Glossary

DPA (Data Processing Agreement)

Contract under Art. 28 GDPR between controller and processor. Defines purpose, scope and safeguards of data processing. Mandatory for any SaaS handling personal data.

A Data Processing Agreement (DPA, German: AVV) is mandatory under Art. 28 GDPR whenever a vendor processes personal data on behalf of a customer. For an AI phone assistant this always applies — caller audio, transcripts and CRM data flow through the vendor pipeline.

A defensible DPA covers purpose, duration, type of data, categories of data subjects, technical and organisational measures (TOMs), and the rules around sub-processors. Vendors should provide a clearly versioned document, not a one-off PDF on request.

In practice, what also matters: a transparent list of sub-processors, guaranteed EU data residency, and a defined procedure for personal-data breaches. Without a DPA, deployment is formally unlawful even in B2B contexts.

FAQ
Who signs the DPA?

On the customer side, the legal data controller — typically the managing director or DPO. On the vendor side, an authorised representative.

Is the vendor’s standard DPA sufficient?

For most B2B setups, yes — provided it covers EU data residency, sub-processor transparency, and a breach-notification process. Legal review is advisable for healthcare, legal, or other regulated verticals.