What is a DPA (Data Processing Agreement)?

A DPA (Data Processing Agreement) is a legally binding contract between a data controller and a data processor that defines how personal data will be handled, protected, and processed. Required under GDPR Article 28, a DPA specifies the types of data being processed, the purposes of processing, security measures in place, data subject rights, and the obligations of each party. Any SaaS platform that processes personal data on behalf of its customers needs a DPA.

In practical terms, when a business uses a cloud service (like an AI agent platform) that handles customer data, employee data, or any personal information, the business is the "data controller" and the cloud service is the "data processor." The DPA is the contract that governs this relationship.

What a DPA Must Include

Under GDPR, a DPA must cover several specific areas:

  • Subject matter and duration -- What data is being processed and for how long
  • Nature and purpose -- Why the data is being processed and what operations are performed on it
  • Types of personal data -- Categories of data involved (names, emails, conversations, IP addresses, etc.)
  • Categories of data subjects -- Whose data is being processed (customers, employees, end users)
  • Security measures -- Technical and organizational measures to protect the data (encryption, access controls, incident response)
  • Sub-processors -- Third parties that also process the data (cloud providers, database services, LLM providers)
  • Data subject rights -- How the processor assists the controller in responding to data access, deletion, and portability requests
  • Data breach notification -- Timeline and process for reporting security incidents
  • Data deletion or return -- What happens to the data when the contract ends

Why AI Agent Platforms Need DPAs

AI agents process significant amounts of data that may include personal information. Conversations with the agent may contain customer names, business details, or strategic information. The agent may browse websites, process files, or interact with APIs that return personal data. All of this processing must be covered by a DPA if the data involves EU residents.

For AI agent platforms specifically, the DPA also needs to address:

  • LLM data handling -- Whether conversation data is sent to LLM providers and how those providers handle it
  • Agent memory and context -- How long conversation history is retained and who can access it
  • Data residency -- Where the data is physically stored and processed
  • Skill data access -- What data installed skills can access and how that access is controlled

DPA vs Privacy Policy

A DPA and a privacy policy serve different purposes. A privacy policy is a public document that tells end users how a company collects and uses their data. A DPA is a business-to-business contract that governs how a service provider handles data on behalf of another business. Both are necessary, but they address different relationships.

How It Relates to KiwiClaw

KiwiClaw provides DPAs for Enterprise customers, covering all data processing performed by the platform including agent conversations, LLM API calls, database storage, and sub-processor relationships. The DPA works in conjunction with KiwiClaw's data residency options (US or EU), RBAC access controls, and audit logging to provide a comprehensive compliance package for regulated industries.

This is a key differentiator for KiwiClaw in the enterprise market -- most competing AI agent hosting platforms do not offer DPAs, which effectively blocks GDPR-regulated businesses from using them.

Frequently Asked Questions

What is a DPA and when do you need one?

A DPA (Data Processing Agreement) is a legally binding contract between a data controller and a data processor that defines how personal data will be handled. You need one whenever a cloud service processes personal data on your behalf; GDPR Article 28 requires it for any business handling EU residents' data.

Do AI agent platforms need DPAs?

Yes. AI agents process conversation data, user inputs, and potentially sensitive business information that may include personal data. If the data involves EU residents, the relationship between the business and the hosting platform must be covered by a DPA that addresses LLM data handling, agent memory retention, and data residency.

Does KiwiClaw provide a DPA?

Yes. KiwiClaw provides DPAs for Enterprise customers, covering all data processing including agent conversations, LLM API calls, database storage, and sub-processor relationships. This works alongside data residency options, RBAC, and audit logging for a comprehensive compliance package.
