DPA Self-Check — GDPR Art. 28
Does your Data Processing Agreement meet the mandatory clauses? 10 questions, 3 minutes, no sign-up.
Every business using external services (Microsoft 365, Google Workspace, DATEV, Telnyx, Retell, OpenAI, Mailgun) needs a Data Processing Agreement (DPA / AVV) with each vendor under GDPR Art. 28. Without one, or missing any of the 13 mandatory clauses in Art. 28(3), fines go up to €10M or 2% of global annual turnover. This check walks through the key DPA duties — including the two most common traps: sub-processor rules and international transfer.
- 01: Do you use at least one external vendor that processes personal data on your behalf (hosting, email, CRM, accounting, AI, marketing)?
  Almost every SMB: yes. Microsoft 365, Google Workspace, DATEV, Mailchimp, Telnyx, Retell — each is a processor.
  GDPR Art. 4(8)
- 02: Do you have an executed DPA (written or electronic) with EVERY such vendor?
  Accepting the ToS is not enough. The DPA must be a separate document that is actively executed — usually in the admin panel for large vendors.
  GDPR Art. 28(3)
- 03: Does the DPA specify subject-matter, duration, nature, purpose of processing, data categories, and categories of data subjects?
  Mandatory detail in the annex. No standard template fulfils this without an individualised description of your use case.
  GDPR Art. 28(3) sentence 1
- 04: Does the DPA oblige the processor to process data only on your documented instructions?
  Core clause: the processor cannot use your data for its own purposes. Exception: a legal duty to disclose to authorities.
  GDPR Art. 28(3)(a)
- 05: Are all personnel at the vendor with access to your data bound by a confidentiality obligation?
  Standard in any professional DPA. In practice, a one-off confirmation is enough; it does not need to be logged per access.
  GDPR Art. 28(3)(b)
- 06: Does the DPA describe the technical and organizational measures (TOM) under GDPR Art. 32 — or reference an auditable TOM document?
  Encryption, access control, backup, incident response. Often an Annex A to the DPA or a separate 'Security Addendum'.
  GDPR Art. 28(3)(c) in conjunction with Art. 32
- 07: Does the DPA require sub-processors to be engaged only with prior consent, or with notification and a right to object?
  Most common trap: the vendor silently uses AWS/GCP/Azure as a sub-processor. The DPA must include a current list or a notification mechanism.
  GDPR Art. 28(2) + Art. 28(3)(d)
- 08: Does the DPA oblige the processor to assist you with data subject requests (access, deletion, portability)?
  GDPR Art. 15-22 — in practice: the vendor must provide tools or a contact path that lets you deliver deletion within 30 days.
  GDPR Art. 28(3)(e)
- 09: At contract end, is return OR deletion of all personal data, including copies, regulated — with proof of deletion?
  Either is fine; it is your choice. Important: written proof of deletion (even as a confirmation email) is required, not optional.
  GDPR Art. 28(3)(g)
- 10: For vendors outside the EU/EEA: do you have a valid transfer mechanism (EU-US DPF, Standard Contractual Clauses 2021/914, BCR, or an adequacy decision)?
  Without one of these mechanisms, the transfer is unlawful under Schrems II. Check DPF status at dataprivacyframework.gov.
  GDPR Art. 44-49
How it works
- 01: 10 yes/no questions
  Each question maps to a mandatory clause under GDPR Art. 28(3) or a flanking provision (Art. 32, Art. 44 ff.).
- 02: Traffic-light result
  Green = met. Yellow = review. Red = gap. Red items are GDPR duties and should be closed first.
- 03: No data collection
  Your answers never leave the browser. No submit, no email, no database.
FAQ
What is a DPA / AVV, exactly?
A Data Processing Agreement under GDPR Art. 28 (German: Auftragsverarbeitungsvertrag / AVV). Required whenever an external vendor processes personal data on your behalf — i.e. not as an independent controller. Typical: hosting, email, CRM, accounting, AI services, marketing tools. The DPA must contain 13 specific mandatory clauses from Art. 28(3).
Who counts as a processor — does Microsoft 365 count?
Yes. Microsoft 365, Google Workspace, Dropbox, Slack, DATEV, Retell AI, OpenAI, Anthropic, Telnyx, Mailgun, Cal.com and almost every SaaS tool are processors as soon as they handle personal data of your customers, staff, or leads. All major vendors publish a DPA — but you must actively execute it (accepting the ToS is not enough).
What happens if no DPA exists?
Art. 28 GDPR is a duty, not a recommendation. Fines: up to €10M or 2% of global annual turnover (Art. 83(4)). In practice, a missing DPA is the most common finding of German data protection authorities. In a breach at the vendor, you share liability without limit if no DPA is in place.
Is the vendor's standard DPA enough?
Usually yes, but not automatically. Typical standard DPAs cover Art. 28(3) in substance — but often keep sub-processor notification and audit rights vague. Check: (a) are sub-processors listed by name and are changes notified? (b) do you get access to TOMs and certifications? (c) is return or deletion with proof at contract end regulated?
What if the vendor is in the US?
Then you need a transfer mechanism in addition to the DPA: EU-US Data Privacy Framework (for certified US vendors), Standard Contractual Clauses (SCC 2021/914), or Binding Corporate Rules. Many large vendors (Microsoft, Google, OpenAI) are DPF-certified — simplest route. Check status at dataprivacyframework.gov.
How does Mandu Studios help specifically?
We've been shipping AI and process tools with proper DPAs as the default since late 2024 — we provide the DPA chain (our DPA with you plus all sub-processor DPAs). On request: GDPR record-of-processing entry, TOM documentation, named sub-processor list with notification. 30 minutes of free consultation is enough to scope which DPAs you actually need.
Found a DPA gap?
30 minutes on the phone. Free. We walk through your vendor list and show which DPAs are missing or need tightening.