The contract required between a controller and processor that governs how the processor may handle personal data.
A Data Processing Agreement is a contract that the GDPR requires whenever a processor handles personal data for a controller. It sets out the subject matter, duration, nature, and purpose of processing, the types of data and data subjects, and the obligations of both parties.
It must address security measures, confidentiality, the use of sub-processors, assistance with data subject rights, and what happens to data at the end of the relationship.