Template · Free · 60-120 minutes
Data Processing Agreement (DPA) Requirements Template
Free DPA requirements checklist for B2B product managers. Covers processor obligations, sub-processors, cross-border transfers, and breach notification...
Updated 2026-03-04
| # | Item | Category | Priority | Owner | Status | Notes |
|---|---|---|---|---|---|---|
| 1 | | | | | | |
| 2 | | | | | | |
| 3 | | | | | | |
| 4 | | | | | | |
| 5 | | | | | | |
Frequently Asked Questions
What is the difference between a data controller and a data processor?
The data controller decides why and how personal data is processed. The data processor handles data on behalf of the controller. In B2B SaaS, your customer is typically the controller (they decide what employee or customer data to put in your product) and you are the processor (you store and process it according to their instructions). This distinction matters because processors have specific legal obligations including following controller instructions and maintaining sub-processor agreements. See the [Technical PM Handbook](/technical-pm-guide) for how these roles affect system architecture decisions.
Do all B2B products need a DPA?
Any B2B product that processes personal data on behalf of customers needs a DPA if those customers are subject to GDPR, CCPA, or similar regulations. In practice, this means almost every B2B SaaS product. Even if your product only stores email addresses and names, those are personal data. Enterprise sales teams will tell you that DPA requests have become standard in procurement workflows since 2020.
How do you handle sub-processor changes without losing customers?
Provide at least 30 days advance notice before adding a new sub-processor. Give customers a formal objection mechanism. If a customer objects, offer alternatives (different region, different processor) or allow them to terminate without penalty. Most customers will not object if the new processor meets equivalent security standards. The key is transparency: surprise sub-processor changes erode trust.
What product capabilities does a DPA actually require?
At minimum, your product needs: data export (machine-readable), data deletion (scoped to individual data subjects), encryption (at rest and in transit), access controls, and audit logging. More mature DPA requirements include data residency options, processing restriction, automated breach detection, and deletion certification. Prioritize these using the [RICE Calculator](/tools/rice-calculator) based on how many enterprise deals they block.
What happens at contract termination?
Your DPA should specify a data return period (typically 30-60 days) during which the customer can export their data. After that period, you must delete all customer data and provide a deletion certificate. The tricky part is backups: most systems retain backups for 30-90 days beyond the deletion date. Your DPA needs to disclose this and commit to eventual purge. Build automated termination workflows rather than relying on manual processes.
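The two answers above describe capabilities (data-subject-scoped deletion, audit logging, a deletion certificate) and a procedure (return window, live deletion, delayed backup purge). The following is an added example, not code from this template or any product: it models both in a small in-memory tenant store. The store, record ids, tenant name and the 30-day return window and 90-day backup retention are constructed assumptions; the function and field names are hypothetical.

```python
"""Added example: automated DPA termination workflow with data-subject-scoped
deletion.  The tenant store, record ids and retention windows below are
constructed for illustration and are not any real product's implementation."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class TenantStore:
    """In-memory stand-in for one customer's (controller's) data in the product."""
    tenant: str
    # record_id -> {"subject": data-subject id, "payload": personal data}
    records: dict[str, dict] = field(default_factory=dict)
    # The audit log survives deletion, so it must not itself hold personal data.
    audit_log: list[dict] = field(default_factory=list)


def delete_data_subject(store: TenantStore, subject_id: str, on_iso: str) -> list[str]:
    """Delete every record of one data subject and leave an audit entry.

    Scoping the deletion to the subject (not the whole tenant) is what lets a
    controller honour an individual erasure request without losing other data.
    Returns the ids of the deleted records.
    """
    doomed = sorted(rid for rid, rec in store.records.items() if rec["subject"] == subject_id)
    for rid in doomed:
        del store.records[rid]
    # Log a digest of the subject id, not the id itself, so the trail proves the
    # action happened without re-storing what was just erased.
    store.audit_log.append({
        "event": "subject_deleted",
        "subject_digest": hashlib.sha256(subject_id.encode()).hexdigest(),
        "record_count": len(doomed),
        "on": date.fromisoformat(on_iso).isoformat(),
    })
    return doomed


def terminate_tenant(store: TenantStore, terminated_on_iso: str,
                     return_days: int = 30, backup_retention_days: int = 90) -> dict:
    """Compute termination milestones, delete live data, and issue a certificate.

    return_days and backup_retention_days are assumed contract values taken
    from the DPA; the milestones are what the DPA must disclose to the customer.
    """
    terminated_on = date.fromisoformat(terminated_on_iso)
    return_window_ends = terminated_on + timedelta(days=return_days)
    backups_purged_by = return_window_ends + timedelta(days=backup_retention_days)

    deleted_ids = sorted(store.records)
    store.records.clear()
    store.audit_log.append({"event": "tenant_deleted", "record_count": len(deleted_ids),
                            "on": return_window_ends.isoformat()})

    # The certificate commits to exactly which records were deleted (by digest of
    # their ids) and is explicit that backups lag the live deletion date.
    return {
        "tenant": store.tenant,
        "terminated_on": terminated_on.isoformat(),
        "export_available_until": return_window_ends.isoformat(),
        "live_data_deleted_on": return_window_ends.isoformat(),
        "backups_purged_by": backups_purged_by.isoformat(),
        "records_deleted": len(deleted_ids),
        "deleted_ids_digest": hashlib.sha256(json.dumps(deleted_ids).encode()).hexdigest(),
    }


def demo() -> dict:
    """Constructed sample tenant: one erasure request, then contract termination."""
    store = TenantStore("acme-corp")  # constructed tenant name
    store.records = {
        "r1": {"subject": "emp-100", "payload": {"email": "a@example.com"}},
        "r2": {"subject": "emp-100", "payload": {"name": "A. Person"}},
        "r3": {"subject": "emp-200", "payload": {"email": "b@example.com"}},
    }
    delete_data_subject(store, "emp-100", "2026-01-10")  # individual erasure
    return terminate_tenant(store, "2026-02-01")          # contract end


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the certificate is that it names three dates, not one: when export stops, when live data was deleted, and when backups are gone. That last date is the one a customer will ask about, and computing it from the contract values rather than by hand is what makes the workflow safe to automate.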