Glossary term

Data Processing Agreement (DPA)

A Data Processing Agreement (DPA) is a contract between an organization (the data controller) and a vendor (the data processor) that specifies how the vendor handles personal data on the organization's behalf — covering scope, security, sub-processors, retention, breach notification, and the data subjects' rights.

Why DPAs matter for mission-driven orgs

Nonprofits, B Corps, and public-good organizations frequently process sensitive member, donor, or beneficiary data. A DPA is the contractual mechanism that makes the vendor accountable for handling that data the way the organization promised its members and funders it would be handled. It’s the difference between “the vendor said they’d be careful” and “the vendor is legally obligated.”

What a good DPA covers

  • The categories of personal data and data subjects involved.
  • The specific purposes for which processing is permitted, with an explicit prohibition on any other use (including using the data to train AI models).
  • Security measures (encryption at rest and in transit, access controls, MFA on admin accounts).
  • Sub-processors used, with a notification and objection right for changes.
  • Data residency and cross-border transfer mechanisms (SCCs, adequacy decisions).
  • Retention and deletion timelines.
  • Breach notification timelines (e.g. 72 hours).
  • Audit rights and assistance with data subject rights requests.

Where it shows up in WordPress and AI engagements

Every third-party integration — hosting, CRM, email, analytics, AI APIs — needs a DPA review before it touches member data. AI engagements are particularly sensitive because of training-data and retention questions; we default to providers that contractually commit to zero data retention for grounded queries.