Data Processing Agreement
What the DPA is
A Data Processing Agreement (DPA) is a contract between a data controller and a data processor, required by Article 28 of the EU General Data Protection Regulation (GDPR). It documents the processor's obligations regarding the personal data it processes on behalf of the controller, including the subject matter, duration, nature, and purpose of the processing, the categories of data subjects, and the technical and organizational measures in place to protect the data.
Backbuild's DPA is offered to all customers that process personal data subject to GDPR, UK GDPR, or the Swiss FADP. It incorporates the current EU Standard Contractual Clauses (SCCs) for international transfers and the UK International Data Transfer Addendum (UK IDTA) where applicable.
Key terms
- Roles: the customer is the controller; Backbuild is the processor. Backbuild processes customer personal data only on the customer's documented instructions.
- Sub-processors: Backbuild maintains a current sub-processor list and provides advance notice of changes. See sub-processors.
- Confidentiality: Backbuild personnel with access to customer data are subject to confidentiality obligations.
- Security measures: technical and organizational measures are documented and aligned with the controls described under Security.
- Data subject requests: Backbuild assists the customer in responding to data subject requests.
- Personal data breach notification: Backbuild notifies the customer without undue delay after becoming aware of a personal data breach affecting the customer's data.
- Audit: the customer has audit rights subject to the conditions set out in the DPA, which typically include reasonable notice and use of summary reports where appropriate.
- Return or deletion: at the end of the relationship, Backbuild returns or deletes customer personal data in line with the retention schedule.
International transfer mechanisms
- EU Standard Contractual Clauses: the current EU Commission SCCs (Implementing Decision (EU) 2021/914) are incorporated by reference in the DPA.
- UK International Data Transfer Addendum: available for customers subject to UK data protection law; incorporated by reference where applicable.
- Swiss addenda: additional clauses address transfers of personal data relating to Swiss data subjects.
How to obtain and execute the DPA
- The DPA is available as a standard, pre-signed document. It is offered for execution as part of the onboarding process.
- Customers that need to execute the DPA separately can request a copy by emailing dpa@backbuild.ai (or privacy@backbuild.ai).
- Once countersigned by the customer, the DPA becomes part of the contract between the customer and Backbuild.
Negotiated DPAs
Backbuild's standard DPA is designed to satisfy the requirements of the large majority of customers. Where a customer requires specific additional terms, the standard DPA can be negotiated subject to internal review. Enterprise customers should raise specific requirements during procurement.
Contact
DPA requests or questions: dpa@backbuild.ai or privacy@backbuild.ai