21/05/2026 4 min read

DPA and terms of service: the two data-law documents every digital business needs

A data processing agreement sets out your GDPR obligations towards the processors that handle data on your behalf. Terms of service govern how users may use your product. Here is what each must say.

Running a SaaS product, an e-commerce store or any service that touches personal data means dealing with two distinct regulatory requirements. A Data Processing Agreement (DPA) governs your relationship with vendors who process data on your behalf. Terms of Service (ToS) govern the relationship with your end users. Conflating them — or missing either — creates GDPR exposure and contract gaps.

Data Processing Agreement

Under GDPR Article 28, whenever a data controller (you) engages a data processor (a third-party vendor who processes personal data on your instructions), a written DPA is mandatory. Skipping it can cost up to 2 % of global annual turnover.

Who needs a DPA?

Any vendor that handles your users’ personal data on your behalf:

  • Cloud hosting providers (AWS, GCP, Azure)
  • Email marketing platforms (Mailchimp, Klaviyo)
  • Analytics tools that store identifiable data
  • Payment processors beyond PCI tokenisation
  • CRM and customer support platforms
  • Payroll and HR software

What a DPA must contain (GDPR Art. 28)

  1. Subject matter and duration — what processing is done and for how long.
  2. Nature and purpose of processing — categories of data, types of data subjects.
  3. Processor obligations — process only on documented instructions; assist with data subject rights; notify breaches within 72 hours; delete or return data on termination.
  4. Sub-processor controls — list of approved sub-processors; processor must get controller approval before adding new ones.
  5. Security measures — technical and organisational measures (TOMs) appropriate to the risk.
  6. Audit rights — controller’s right to audit or commission audits.
  7. Standard contractual clauses — required for transfers outside the EEA.

Most large vendors offer a pre-drafted DPA. Read it carefully: broad sub-processor lists, weak breach notification timelines and soft deletion obligations are common weak spots.

DPA vs. NDA

A DPA and an NDA serve different purposes. An NDA protects confidential business information from disclosure. A DPA ensures personal data is handled lawfully. You often need both with the same vendor.

Terms of Service

Terms of Service (also called Terms and Conditions, or T&Cs) are a contract between you and your users. They set the rules for using your product and limit your liability when things go wrong.

What ToS must cover

  1. Acceptance mechanism — clickwrap (“I agree” checkbox) or browsewrap (link in footer). Clickwrap is far more defensible in court.
  2. Permitted use and restrictions — what users can and cannot do with your product; prohibited activities.
  3. Intellectual property — you own the platform; users retain ownership of their content but grant you a licence to display and process it.
  4. Payment, refunds and cancellation — pricing, billing cycles, what happens on non-payment.
  5. Disclaimer of warranties — “as is” language limiting implied warranty claims.
  6. Limitation of liability — cap on your exposure (often one month’s fees); exclusion of indirect, consequential and punitive damages.
  7. Termination — your right to suspend or terminate accounts; notice periods.
  8. Governing law and dispute resolution — which country’s courts apply; consider arbitration for consumer-facing products.
  9. Changes to ToS — how you will notify users of updates; when changes take effect.

What ToS cannot do

ToS cannot override mandatory consumer-protection law. In the EU, unfair terms in consumer contracts are automatically void (Directive 93/13). This means you cannot disclaim liability for personal injury, ban class actions in a way that strips consumer rights, or impose disproportionate exit penalties.

How AI helps

zipzipdoc drafts a GDPR-compliant DPA that matches your processing activities and a ToS tuned to whether you are B2B, B2C or marketplace. You answer questions about your data flows and product model; the AI builds the document structure.
