A Data Processing Agreement (DPA) is a legally required contract under Article 28 of the EU General Data Protection Regulation (GDPR) between a data controller—the entity that determines the purposes and means of processing personal data—and a data processor—the entity that processes personal data on the controller's behalf. When a law firm or legal department uses an AI tool to process personal data, the firm is typically the controller and the AI vendor is the processor, making a DPA a mandatory contractual requirement before processing begins.
The mandatory content of a GDPR-compliant DPA is specified in Article 28(3) and includes: the subject matter, duration, nature, and purpose of the processing; the type of personal data and categories of data subjects involved; the controller's obligations and rights; and the processor's commitments to process data only on documented instructions, ensure data security, engage sub-processors only with prior authorization, assist with data subject rights, support compliance audits, and delete or return data at processing completion.
Beyond GDPR's specific requirements, DPAs negotiated with AI vendors typically address additional matters of practical concern: data residency (where data will be stored and processed), sub-processor lists and change notification processes, incident response and breach notification timelines, return/deletion verification procedures, audit rights, liability allocation, and—increasingly—specific provisions addressing AI model training (prohibiting the use of customer data to train models without explicit consent).
Law firms processing personal data with AI tools are data controllers under GDPR and are directly obligated to execute compliant DPAs with their AI vendors. This is not merely a formality: a DPA that is missing required provisions, contains inadequate sub-processor controls, or fails to address international transfer mechanisms is non-compliant and can expose both the law firm and the vendor to regulatory enforcement.
Lawyers also negotiate DPAs on behalf of clients. As AI adoption accelerates across industries, DPA negotiation has become a specialized skill with significant transaction volume. Understanding what standard DPA provisions say, where vendors typically push back, and which provisions are non-negotiable versus negotiable is practical knowledge that directly affects client outcomes in technology transactions, vendor contracting, and SaaS procurement.
The AI-specific provisions in DPAs are a relatively recent area of negotiation focus. The most consequential issue is model training: many AI vendors' standard terms permit them to use customer inputs to improve their models, which would constitute a use of personal data beyond the original processing purpose. Negotiating an explicit prohibition on training-data use—or a right to opt out—has become a standard element of legal-grade AI procurement.
Enterprise legal AI vendors routinely publish standard DPA templates and are generally prepared to negotiate customized DPAs with enterprise customers. Vendors like LegalFly, Legartis, and ContractPodAi maintain updated DPAs that address GDPR Article 28 requirements, Standard Contractual Clauses for international transfers, and AI-specific provisions around model training and data use.
The quality and completeness of vendor DPAs vary considerably. Some vendors offer GDPR-compliant DPAs as a standard feature of enterprise agreements; others require negotiation to reach adequate terms; and some—particularly consumer-oriented or general-purpose AI tools—do not offer DPAs at all, effectively barring their use with personal data in a GDPR context.
AI contract review tools can streamline DPA review and negotiation by automatically identifying gaps against a baseline clause library, flagging non-standard provisions, and generating redlines. This application of AI to DPA work is a useful example of the technology augmenting legal judgment: the AI accelerates the identification of issues, but the privacy lawyer still evaluates the risk and negotiates the position.