# Data Processing Agreement (DPA) — SCC & sub-processor sync > Draft the legal annex for DPAs governing controller–processor data transfers under GDPR and CCPA. Inserts the correct Standard Contractual Clauses by data importer country and validates sub-processor list against the privacy portal. Tags: GDPR, CCPA, DPA, Privacy, Standard Contractual Clauses, Sub-processors, Data Protection, Compliance ## Example Prompts - Insert the correct SCCs for a DPA where the data importer is in the United States - Draft the international transfer annex for our DPA with a UK processor - Check that our DPA sub-processor list matches the company privacy portal export - Sync the DPA sub-processor annex with the latest list from the privacy portal URL: https://rakenne.app/skills/dpa-scc/index.md Try this skill: https://rakenne.app/a/?skill=dpa-scc ## Overview Draft the legal annex for DPAs governing controller–processor data transfers under GDPR and CCPA. Inserts the correct Standard Contractual Clauses by data importer country and validates sub-processor list against the privacy portal. ## Getting Started Add your source materials to the project workspace, then activate the *Data Processing Agreement (DPA) — SCC & sub-processor sync* skill. The agent will guide you through the process step by step. ## Example Conversation > **You:** We're signing a DPA with a processor in the United States. Insert the correct Standard Contractual Clauses for the international transfer annex. > **Agent:** I'll use the SCC clause injector for a US data importer. Under EU/EEA rules, the appropriate mechanism is the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two (Controller to Processor). Here's the clause I've prepared for your DPA: > > *"The Parties agree that the transfer of Personal Data from the Data Exporter to the Data Importer shall be governed by the Standard Contractual Clauses (Controller to Processor) set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021..."* > > Should I insert this into your DPA file? If so, add a placeholder such as `[SCC_CLAUSE]` where the clause should go and tell me the file path. > **You:** Our legal team updated the privacy portal. Can you check that our DPA sub-processor annex matches the export they gave us? DPA is at `dpa.md`, list at `subprocessors.csv`. > **Agent:** I've run the sub-processor list sync. Result: **Drift detected**. Three sub-processors are in the authoritative list but not yet in the DPA (I can add them), and one entry in the DPA is no longer in the portal list — you may want to remove or flag it. Here’s the summary... ## Extension Tools The skill registers two tools the agent can call: **`scc_clause_injector`** selects and inserts the right SCC text by data importer country: - **EU 2021** — Commission Implementing Decision (EU) 2021/914, Module Two (Controller to Processor), for transfers from the EEA to third countries (e.g. US, India). - **UK Addendum** — ICO International Data Transfer Addendum to the EU SCCs when UK GDPR applies. - **UK IDTA** — UK International Data Transfer Agreement as an alternative to EU SCCs + Addendum. - **Swiss FDPA** — EU SCCs as amended by the Swiss FDPIC for FDPA compliance. You pass the data importer country; the tool returns the clause wording and can replace a placeholder in the DPA file if you provide the path and placeholder text. **`subprocessor_list_sync`** compares the DPA’s sub-processor list to an authoritative list (e.g. CSV or one-per-line export from your privacy portal): - Reports how many entries are in both lists, only in the DPA, or only in the authoritative list. - Surfaces names **missing from the DPA** (add these to the annex) and names **only in the DPA** (consider removing or confirming with legal). - Parses tables, bullet lists, and simple line-based lists in the DPA so the agent can keep the annex in sync with the live portal. ## Output Excerpt After running `scc_clause_injector` for a US data importer, the agent can insert a clause like this into the DPA: ```text The Parties agree that the transfer of Personal Data from the Data Exporter to the Data Importer shall be governed by the Standard Contractual Clauses (Controller to Processor) set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 ("EU SCCs"). For the purposes of the EU SCCs: (a) Module Two (Controller to Processor) applies; (b) the optional clauses in the EU SCCs are as selected in Appendix I; (c) the details for Appendix II (technical and organisational measures) are set out in the DPA. The EU SCCs are incorporated by reference and form an integral part of this DPA. ``` A typical **subprocessor_list_sync** report looks like: ```text ============================================================ Sub-processor list sync — DPA vs authoritative list DPA: dpa.md Authoritative list: subprocessors.csv ============================================================ In both: 12 Only in DPA (consider removing or updating authoritative list): 1 Only in authoritative list (add to DPA): 3 --- Missing from DPA (in authoritative list) --- + acme analytics ltd + cloud storage inc + support desk eu --- In DPA but not in authoritative list --- - legacy vendor corp ============================================================ RESULT: Drift detected — update DPA or authoritative list as appropriate. ============================================================ ``` You then update the DPA annex (add the three, remove or flag the one) so it matches the company’s published sub-processor list. --- Back to [Skill Library](https://rakenne.app/skills/index.md)