Data privacy · GDPR Article 28 + SCCs

    Draft a DPA that holds up

    A Data Processing Agreement records how a controller and processor handle personal data, and GDPR Article 28 sets out the terms it must contain. We draft the DPA to your role, append Standard Contractual Clauses or the UK IDTA where data leaves the EEA or UK, and match a security schedule to how you operate.

    $495 Flat fee, quoted up front after a free scoping call

    Privacy and data-protection professionals reviewing a data processing agreement in a bright modern office

    DPA drafted

    Controller ↔ processor

    Transfer clauses

    SCCs included

    Vendor-ready

    Signed & tracked

    Legal team
    GTC's privacy team
    Data-protection counsel
    10,747+ clients11 attorneys5 offices
    10,747+ clients11 attorneys5 offices10+ years
    IIPLA Top IP Consultancy 2026Upwork · Top Rated Plus

    Trusted by founders and brands worldwide

    AtlysPerforaSoxcoBossCareInnovistBacardiFootcare LabBare AnatomyFreedom

    How it works

    How DPA drafting works with GTC

    1

    Scoping call

    A 30-minute call confirms whether you are the controller or the processor, what personal data and processing activities are involved, where the data subjects sit, and where the data flows go. We confirm GDPR scope and quote a flat fee.

    2

    Drafting

    The DPA is drafted to your role — controller-processor or processor-sub-processor. SCCs and the UK IDTA are appended where transfers leave the EEA or UK, and the technical and organisational measures schedule is matched to your security posture.

    3

    Negotiation + execution

    One round of counterparty revisions is included. Most pushback lands on the audit rights and the security schedule — we tune those defaults to what is enforceable in your industry, then prepare the DPA for signature.

    What it costs

    A flat fee per DPA

    DPA Drafting is $495. Each DPA is drafted for a flat fee, confirmed in writing on a free scoping call once your role and your transfer routes are known. There is no hourly billing and no quote after the fact. One round of counterparty negotiation is included. Cross-border transfer addenda — the 2021 SCCs or the UK IDTA — are a defined add-on, and negotiating against a counterparty's own draft is quoted as a separate scope.

    What's included

    • Controller-processor or processor-sub-processor DPA drafted to your role
    • GDPR Article 28(3) required terms: subject matter, duration, nature and purpose, type of personal data, and categories of data subjects
    • Security measures schedule (technical and organisational measures) matched to your posture
    • Sub-processor approval and notification mechanism
    • 2021 Standard Contractual Clauses for transfers out of the EEA, where applicable
    • UK International Data Transfer Addendum (IDTA) for UK transfers, where applicable
    • Audit and inspection rights drafted to what is enforceable in your industry
    • Data breach notification cascade from processor to controller
    • Return or deletion of personal data at the end of the contract
    • One round of counterparty revisions
    DPA template (controller-processor or processor-sub-processor)
    Flat fee, quoted up front
    SCCs addendum for cross-border transfers
    Defined add-on
    UK IDTA addendum for UK transfers
    Defined add-on
    Negotiating against a counterparty's own DPA
    Quoted by scope

    The exact flat fee is confirmed on the scoping call before any drafting begins. A DPA is a contract, not a one-off compliance check — we keep it current as you add sub-processors or open new transfer routes.

    Get started

    Draft your DPA

    Tell us about the data processing and a GTC attorney will scope the DPA and email a flat-fee quote after a free scoping call.

    No payment required Reply within 1 business dayA GTC attorney reviews it & sends a flat-fee quote.
    Crossing a border? Note whether the data leaves the EEA or involves UK personal data — that tells us whether the SCCs, the UK IDTA, or both need to be appended.

    Brand details

    1

    Short label (e.g. 'ACME-Beta DPA').

    2

    Drives the negotiation posture.

    3

    Name + brief description of the counterparty.

    4

    What data is being processed, for what purposes, on what types of data subjects. Approximate scale.

    5

    If the other side sent a draft, upload it.

    Your contact details

    No payment required. Your details stay confidential.

    Why GTC

    Why draft your DPA with GTC

    Legal team
    GTC's privacy team
    Data-protection counsel
    Attorney-led

    Drafted to your role

    Controller-processor or processor-sub-processor — the obligations differ. We confirm which side you are on before drafting, so the DPA carries the right Article 28 terms for your position in the chain.

    Built for cross-border transfers

    Where personal data leaves the EEA, we append the 2021 Standard Contractual Clauses; for UK data, the UK International Data Transfer Addendum. The transfer mechanism is part of the DPA, not an afterthought.

    A security schedule that fits

    The technical and organisational measures schedule is matched to how you run, not copied from a generic list. That is the schedule a counterparty's security team reviews most closely.

    Reusable across relationships

    One well-drafted DPA template carries across your customer and vendor relationships, with a sub-processor mechanism and a breach-notification cascade already built in.

    Your Customer Success Team

    A dedicated team that owns your matter from start to finish.

    Every GTC client gets a dedicated Account Manager and a Senior Account Manager who learn your business and stay with you from first email to final filing. They are named people who pick up the phone and already know your matter, so every step moves forward without delay.

    Your Account Manager

    Your day-to-day point of contact, who coordinates every matter, keeps things moving, and already knows your file. They have your full history, so you start every conversation where the last one left off.

    Your Senior Account Manager

    Senior oversight on strategy and escalations, stepping in as your needs grow, so every important detail stays on track.

    A named person, on email or a call, at every step.

    Your dedicated GTC Customer Success Team

    How we compare

    GTC vs. a generic template or a big consultancy

    What you get GTC Online filing services Doing it yourself
    All GDPR Article 28(3) required terms present and drafted to your role
    Security schedule (TOMs) matched to your operations, not a generic list
    SCCs and the UK IDTA appended where transfers leave the EEA or UK
    Sub-processor approval and breach-notification cascade built in
    One round of counterparty negotiation included
    Drafted by attorneys, reusable across customer and vendor relationships

    All GDPR Article 28(3) required terms present and drafted to your role

    GTC
    Online filing services
    Doing it yourself

    Security schedule (TOMs) matched to your operations, not a generic list

    GTC
    Online filing services
    Doing it yourself

    SCCs and the UK IDTA appended where transfers leave the EEA or UK

    GTC
    Online filing services
    Doing it yourself

    Sub-processor approval and breach-notification cascade built in

    GTC
    Online filing services
    Doing it yourself

    One round of counterparty negotiation included

    GTC
    Online filing services
    Doing it yourself

    Drafted by attorneys, reusable across customer and vendor relationships

    GTC
    Online filing services
    Doing it yourself

    Timeline

    A signable DPA inside a week

    Most DPAs are drafted and ready for the counterparty within five to seven business days of the scoping call.

    1. Day 1

      Scoping call

      A 30-minute call confirms whether you are controller or processor, what data and processing are involved, and where the data flows go. We confirm GDPR scope and quote.

    2. Days 2–5

      Drafting

      The DPA is drafted to your role, with SCCs and the UK IDTA appended where transfers leave the EEA or UK, and a security schedule matched to your posture.

    3. Days 5–7

      Negotiation + execution

      One round of counterparty revisions is included. We tune the audit-rights and security-schedule pushback to what is enforceable in your industry.

    4. Ongoing

      Kept current

      As you add sub-processors or open new transfer routes, the DPA and its schedules are updated so the contract keeps pace with how you process data.

    In their words

    All your legal, in one place.

    One accountable team across every practice, operating since 2016.

    10,747+
    Clients served
    11
    In-house attorneys
    5
    Global offices
    10+
    Years since 2016

    DPA drafting FAQs

    Frequently asked questions

    Whenever a controller — the party deciding the purposes of processing — engages a processor that handles personal data on its behalf. A SaaS provider serving EU customers needs DPA templates for its customers; a vendor that touches personal data needs DPAs with the businesses it serves. GDPR Article 28 requires the arrangement to be in writing.

    Ready to draft your DPA?

    Ready when you are.

    Tell us about the data processing and your role in it. We will confirm GDPR scope, quote a flat fee up front after a free scoping call, and have a signable DPA ready for the counterparty within a week.

    GTC counsel on a client consultation call

    Cookies help us improve the site.We use cookies to improve your experience, analyze site traffic, and personalize content. Learn more