Data Processing Agreement: Sample review

Risk score: 7.7 / 10

Data Processing Agreement

Controller ↔ DataNexus Ltd. · Governing law: European Union / India

⚖️ Verdict: High risk — renegotiate before signing
Leans: Favors the processor — and breaches GDPR / DPDP as written

A data-processing addendum with critical privacy gaps: no breach-notification deadline, international transfers with no Standard Contractual Clauses, and audit rights waived. Signing it as written would put you in breach of GDPR and India's DPDP Act.

Clauses analyzed: 9
High risk: 5
Need review: 4
Accepted: 0

Where to focus: your top negotiation priorities

The flagged clauses below are ranked by how much they matter; tackle these first. Each one has a full breakdown and a suggested safer rewrite.

Clause risk overview


Overall risk: HIGH RISK · Score: 7.7/10 · 9 clauses
High: 5 · Medium: 4 · Accepted: 0

Benchmark delta: +2.7 (industry benchmark 5/10)

Compound risks: 2 (data protection gaps; cluster of high-risk clauses)
Heatmap high: 5

Risk heatmap: High 56% · Medium 44% · Accepted 0%

No Breach-Notification Deadline

Category: Data Protection · Score 10/10 · Priority 10/10 · HIGH RISK
Severity: Overall 10/10 (Financial 8.0, Legal 10.0, Ops 7.0)
Tags: Compliance, Legal, Financial
  • DataNexus need only notify 'as soon as reasonably practicable' after it confirms a breach and finishes its own investigation, and it limits disclosure to whatever it considers relevant.
  • This makes it impossible for the Controller to meet its 72-hour notification duty.
Risk insight: This is a critical compliance failure. GDPR Art. 33(2) requires processors to notify the controller 'without undue delay,' and controllers must report to the regulator within 72 hours. A discretionary, post-investigation timeline defeats that obligation.
Safer rewrite: DataNexus shall notify the Controller without undue delay and in any event within 24 hours of becoming aware of a personal data breach, and shall provide all information reasonably necessary for the Controller to meet its own notification obligations, including the nature of the breach, categories and approximate number of data subjects, likely consequences, and remediation measures.
Law ref: GDPR Art. 33(2); India DPDP Act 2023 §8(6)
Worst case: A breach is discovered weeks after the fact; the Controller misses its 72-hour window and faces a regulatory penalty plus reputational harm.

Unrestricted International Transfers (No SCCs)

Category: Data Protection · Score 9/10 · Priority 10/10 · HIGH RISK
Severity: Overall 9/10 (Financial 7.0, Legal 10.0, Ops 6.0)
Tags: Compliance, Legal

DataNexus may transfer personal data to any country it or its subprocessors operate in, and shifts all responsibility for transfer compliance onto the Controller — with no Standard Contractual Clauses or adequacy mechanism in place.

Risk insight: International transfers without an approved safeguard (SCCs, adequacy decision, or BCRs) are unlawful under GDPR Chapter V. The clause's attempt to push compliance onto the Controller does not cure the lack of a transfer mechanism.
Safer rewrite: DataNexus shall not transfer personal data outside the EEA/India except where an approved transfer mechanism is in place. The parties incorporate the EU Standard Contractual Clauses (2021/914) for any such transfer, and DataNexus shall conduct and document transfer impact assessments as required.
Law ref: GDPR Arts. 44–49; EU SCCs 2021/914
Worst case: A regulator finds the Controller's data was unlawfully transferred to a third country, triggering an order to suspend transfers and a fine.

Processor Acting as Independent Controller

Category: Data Protection · Score 8/10 · Priority 10/10 · HIGH RISK
Severity: Overall 8/10 (Financial 6.0, Legal 9.0, Ops 6.0)
Tags: Compliance, Legal

DataNexus reserves the right to process the Controller's personal data as an 'independent controller' for its own purposes, including product analytics and marketing, and to process for its own legitimate interests beyond the Controller's instructions.

Risk insight: A processor that repurposes personal data for its own marketing/analytics breaches the purpose-limitation principle and Art. 28(3)(a), which requires processing only on documented instructions. Strike the secondary-use rights.
Safer rewrite: DataNexus shall process personal data solely on the Controller's documented instructions and shall not process for its own purposes. Any use of aggregated, fully anonymized statistics must be incapable of re-identification and disclosed to the Controller.
Law ref: GDPR Art. 28(3)(a), Art. 5(1)(b) (purpose limitation)
Worst case: The processor markets to or profiles the Controller's data subjects without a lawful basis, exposing the Controller to claims.

Audit Rights Waived

Category: Data Protection · Score 8/10 · Priority 10/10 · HIGH RISK
Severity: Overall 8/10 (Financial 5.0, Legal 9.0, Ops 6.0)
Tags: Compliance, Legal
  • The Controller is made to waive on-site audits and access to security documentation, accepting only an annual self-certification.
  • GDPR Art. 28(3)(h) requires the processor to make available information necessary to demonstrate compliance and to allow audits.
Risk insight: A waiver of audit rights is directly contrary to Art. 28(3)(h). Restore the right to audit (including via an independent auditor) and to receive security reports such as SOC 2 / ISO 27001.
Safer rewrite: DataNexus shall make available all information necessary to demonstrate compliance and shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor on reasonable notice. DataNexus shall provide its current SOC 2 Type II and ISO 27001 reports on request.
Law ref: GDPR Art. 28(3)(h)
Worst case: A regulator asks the Controller to evidence its processor's safeguards and the Controller has no contractual means to obtain them.

Processor Liability Excluded for Data-Protection Claims

Category: Liability · Score 9/10 · Priority 10/10 · HIGH RISK
Severity: Overall 9/10 (Financial 9.0, Legal 9.0, Ops 5.0)
Tags: Legal, Financial, Compliance
  • DataNexus disclaims essentially all liability for data-protection and breach claims except its own willful misconduct, and caps even that at one month of fees.
  • This shifts the financial consequences of the processor's failures onto the Controller.
Risk insight: Under GDPR Art. 82, a processor is directly liable to data subjects and cannot fully contract that away. The clause is both commercially unacceptable and legally ineffective as to third-party claims; negotiate a meaningful, mutual data-protection liability regime.
Safer rewrite: Each party remains liable under applicable data-protection law. DataNexus's liability for breaches of its data-protection obligations shall be subject to a separate, elevated cap (e.g., the greater of 12 months' fees or a negotiated super-cap) and shall not be excluded.
Law ref: GDPR Art. 82 (right to compensation and liability)
Worst case: A processor-caused breach leads to data-subject claims and a fine, all of which the Controller must fund.

Subprocessors Without Notice or Objection

Category: Data Protection · Score 6/10 · Priority 8/10 · NEEDS REVIEW
Severity: Overall 6/10 (Financial 4.0, Legal 7.0, Ops 5.0)
Tags: Compliance, Legal

General authorization is acceptable, but DataNexus may add subprocessors without notice or any right to object, and only commits to 'commercially reasonable efforts' to bind them — short of the equivalent-obligations flow-down GDPR requires.

Risk insight: Add a notice-and-objection mechanism and a firm flow-down of the same data-protection terms to subprocessors, as required by Art. 28(2) and (4).
Safer rewrite: DataNexus shall maintain a subprocessor list and give at least 30 days' notice of any new subprocessor, during which the Controller may object on reasonable data-protection grounds. DataNexus shall impose data-protection obligations on subprocessors no less protective than this DPA and remains liable for their acts.
Law ref: GDPR Art. 28(2), (4)

Indefinite Data Retention

Category: Data Protection · Score 6/10 · Priority 8/10 · NEEDS REVIEW
Severity: Overall 6/10 (Financial 3.0, Legal 7.0, Ops 5.0)
Tags: Compliance, Legal

On termination, DataNexus may retain personal data indefinitely for 'legitimate business interests' and backups, with no defined deletion deadline — contrary to the storage-limitation principle and the controller's deletion duties.

Risk insight: Set a firm deletion deadline (e.g., 30–90 days) post-termination, with narrowly scoped, time-limited legal-hold exceptions and a deletion certificate.
Safer rewrite: Within 30 days of termination, DataNexus shall delete or return all personal data and certify deletion in writing, except for copies required by law, which shall be deleted at the end of the legal retention period and remain protected by this DPA until then.
Law ref: GDPR Art. 5(1)(e) (storage limitation), Art. 28(3)(g)

Vague Security Measures

Category: Security · Score 6/10 · Priority 8/10 · NEEDS REVIEW
Severity: Overall 6/10 (Financial 5.0, Legal 6.0, Ops 6.0)
Tags: Compliance, Operational
  • Security is described only as 'reasonable measures appropriate to its business,' fully determined by DataNexus and changeable without notice.
  • GDPR Art. 32 expects specified, risk-appropriate measures such as encryption and resilience.
Risk insight: Replace the vague standard with a concrete security schedule (encryption in transit/at rest, access controls, logging, resilience, testing) and a no-material-downgrade commitment.
Safer rewrite: DataNexus shall implement and maintain the technical and organizational measures set out in Exhibit [Security], including encryption of personal data in transit and at rest, access controls, logging, regular testing, and resilience measures, and shall not materially decrease them during the term.
Law ref: GDPR Art. 32 (security of processing)

Data-Subject Requests Billed, No SLA

Category: Data Protection · Score 5/10 · Priority 7/10 · NEEDS REVIEW
Severity: Overall 5/10 (Financial 5.0, Legal 6.0, Ops 6.0)
Tags: Compliance, Operational

DataNexus only forwards data-subject requests, charges professional-services rates for any assistance, and commits to no timeframe — yet controllers must respond to most requests within one month under GDPR.

Risk insight: Require the processor to assist within a defined SLA and at no extra charge for reasonable assistance, so the Controller can meet its one-month statutory deadline.
Safer rewrite: DataNexus shall, at no additional charge, assist the Controller by appropriate technical and organizational measures to respond to data-subject requests within five (5) business days of the Controller's request, insofar as possible.
Law ref: GDPR Art. 28(3)(e), Art. 12(3)