Short answer: A data processing agreement explains how a supplier processes personal data for a customer. It should cover instructions, security, sub-processors, transfers, breach notices, deletion, audit rights and privacy assistance.
Check whether the parties are acting as controller, processor or independent controllers. Then review processing instructions, data categories, security measures, sub-processors, international transfers, breach notification timing and return or deletion of data.
A SaaS vendor may host customer data using several cloud and analytics providers. The DPA should say whether those sub-processors are approved, how changes are notified and what happens if the customer objects.
Common mistakes include reviewing the DPA separately from the main agreement, ignoring liability caps, accepting vague security schedules and not checking whether audit rights are practical.
See audit rights clause, controller vs processor and Singapore contract management checklist.
Reviewed for general contract operations use. This page is general information and is not legal advice.