Extract data from Data Processing Agreements (DPAs)
A Data Processing Agreement is the contract that governs how one company handles personal data on behalf of another. Under GDPR Article 28, whenever a controller lets a processor handle personal data, the two must sign a binding agreement that fixes the subject matter, the duration, the nature and purpose of the processing, the categories of data and data subjects, and the obligations of each side. It is usually attached to a main services contract as a schedule, and it is a contract with two signatures, which is what separates it from a Data Protection Impact Assessment. By contrast, a DPIA is an internal risk study a controller completes before high-risk processing begins; a DPA is the negotiated agreement that binds the processor once the work is underway. Privacy counsel, vendor-management teams, and security reviewers all read the same clauses from it. Obligation lives in the clauses: the sub-processor terms, the technical and organizational measures, the international-transfer basis, and the audit rights. Processors may only engage sub-processors on the terms the controller sets, so whether sub-processors are pre-approved and whether the controller must be notified of changes are fields on their own, and each sub-processor is listed with its role and location. Technical and organizational measures that protect the data are enumerated, and any transfer of data outside the EEA has to rest on a lawful mechanism such as the 2021 EU Standard Contractual Clauses. Retention and deletion terms, audit rights, and the liability cap round out what a reviewer checks before signing. Talonic reads the DPA and returns the controller and processor, the processing purpose and data categories, the sub-processor terms, the security measures, the international-transfer mechanism, and the audit rights as typed fields, keeping the sub-processors, the processing activities, and the security measures as tables. A DPA between controller Northwind Retail Ltd and processor Cloudmesh Systems B.V., attached to master agreement MSA-2026-0442 and effective 2026-04-01, covering contact data, order history, and payment tokens for customers and website visitors, relying on the 2021 EU Standard Contractual Clauses for a transfer to a US sub-processor, with a 24-month post-termination retention limit and controller audit rights, loads into a vendor-risk register instead of a filed schedule. This extraction structures what the agreement states and does not judge whether it satisfies the GDPR.
What gets extracted from Data Processing Agreements (DPAs)
How extraction works for Data Processing Agreements (DPAs)
DPAs arrive as a schedule to a services contract, a standalone signed PDF, or a vendor's template with the parties filled in, and the Article 28 clauses are ordered differently in each. Talonic reads the agreement and maps each clause to the data-processing field set the Field Registry tracks, which separates the controller and processor, the processing description, the sub-processor and security terms, and the transfer and audit clauses rather than treating the schedule as one block. Data categories, data-subject categories, security measures, and data-subject rights come back as arrays, the sub-processor approval and notification questions are read as boolean fields, and the international-transfer mechanism and the Standard Contractual Clauses version are captured as their own values. Sub-processors, processing activities, and security measures each load as a table, and the effective, expiration, and sub-processor approval dates parse to ISO 8601. Every value carries a confidence score and a source-region pointer under DIN SPEC 91491, so a privacy reviewer can trace a transfer mechanism or a named sub-processor back to the clause. In all, Talonic captures what the agreement states and does not decide whether it meets GDPR Article 28.
Sample extraction
A GDPR Article 28 DPA attached to a SaaS master agreement
{
"document_number": "DPA-2026-0442",
"document_date": "2026-03-28",
"effective_date": "2026-04-01",
"data_controller.name": "Northwind Retail Ltd",
"data_controller.address": "20 Finsbury Circus, London EC2M 7EA",
"data_processor.name": "Cloudmesh Systems B.V.",
"data_processor.address": "Keizersgracht 300, 1016 EX Amsterdam",
"processing_purpose": "Hosting, maintenance, and support of the controller e-commerce platform",
"data_categories": [
"contact data",
"order history",
"payment tokens"
],
"data_subject_categories": [
"customers",
"website visitors"
],
"data_retention_period": "24 months after termination, then deletion",
"sub_processor.approved": true,
"sub_processor.notification_required": true,
"security_measures": [
"encryption at rest and in transit",
"role-based access control",
"audit logging"
],
"data_subject_rights": [
"access",
"rectification",
"erasure",
"portability"
],
"international_transfer_mechanism": "standard_contractual_clauses",
"standard_contractual_clauses_version": "2021 (Module Two, controller to processor)",
"audit_rights": true,
"termination_clause": "On termination the processor deletes or returns all personal data at the controller option",
"governing_law": "Ireland",
"dpa_scope_reference": "MSA-2026-0442",
"regulatory_compliance_certification": [
"ISO 27001",
"SOC 2 Type II"
],
"sub_processors": [
{
"processor_id": "SP-1",
"processor_name": "Beacon Analytics Inc.",
"processor_address": "San Jose, CA, United States",
"processing_activities": "Product usage analytics",
"approval_date": "2026-03-20"
}
]
}Frequently asked
How is a DPA different from a DPIA?
A DPA is the GDPR Article 28 contract that binds a processor to handle personal data on the controller terms, with two signatures. A DPIA is the Article 35 internal risk assessment a controller completes before high-risk processing. Talonic reads each on its own schema and cross-links to the dpia extractor.
Does it capture the sub-processor terms?
Yes. Whether sub-processors are approved and whether the controller must be notified are read as their own fields, and each named sub-processor loads in a table with its role, location, and approval date, so a vendor-risk register is populated from structured data.
How are international transfers and SCCs handled?
The international-transfer mechanism is captured as its own field and the Standard Contractual Clauses version is read where stated, so a transfer to a US sub-processor resting on the 2021 EU SCCs is legible without rereading the schedule.
Does Talonic decide whether the DPA is GDPR-compliant?
No. It structures the parties, the clauses, and the measures the agreement states and links each to its source region. Judging whether the agreement satisfies Article 28 is the role of privacy counsel, not the extraction.
Ready to extract from your own Data Processing Agreements (DPAs)?
Author note
Reviewed by Talonic engineering, privacy schema review · last reviewed 2026-07-09