Sub-processor notification period (notifying Customers of changes)
In a DPA, customers will always ask to be alerted if your sub-processors change. This is called the sub-processor notification period. The most typical notification periods are:
14 days
30 days, or
A reasonable timeline
A sub-processor is a tool or vendor that you use to offer your services directly. If you have a SaaS and use Amazon Web Services or OpenAI as part of your hosting or for your AI features, they will be sub-processors.
This means that you need to notify the customers that have signed a DPA with you within those timelines. Anything longer than 30 days may become a blocker as you grow your business, because you may need to notify your Customers and then wait for their approval before making the change.
Sub-processor Authorisation (waiting for Customers' approval)
There are two common ways in which your customers may approve your changes to sub-processors: General Authorisation and Specific Authorisation.
General Authorisation: you notify your customers of a change within the specified period (e.g. 14 days) and you wait for them to object. If they don't then you can start processing with your new sub-processor.
Specific Authorisation: you notify your customers of a change within the specified period (e.g. 14 days) and you must wait for them to confirm in writing that you can use that sub-processor.
Do Data Processing Agreements (DPAs) need to be signed or can they be incorporated by reference?
In SaaS, companies manage their Services Agreements and Terms of Service in different ways. Sometimes these agreements need to be signed and sometimes they are accepted when you sign up for services, without requiring a signature. Data Processing Agreements (DPAs) work the same way.
There currently isn't clear guidance on whether it's mandatory to sign a DPA; the guidance only implies that it must be legally binding. This is why some companies offer a signed version and others a version incorporated by reference into their Services Agreement.
The best way to ensure you're meeting the requirements is to treat it as a separate agreement that must be signed by all parties.
Do Standard Contractual Clauses (SCCs) need to be added to the agreement or can they be incorporated by reference?
Similarly, with Standard Contractual Clauses (SCCs), there isn't clear guidance on whether they must be implemented into the document or if they can be incorporated by reference. Different companies take different approaches.
The best way to make sure you're meeting the requirements is to incorporate them directly into the Data Processing Agreement (DPA).
The same thing happens with the UK International Data Transfer Addendum/Agreement.
What is a standard or best practice for liability in a Data Processing Agreement (DPA)?
This clause can vary greatly depending on the companies involved in the DPA, but as a standard, we have seen:
Reference to the services agreement and the liability set out there.
A multiple of the contract value, between 1x and 5x.
Uncapped liability in the event of non-compliance.
While these vary quite a bit, they are typically what we see. Note that different wordings may affect this clause. For example, some companies establish the liability per event - which may mean each security incident or breach rather than the agreement as a whole. This can increase the liability significantly, so it's important to pay attention to such wording.