gdpr-data-processing-addendumlisted

# GDPR Data Processing Addendum (DPA) Draft an execution-ready DPA satisfying GDPR Article 28 controller-processor requirements while preserving commercial operability. ## Prerequisites Collect before drafting: 1. **Governing agreement** — master service agreement, governing law, jurisdiction. 2. **Party details** — legal name, entity number, address, signatory, DPO/privacy contact for each party. 3. **Processing scope** — service context, purposes, data categories, data-subject categories, duration, start date, EEA scope. 4. **Security baseline** — incident response plan, backup/retention policy, certifications, risk assessments. 5. **Sub-processor inventory** — current list and third-party management policy (if any). 6. **Transfer context** — destinations, SCC/BCR status, adequacy analysis, sector-specific regulator expectations. 7. **Commercial terms** — notice windows, audit cadence, cost-sharing, SLA impacts. ## Workflow 1. **Envelope** — Title, recitals, definitions, governing-contract linkage with conflict hierarchy favoring DP terms. 2. **Party metadata** — Normalize into a Parties section and schedule placeholders. 3. **Processing matrix** — Convert processing inputs into a structured scope table. 4. **Clause insertion** (in order): 1. Scope / purpose / nature / duration 2. Processor instructions and purpose limitation 3. Confidentiality and security 4. Sub-processor controls 5. Data-subject rights assistance 6. Breach notification and coopera