships spanning high-risk, moderate-risk, and low-risk processing activities based on data sensitivity and volume
- Review each sampled DPA to verify inclusion of required clauses: processing scope and purpose limitations, data security obligations, subprocessor notification and approval rights, breach notification timelines, data subject rights support, audit rights, liability and indemnification, and data deletion or return provisions
- Cross-reference DPA terms against actual processing activities documented in vendor assessments, contracts, and system documentation to identify gaps where processing scope exceeds contractual permissions
- Verify DPAs are signed by authorized representatives with appropriate signature authority and dated within reasonable proximity to when processing activities commenced
- Interview procurement, legal, and privacy teams to assess the process for ensuring new processors execute DPAs before data processing begins and existing DPAs are reviewed and updated when processing changes
- Test for exceptions by identifying any processors on the inventory lacking executed DPAs and assess whether alternative legal mechanisms (e.g., direct contractual provisions, consent) adequately address regulatory requirements