Scoping call
A 30-minute call confirms whether you are the controller or the processor, what personal data and processing activities are involved, where the data subjects sit, and where the data flows go. We confirm GDPR scope and quote a flat fee.
A Data Processing Agreement records how a controller and processor handle personal data, and GDPR Article 28 sets out the terms it must contain. We draft the DPA to your role, append Standard Contractual Clauses or the UK IDTA where data leaves the EEA or UK, and match a security schedule to how you operate.
$495 Flat fee, quoted up front after a free scoping call
DPA drafted
Controller ↔ processor
Transfer clauses
SCCs included
Vendor-ready
Signed & tracked
Trusted by founders and brands worldwide








How it works
A 30-minute call confirms whether you are the controller or the processor, what personal data and processing activities are involved, where the data subjects sit, and where the data flows go. We confirm GDPR scope and quote a flat fee.
The DPA is drafted to your role — controller-processor or processor-sub-processor. SCCs and the UK IDTA are appended where transfers leave the EEA or UK, and the technical and organisational measures schedule is matched to your security posture.
One round of counterparty revisions is included. Most pushback lands on the audit rights and the security schedule — we tune those defaults to what is enforceable in your industry, then prepare the DPA for signature.
What it costs
DPA Drafting is $495. Each DPA is drafted for a flat fee, confirmed in writing on a free scoping call once your role and your transfer routes are known. There is no hourly billing and no quote after the fact. One round of counterparty negotiation is included. Cross-border transfer addenda — the 2021 SCCs or the UK IDTA — are a defined add-on, and negotiating against a counterparty's own draft is quoted as a separate scope.
What's included
The exact flat fee is confirmed on the scoping call before any drafting begins. A DPA is a contract, not a one-off compliance check — we keep it current as you add sub-processors or open new transfer routes.
Get started
Tell us about the data processing and a GTC attorney will scope the DPA and email a flat-fee quote after a free scoping call.
Why GTC
Controller-processor or processor-sub-processor — the obligations differ. We confirm which side you are on before drafting, so the DPA carries the right Article 28 terms for your position in the chain.
Where personal data leaves the EEA, we append the 2021 Standard Contractual Clauses; for UK data, the UK International Data Transfer Addendum. The transfer mechanism is part of the DPA, not an afterthought.
The technical and organisational measures schedule is matched to how you run, not copied from a generic list. That is the schedule a counterparty's security team reviews most closely.
One well-drafted DPA template carries across your customer and vendor relationships, with a sub-processor mechanism and a breach-notification cascade already built in.
Your Customer Success Team
Every GTC client gets a dedicated Account Manager and a Senior Account Manager who learn your business and stay with you from first email to final filing. They are named people who pick up the phone and already know your matter, so every step moves forward without delay.
Your day-to-day point of contact, who coordinates every matter, keeps things moving, and already knows your file. They have your full history, so you start every conversation where the last one left off.
Senior oversight on strategy and escalations, stepping in as your needs grow, so every important detail stays on track.
A named person, on email or a call, at every step.

How we compare
| What you get | GTC | Online filing services | Doing it yourself |
|---|---|---|---|
| All GDPR Article 28(3) required terms present and drafted to your role | |||
| Security schedule (TOMs) matched to your operations, not a generic list | |||
| SCCs and the UK IDTA appended where transfers leave the EEA or UK | |||
| Sub-processor approval and breach-notification cascade built in | |||
| One round of counterparty negotiation included | |||
| Drafted by attorneys, reusable across customer and vendor relationships |
All GDPR Article 28(3) required terms present and drafted to your role
Security schedule (TOMs) matched to your operations, not a generic list
SCCs and the UK IDTA appended where transfers leave the EEA or UK
Sub-processor approval and breach-notification cascade built in
One round of counterparty negotiation included
Drafted by attorneys, reusable across customer and vendor relationships
Timeline
Most DPAs are drafted and ready for the counterparty within five to seven business days of the scoping call.
A 30-minute call confirms whether you are controller or processor, what data and processing are involved, and where the data flows go. We confirm GDPR scope and quote.
The DPA is drafted to your role, with SCCs and the UK IDTA appended where transfers leave the EEA or UK, and a security schedule matched to your posture.
One round of counterparty revisions is included. We tune the audit-rights and security-schedule pushback to what is enforceable in your industry.
As you add sub-processors or open new transfer routes, the DPA and its schedules are updated so the contract keeps pace with how you process data.
In their words
One accountable team across every practice, operating since 2016.
DPA drafting FAQs
Ready to draft your DPA?
Tell us about the data processing and your role in it. We will confirm GDPR scope, quote a flat fee up front after a free scoping call, and have a signable DPA ready for the counterparty within a week.

Cookies help us improve the site.We use cookies to improve your experience, analyze site traffic, and personalize content. Learn more