Data Processing Agreement
Customer-signable DPA with full Article 28 obligations, Annex II TOMs, and live subprocessor list.
Last updated May 8, 2026
Attestly's DPA generator produces a self-serve, customer-signable Data Processing Agreement: the document you can hand a procurement team without your lawyer being on the call.
What's in it
- Description of processing (Art. 28(3)) — subject matter, duration, nature and purpose, categories of personal data, categories of data subjects.
- Subprocessors — pulled live from your scan, with purpose, location, AI flag, and data categories per row.
- Subprocessor change process — explicit notification channel, objection window, and resolution path under Art. 28(2).
- Processor obligations — full Art. 28(3)(a)–(h) clauses (documented instructions, confidentiality, security, subprocessor terms, data-subject assistance, security/DPIA assistance, return-or-deletion, audit rights).
- Annex II — Technical and organisational measures — eight grouped sub-blocks (encryption in transit / at rest, pseudonymisation, access control, network security, integrity, availability, incident management) plus an organisational-measures list.
- Personal-data breach — notification SLA you set (default 72 hours, to match GDPR Article 33) and a process narrative.
- International transfers — incorporates the EU SCCs by reference, plus a Transfer Impact Assessment (Schrems II) note.
- Return or deletion on termination — extraction window, deletion method, and certificate availability.
- Liability — pointer to the underlying MSA's limits (we never invent monetary caps).
- Governing law and venue — defaulted from your tenant facts.
Subprocessor change notifications
The killer feature: when you publish a new DPA version that adds a new subprocessor, every customer who's signed your DPA receives an email with the diff. Attestly tracks who has signed which version, so you don't have to.
This satisfies the prior notification requirement under GDPR Article 28(2).
How signing works
Each DPA gets a signable URL under your trust center path, e.g.
https://<app-host>/trust/<slug>/dpa/sign (or the equivalent https://<slug>.<trust-root>/dpa/sign when using the trust subdomain).
Customers visit the URL, fill in their company details, and click "Accept".
We render a PDF with a SHA-256 hash of the version they signed and email both parties. The signature record lives forever in your audit log.
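The two mechanics described above, version hashing at signature time and working out who must be told when a new version adds a subprocessor, as an added example. This is illustrative code written for this page, not Attestly's implementation: the sample DPA versions, customer names and field layout are constructed, and the hash is taken over a canonical JSON serialisation of the version content rather than over the rendered PDF bytes (an assumption made so the example runs offline).

```python
import hashlib
import json
from dataclasses import dataclass, field

# Constructed sample data: two versions of a DPA's machine-readable content.
# Version 2 adds one subprocessor. Names, purposes and fields are hypothetical.
DPA_V1 = {
    "version": 1,
    "breach_notification_hours": 72,
    "subprocessors": [
        {"name": "CloudHost Example", "purpose": "hosting", "location": "EU", "ai": False},
    ],
}
DPA_V2 = {
    "version": 2,
    "breach_notification_hours": 72,
    "subprocessors": [
        {"name": "CloudHost Example", "purpose": "hosting", "location": "EU", "ai": False},
        {"name": "Transcribe Example", "purpose": "meeting transcription", "location": "US", "ai": True},
    ],
}


def version_hash(doc: dict) -> str:
    """SHA-256 over a canonical serialisation, so identical content always yields
    the same digest. A production system would hash the rendered PDF bytes;
    hashing sorted, compact JSON is an assumption made for this example."""
    canonical = json.dumps(doc, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


@dataclass(frozen=True)
class SignatureRecord:
    customer: str
    version: int
    document_sha256: str


@dataclass
class AuditLog:
    """Append-only record of who signed which version (hypothetical store)."""
    records: list = field(default_factory=list)

    def sign(self, customer: str, doc: dict) -> SignatureRecord:
        rec = SignatureRecord(customer, doc["version"], version_hash(doc))
        self.records.append(rec)
        return rec

    def verify(self, rec: SignatureRecord, doc: dict) -> bool:
        """True only if doc is exactly the version the customer signed; any edit
        to the content, or a different version number, fails the check."""
        return rec.version == doc["version"] and rec.document_sha256 == version_hash(doc)

    def signers_before(self, version: int) -> set:
        """Distinct customers whose signature is on an earlier version."""
        return {r.customer for r in self.records if r.version < version}


def subprocessor_diff(old: dict, new: dict) -> dict:
    """Subprocessors added and removed, by name, between two versions."""
    old_names = {s["name"] for s in old["subprocessors"]}
    new_names = {s["name"] for s in new["subprocessors"]}
    return {"added": sorted(new_names - old_names), "removed": sorted(old_names - new_names)}


def customers_to_notify(log: AuditLog, old: dict, new: dict) -> set:
    """Prior-notification set under Art. 28(2): everyone who signed an earlier
    version must hear about a newly added subprocessor. A version that adds
    nothing triggers no notification here."""
    if not subprocessor_diff(old, new)["added"]:
        return set()
    return log.signers_before(new["version"])


if __name__ == "__main__":
    log = AuditLog()
    rec = log.sign("Acme Corp", DPA_V1)
    log.sign("Globex", DPA_V1)
    print("v1 hash:", rec.document_sha256)
    print("diff v1 -> v2:", subprocessor_diff(DPA_V1, DPA_V2))
    print("notify:", sorted(customers_to_notify(log, DPA_V1, DPA_V2)))
    print("record still matches v1:", log.verify(rec, DPA_V1))
```

The hash in the signature record is what makes the audit log useful later: a customer who presents a PDF can have it re-hashed and compared against the record for the version they accepted, and a single changed field (a shorter breach-notification window, say) produces a mismatch. Keying the diff on subprocessor names is deliberately simple; a change of purpose or location for an existing subprocessor would need its own comparison if you wanted to notify on that as well.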
What we do not do
- We do not generate Master Services Agreements.
- We do not handle non-disclosure agreements.
- We do not produce SOC 2 reports — we map to SOC 2 controls (see SOC 2 friendly) but do not replace your auditor.
For those, talk to your lawyer. For everything DPA-shaped, Attestly has you covered.