Relevant
Things You Should Know About Data Processing Agreement (DPA) In Software Development Outsourcing

Things You Should Know About Data Processing Agreement (DPA) In Software Development Outsourcing

  • 6 mins read
Andrew BurakAndrew BurakCEO and Founder at Relevant Software

GDPR fines have passed €7.1 billion since 2018, and regulators issued €1.2 billion in 2025 alone (CMS GDPR Enforcement Tracker, 2026). Miss one contract and the bill can reach €20 million or 4% of global turnover, whichever is higher. That risk sits at the center of every deal where an EU business hands personal data to an outside vendor. A data processing agreement (DPA) is the document that keeps such work legal. This post explains what a DPA covers, who signs it, and what to check before you sign one in software development outsourcing. It is written for founders and CTOs who work with vendors outside the EU.

Data processing agreement in software development outsourcing

What is a DPA? 

Under EU data protection law, a party outside the European Union can process personal data of EU residents only if a legal agreement regulates that work. That agreement is the DPA, or data processing agreement. GDPR Article 28 makes it mandatory whenever a controller uses a processor.

A DPA is a legal document signed by the controller and the processor, in writing or in electronic form. Its purpose is to set the terms for processing EU residents’ personal data. Personal data means any information that can identify a person, such as a first and last name, date of birth, or place of residence.

Article 28(3) sets the minimum content of a DPA in eight clauses. None of them are optional. The agreement covers:

  • the scope, subject matter, and purpose of the processing;
  • what data is processed and how it is protected, in line with Article 32 security duties;
  • the relationship between the controller and the processor, plus rules on sub-processors, breach notice, audits, and data return or deletion.

Who is a data controller and a data processor in software development outsourcing? 

The data controller is the person or company that sets the conditions for processing. In software development, that is the client. The data processor is the person or company that processes data on the controller’s behalf, following the controller’s instructions. In outsourcing, that is the contractor.

Take Ukraine as an example. Ukraine is not part of the European Union, yet GDPR rules apply to Ukrainian companies the moment they touch EU residents’ data. That happens often in IT outsourcing. Here is a typical case.

Say an IT outsourcing company gets a job from an EU customer to build a data management app for a healthcare facility. The team needs access to patient data, which is personal and often sensitive. Even without storing it on any device, that access still counts as personal data processing.

Under the GDPR, the party that defines the purpose of processing, the controller, carries more legal obligations. But protecting the data is the job of both sides: the EU company that needs the app and the outsourcing company that needs the data to finish the project.

What happens after you sign the DPA with your EU customer? 

In most cases, the customer, who is also the controller, tells you what to do. As the processor, you follow the organizational measures and technical requirements set out in the DPA. Sometimes a controller asks a processor to pass a certification or adopt binding corporate rules approved by EU regulators. That is still rare, since there is no single GDPR certification and the available schemes stay complex.

What about data leaving the EU? 

A DPA alone does not cover a transfer of data outside the EU. For that, you need a valid transfer mechanism. For US vendors, the EU-US Data Privacy Framework became available in July 2023, after the Court of Justice struck down its predecessor, Privacy Shield, in 2020. Many companies still rely on the Standard Contractual Clauses that the European Commission modernized in June 2021. The 2021 SCCs use four modules, one of which fits the controller-to-processor setup common in outsourcing. Firms in Eastern Europe often pair a DPA with SCCs; you can read more in our guide to outsourcing to Eastern Europe.

Why is a DPA important when you outsource? 

If a controller wants to outsource processing to a contractor abroad, it has to show that its non-EU partner is GDPR compliant and can guarantee adequate data protection. That is why signing a DPA matters, and it matters most in software development outsourcing.

Whatever the purpose of a software product, an outsourcing company writes code that processes data belonging to its clients’ customers. Even without storing any of it, the team has access to a database. That creates a need to agree on how the data is protected, processed, stored, and used. The DPA sets out those conditions for the whole engagement.

What to watch out for when signing a DPA? 

A few things deserve close attention before you sign.

Are there enough guarantees?

Under the GDPR, a controller can be held responsible for a breach even when it happens on the processor’s side. So both parties gain when the processor can protect every piece of data the controller transfers. Smaller risks are better. If a breach still happens, the processor has to act at once to limit the damage and help with breach notice, as Article 28 requires.

How will the processor use the data?

The controller has to make sure the processor’s work does not go beyond the original legal basis for processing. In other words, the outsourcing company can use the data only for the purposes named in the agreement. Checking that scope is the controller’s job. The same limit applies to any sub-processor: under Article 28, the processor cannot bring in a sub-processor without the controller’s written authorization, and it must pass on the same data protection duties by contract.

Is there any room for interpretation? 

There should not be. The text of a DPA has to be clear and specific. If the controller plans to audit the processor, the agreement should spell out every detail of that process. Clear terms keep both sides aligned on expectations and leave no weak spots in the contract.

Relevant Software’s DPA template  

GDPR has been in force since May 2018, yet many software vendors still lack a DPA template. Those without one are, in practice, not GDPR compliant. A missing template also slows the engagement, since it pushes the client to worry about legal issues instead of the actual software. Vendors that build products for regulated fields, such as the teams in our list of healthcare software development companies, treat a ready DPA as a baseline.

At Relevant Software, we respect our clients’ time. That is why we built a legal DPA template made for software development services. When a collaboration starts, the client just fills in the details and we are set.

Written by
AuthorAndrew BurakCEO and Founder at Relevant Software
Andrew Burak is the CEO and founder of Relevant Software. With a rich background in IT project management and business, Andrew founded Relevant Software in 2013, driven by a passion for technology and a dream of creating digital products that would be used by millions of people worldwide. Andrew's approach to business is characterized by a refusal to settle for average. He constantly pushes the boundaries of what is possible, striving to achieve exceptional results that will have a significant impact on the world of technology. Under Andrew's leadership, Relevant Software has established itself as a trusted partner in the creation and delivery of digital products, serving a wide range of clients, from Fortune 500 companies to promising startups. Andrew holds a master’s degree in Computer Science, specializing in Information Control Systems and Technologies. He also holds certifications in Financial Management, People Management, and Business Development in IT. His expertise spans top industries and technologies, including Artificial Intelligence, Healthcare, Fintech, IoT, and IT Outsourcing Services. This strong foundation enables him to drive innovative solutions and deliver exceptional value to clients across diverse domains.

Results we've delivered

Related articles

Let’s talk about your project

Optional
Optional

By sending a message you agree with your information being stored by us in relation to dealing with your enquiry.
Please have a look at our Privacy Policy.