The Data Processing Agreement Template for Enrichment Vendors
A Data Processing Agreement (DPA) is not just a compliance checkbox. It is the contract that defines what your enrichment vendor can and cannot do with the personal data they process on your behalf. Get it wrong (or skip it entirely) and you are exposed to regulatory risk, data misuse, and potential liability for your vendor's mistakes.
Let us break down what a solid DPA should contain and how to negotiate the terms that matter most.
Why DPAs Matter for Enrichment
Under GDPR, a DPA is legally required whenever a data controller (you) engages a data processor (your enrichment vendor) to handle personal data. Under CCPA, similar contractual requirements apply to service provider relationships. Even in jurisdictions without explicit DPA requirements, having one is best practice because it clearly defines responsibilities and reduces ambiguity about data handling.
For enrichment specifically, the DPA matters because your vendor is accessing, processing, and returning personal data (names, emails, phone numbers, job titles) at scale. Without a DPA, there is nothing contractually preventing the vendor from retaining that data, combining it with other sources, or using it for purposes you did not intend.
Essential DPA Components
1. Purpose and Scope of Processing
The DPA should clearly state why the vendor is processing data and what processing activities are covered. For enrichment, this typically includes:
- Receiving contact records from the controller for enrichment
- Querying data sources to discover additional contact information
- Verifying email addresses and phone numbers
- Returning enriched and verified data to the controller
The scope should be specific enough that the vendor cannot claim authorization for processing activities you did not intend. Broad language like the vendor may process data for business purposes is too vague. Specify the exact processing activities.
2. Categories of Personal Data
List the types of personal data the vendor will process:
- Full names
- Email addresses (work and personal)
- Phone numbers (direct dial, mobile, landline)
- Job titles and seniority levels
- Company names and company identifiers
- Company firmographic data (size, industry, location)
- Technology stack data
Explicitly exclude sensitive data categories that should not be part of the enrichment process: racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, or financial account information.
3. Data Retention Period
Specify how long the vendor retains the data you send them and the enrichment results. Options include:
- No retention: the vendor deletes all data after processing and returning results (most privacy-friendly)
- Limited retention: the vendor retains data for a specified period (30, 60, 90 days) for quality assurance and re-processing purposes
- Contract-term retention: the vendor retains data for the duration of the contract and deletes upon termination
The shorter the retention period, the lower your compliance risk. Push for no-retention or limited-retention terms.
4. Security Measures
The DPA should specify the technical and organizational security measures the vendor implements. At minimum, expect:
- Encryption in transit (TLS/SSL for all API communications)
- Encryption at rest (AES-256 or equivalent for stored data)
- Access controls (role-based access, multi-factor authentication for employees)
- Network security (firewalls, intrusion detection, DDoS protection)
- Employee training (regular security awareness training)
- Physical security (secure data centers with access controls)
- Regular security testing (penetration testing, vulnerability scanning)
5. Sub-Processor Management
The DPA should address sub-processors (third parties the vendor uses to process data):
- Current list of sub-processors with their roles and locations
- Process for adding new sub-processors (prior notice to you, typically 30 days)
- Your right to object to new sub-processors
- The vendor's obligation to ensure sub-processors are bound by equivalent DPA terms
6. Audit Rights
You should have the right to audit the vendor's compliance with the DPA. This can take several forms:
- Right to request and review the vendor's SOC 2 or ISO 27001 audit reports
- Right to conduct on-site or remote audits with reasonable notice
- Right to engage a third-party auditor at your expense
Most vendors will not agree to unlimited on-site audits, but they should be willing to share third-party audit reports and respond to written audit questionnaires.
7. Breach Notification
The DPA should specify the vendor's obligations in the event of a data breach:
- Notification timeline: GDPR requires processors to notify controllers without undue delay. Best practice is 72 hours or less.
- Notification content: what information the vendor will provide (nature of the breach, categories of data affected, estimated number of records, measures taken)
- Cooperation: the vendor's obligation to assist you in meeting your own breach notification obligations to regulators and data subjects
8. Data Return and Deletion
What happens to your data when the contract ends?
- The vendor should return all your data in a machine-readable format upon request
- After return (or upon instruction), the vendor should securely delete all copies of your data
- Deletion should extend to backups within a specified timeframe (typically 30 to 90 days)
- The vendor should provide written certification of deletion upon request
9. International Data Transfer Mechanisms
If data crosses borders (especially EU data processed outside the EU), the DPA should specify the transfer mechanism:
- Standard Contractual Clauses (SCCs) as adopted by the European Commission
- Binding Corporate Rules (for intra-group transfers)
- Any applicable adequacy decisions
10. Liability and Indemnification
The DPA should address liability allocation:
- The vendor's liability for breaches of the DPA
- Indemnification for regulatory fines resulting from the vendor's non-compliance
- Liability caps (most vendors will negotiate caps, typically tied to contract value)
Negotiation Tips
Start with the Vendor's Template
Most reputable enrichment vendors have a standard DPA that they have already vetted with their legal team. Start with their template rather than drafting from scratch. It is usually faster and covers the basics adequately.
Focus on the Points That Matter
Do not try to negotiate every clause. Focus on: retention period (push for shorter), breach notification timeline (push for faster), deletion upon termination (push for comprehensive), and sub-processor management (push for prior notice and objection rights).
Accept Reasonable Compromises
Vendors may push back on unlimited audit rights, zero-retention policies, or uncapped liability. These are reasonable negotiation points. What is not reasonable: refusing to sign a DPA at all, refusing to disclose sub-processors, or refusing to commit to breach notification timelines.
Red Flags in Vendor DPAs
- Language that allows the vendor to use your data for their own purposes (improving their products by using your data should be opt-in, not default)
- Overly broad processing purposes that could cover activities you did not intend
- Unlimited retention with no deletion obligation
- No sub-processor transparency or notification
- Breach notification timelines longer than 72 hours
- No audit rights of any kind
The Bottom Line
A DPA is not optional when you use enrichment vendors that process personal data. It protects you legally, defines the vendor's obligations, and provides recourse if something goes wrong. Most enrichment vendors (including BetterEnrich) have standard DPAs ready for review. Take the time to read them carefully, negotiate the key terms, and keep the signed agreement on file. It takes a few hours of legal review to complete and provides years of protection.




