Browse Skills

Data Processing Agreement (DPA) — SCC & sub-processor sync

    GDPR CCPA DPA Privacy Standard Contractual Clauses Sub-processors Data Protection Compliance
    Get Started with This Skill

    Overview

    Draft the legal annex for DPAs governing controller–processor data transfers under GDPR and CCPA. Inserts the correct Standard Contractual Clauses by data importer country and validates sub-processor list against the privacy portal.

    Getting Started

    Add your source materials to the project workspace, then activate the Data Processing Agreement (DPA) — SCC & sub-processor sync skill. The agent will guide you through the process step by step.

    Example Conversation

    You: We’re signing a DPA with a processor in the United States. Insert the correct Standard Contractual Clauses for the international transfer annex.

    Agent: I’ll use the SCC clause injector for a US data importer. Under EU/EEA rules, the appropriate mechanism is the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two (Controller to Processor). Here’s the clause I’ve prepared for your DPA:

    “The Parties agree that the transfer of Personal Data from the Data Exporter to the Data Importer shall be governed by the Standard Contractual Clauses (Controller to Processor) set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021…”

    Should I insert this into your DPA file? If so, add a placeholder such as [SCC_CLAUSE] where the clause should go and tell me the file path.

    You: Our legal team updated the privacy portal. Can you check that our DPA sub-processor annex matches the export they gave us? DPA is at dpa.md, list at subprocessors.csv.

    Agent: I’ve run the sub-processor list sync. Result: Drift detected. Three sub-processors are in the authoritative list but not yet in the DPA (I can add them), and one entry in the DPA is no longer in the portal list — you may want to remove or flag it. Here’s the summary…

    Extension Tools

    The skill registers two tools the agent can call:

    scc_clause_injector selects and inserts the right SCC text by data importer country:

    • EU 2021 — Commission Implementing Decision (EU) 2021/914, Module Two (Controller to Processor), for transfers from the EEA to third countries (e.g. US, India).
    • UK Addendum — ICO International Data Transfer Addendum to the EU SCCs when UK GDPR applies.
    • UK IDTA — UK International Data Transfer Agreement as an alternative to EU SCCs + Addendum.
    • Swiss FDPA — EU SCCs as amended by the Swiss FDPIC for FDPA compliance.

    You pass the data importer country; the tool returns the clause wording and can replace a placeholder in the DPA file if you provide the path and placeholder text.

    subprocessor_list_sync compares the DPA’s sub-processor list to an authoritative list (e.g. CSV or one-per-line export from your privacy portal):

    • Reports how many entries are in both lists, only in the DPA, or only in the authoritative list.
    • Surfaces names missing from the DPA (add these to the annex) and names only in the DPA (consider removing or confirming with legal).
    • Parses tables, bullet lists, and simple line-based lists in the DPA so the agent can keep the annex in sync with the live portal.

    Output Excerpt

    After running scc_clause_injector for a US data importer, the agent can insert a clause like this into the DPA:

    The Parties agree that the transfer of Personal Data from the Data Exporter to the Data Importer shall be governed by the Standard Contractual Clauses (Controller to Processor) set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 ("EU SCCs"). For the purposes of the EU SCCs: (a) Module Two (Controller to Processor) applies; (b) the optional clauses in the EU SCCs are as selected in Appendix I; (c) the details for Appendix II (technical and organisational measures) are set out in the DPA. The EU SCCs are incorporated by reference and form an integral part of this DPA.

    A typical subprocessor_list_sync report looks like:

    ============================================================
Sub-processor list sync — DPA vs authoritative list
DPA: dpa.md
Authoritative list: subprocessors.csv
============================================================

In both: 12
Only in DPA (consider removing or updating authoritative list): 1
Only in authoritative list (add to DPA): 3

--- Missing from DPA (in authoritative list) ---
  + acme analytics ltd
  + cloud storage inc
  + support desk eu

--- In DPA but not in authoritative list ---
  - legacy vendor corp

============================================================
RESULT: Drift detected — update DPA or authoritative list as appropriate.
============================================================

    You then update the DPA annex (add the three, remove or flag the one) so it matches the company’s published sub-processor list.

    Ready to let your expertise drive the workflow?

    Stop wrestling with rigid templates and complex tooling. Write your process in markdown, let the agent handle the rest.

    Get Started