Purpose & Scope:
This template establishes the data processing terms between Truvara (as data controller) and its vendors (as data processors) to ensure GDPR‑compliant handling of personal data. It applies to all vendors that process EU‑resident personal data on behalf of Truvara.
Instructions:
- Who: Procurement or Legal team completes this template during vendor onboarding.
- When: Before any data processing begins; must be signed prior to sharing personal data.
- How often: Review and update annually or when processing activities change significantly.
Data Processing Agreement
Version: 1.0 | Owner: Legal/CISO | Review Cycle: Annual
Parties and Definitions
| # | Field | Guidance | Value |
|---|---|---|---|
| 1 | Data Controller | Full legal name and address of Truvara | [Truvara Legal Entity Name, Address] |
| 2 | Data Processor | Full legal name and address of the vendor | [Vendor Legal Entity Name, Address] |
| 3 | Effective Date | Date when this DPA becomes effective | [Date] |
| 4 | Term | Duration of the agreement (align with vendor contract) | [Term] |
| 5 | Type of Personal Data | Categories of data processed (e.g., name, email, IP, health) | [List categories] |
| 6 | Data Subjects | Individuals whose data is processed (e.g., customers, employees) | [Describe data subjects] |
| 7 | Processing Activities | Specific operations performed (e.g., storage, hosting, analytics) | [Describe processing] |
| 8 | Purpose of Processing | Lawful basis and specific purpose under GDPR | [State purpose and legal basis] |
Processor Obligations
| # | Field | Guidance | Value |
|---|---|---|---|
| 9 | Compliance with Laws | Processor must comply with GDPR and applicable data protection laws | [Confirm compliance] |
| 10 | Processing Instructions | Processor shall act only on documented instructions from Controller | [Confirm instruction‑based processing] |
| 11 | Confidentiality | Persons processing data are bound by confidentiality obligations | [Confirm confidentiality measures] |
| 12 | Security Measures | Technical and organizational measures under Article 32 GDPR (encryption, pseudonymization, access controls, etc.) | [Describe security measures] |
| 13 | Sub‑processor Authorization | General or specific written authorization for sub‑processors; Controller has right to object | [Specify authorization type: General/Specific] |
| 14 | Sub‑processor List | Current list of sub‑processors with locations and services provided | [Attach or list sub‑processors] |
| 15 | Data Subject Rights Assistance | Processor shall assist Controller in responding to data subject requests (access, rectification, erasure, etc.) within GDPR timelines | [Describe assistance process] |
| 16 | Breach Notification | Processor shall notify Controller of any personal data breach without undue delay and no later than 24 hours after becoming aware of it | [Confirm 24‑hour notification SLA] |
| 17 | Audit Rights | Controller may conduct audits or inspections; Processor shall provide necessary information and cooperation | [Specify audit frequency and notice period] |
| 18 | Data Deletion/Return | Upon termination, Processor shall delete or return all personal data and certify completion | [Specify format: deletion or return; provide certification timeline] |
| 19 | International Transfers | If transferring data outside the EEA, specify the safeguards relied on (SCCs, BCRs, adequacy decision) | [Describe transfer mechanism and location] |
| 20 | Liability and Indemnity | Allocation of liability for GDPR violations; indemnity clauses | [Reference main contract; note any DPA‑specific terms] |
Checklist for Completion
- Controller and Processor details filled accurately
- Processing activities and purposes documented
- Security measures aligned with Article 32 GDPR
- Sub‑processor policy defined (general/specific authorization)
- Breach notification timeline confirmed (≤24 hours)
- Data subject rights assistance process outlined
- Audit rights and cooperation terms specified
- Data deletion/return procedure established
- International transfer safeguards documented (if applicable)
- Template reviewed by Legal and Privacy teams
Key Takeaways
- Start early: Fill out the DPA before any personal data is shared with a vendor.
- Stay specific: Clearly list data categories, processing activities, and legal bases to avoid ambiguity.
- Lock down security: Reference Article 32 controls (encryption, pseudonymisation, access controls) and verify the vendor can meet them.
- Control sub‑processors: Decide whether you need general or specific authorisation and keep an up‑to‑date list.
- Plan for incidents: A 24‑hour breach notice window from the processor gives Truvara time to meet its own 72‑hour deadline for notifying the supervisory authority under GDPR Article 33; treat it as non‑negotiable and embed it in service‑level agreements.
- Audit readiness: Schedule periodic audits and keep documentation handy for regulators.
Conclusion
A well‑crafted Data Processing Agreement is the backbone of any vendor onboarding program that handles EU personal data. By using this template, Truvara’s procurement and legal teams can quickly capture the essential clauses—controller/processor details, security obligations, breach reporting, and audit rights—while staying aligned with GDPR Article 28. Remember to review the DPA annually, adjust it for any regulatory changes (e.g., CCPA or LGPD), and involve legal counsel before finalising. Taking these steps now reduces risk, builds trust with customers, and keeps your data‑processing ecosystem compliant.
Next steps: Download the template, populate the fields with accurate vendor information, have both parties sign, and store the agreement in a centralized repository. Schedule a yearly review meeting to verify that all obligations remain current and that any new processing activities are captured promptly. This disciplined approach ensures continuous compliance and protects both your organization and the individuals whose data you handle.