DPA Template 2026 for Privacy Counsel Teams

Download the draft DPA covering SCC references, security measures, subprocessors, and breach SLAs — finalize with GSDSI counsel before signature.

Negotiating template contents

The downloadable PDF is intentionally watermarked Draft 2026. It frames controller versus processor obligations, SCC references for EU/UK controllers, subprocessor disclosures tied to /trust/sub-processors, mandated technical measures aligned to SOC2 controls in progress, regulator assistance workflows, subprocessor-change notification windows, deletion/return steps, conditional audit clauses, plus incident escalation mirroring Tier 1/2 SLA language.

Operational guidance

  • Route redlines simultaneously to procurement and compliance@gsdsi.com for threaded responses.
  • Request editable DOCX only after diligence scoping with the compliance inbox.
  • Never circulate unsigned PDFs externally as finalized agreements.

Download gsdsi-dpa-template-2026.pdf (draft watermark).

FAQ

Is the downloadable PDF a binding agreement?
No. It is a watermarked drafting template for negotiating teams. Executable obligations emerge only after both parties countersign an order referencing the final DPA or equivalent data processing exhibit.

Which transfer mechanisms does the template reference?
The scaffold references SCC Module 2 (controller-to-processor) where GDPR/UK GDPR transfers apply and aligns supplementary measures with TLS 1.2+, AES-256 storage, MFA, RBAC, and subprocessors enumerated on /trust/sub-processors.

Where can procurement review subprocessors?
The live disclosure table lives at /trust/sub-processors — updated quarterly or sooner when materially new processors join production workflows; enterprise notices follow contract terms.

What incident timelines appear in diligence?
Tiered breach notifications start with GDPR-class 72-hour notice for confirmed unauthorized access to identified customer payloads, escalate preliminary notices inside five US business days for suspected incidents, and document non-customer-impact events according to contractual reporting cadences — see /trust/security-program for verbatim SLA language.