Data Processing Agreement

Article 28 GDPR-compliant DPA for UK, EEA, and global customers.

How to execute this DPA

1. Download. Click the button above to download the DPA PDF.
2. Complete Part B. Fill in your organisation's details (legal name, registered address, signatory) on page 3 of the PDF.
3. Sign Part D. Your authorised signatory signs page 6.
4. Send to us. Email the signed PDF to legal@vyndeal.com.
5. We countersign & return. Within 5 working days, we'll countersign and email you a fully-executed copy.

What this DPA covers

• Roles of controller and processor under UK GDPR / EU GDPR Article 28
• Scope, nature, and purpose of processing (Schedule 1)
• Technical and organisational security measures (Schedule 2)
• Authorised sub-processors and the 30-day notification commitment (Schedule 3)
• International transfer mechanism — Standard Contractual Clauses (EU) and IDTA (UK), incorporated by reference (Schedule 4)
• Data subject rights assistance, breach notification within 72 hours, audit rights, and data return/deletion on termination

Frequently asked

Do we need to sign the DPA before signing the MSA?

No — the DPA can be signed at any time before personal data starts flowing. Most customers sign the MSA and DPA together at onboarding.

Can we add or remove clauses?

For routine requests, the template is final. For enterprise contracts (typically 50+ users), we'll consider mark-ups; please email legal@vyndeal.com with your suggested edits.

Is this DPA enough for our supplier audit?

Together with our Privacy Policy, sub-processor list, and the security measures in Schedule 2, the DPA is the standard package for B2B SaaS supplier audits. If your procurement team needs a SIG or CAIQ questionnaire completed, send it to security@vyndeal.com.

Request a pre-countersigned copy

If you'd prefer to receive a copy already signed by us (so you only need to add your details and signature), fill in the form below.