DPA (Data Processing Agreement)
A contract between a data controller and processor defining GDPR-compliant data handling.
A DPA (Data Processing Agreement) is a legally binding contract between a data controller (the business that decides why and how personal data is processed) and a data processor (a vendor that processes that data on the controller's behalf). Under GDPR Article 28, a DPA is mandatory whenever a controller engages a processor.
Why it applies to AI voice agents
An AI calling platform processes personal data on your behalf — caller phone numbers, names, recordings, and transcripts. If you operate in or serve the EU/UK, you (the controller) must have a DPA in place with the platform (the processor) before that data is processed.
What a DPA typically defines
- The scope, nature, and purpose of processing, and the categories of data subjects.
- Security measures (encryption in transit and at rest, access controls).
- Sub-processor disclosure and approval rules.
- Data subject rights handling (access, deletion, portability).
- Breach notification timelines.
- International transfer mechanisms (e.g., Standard Contractual Clauses).
A DPA is distinct from a privacy policy: the privacy policy informs end users, while the DPA governs the controller-processor relationship.