Compliance | 8 min read | March 2, 2026

Data Processing Agreements Under GDPR: What You Need to Know in 2026

If a vendor processes personal data of individuals in the EU/EEA on your behalf, you need a DPA. Engaging a processor without one breaches Article 28, and infringements of the controller and processor obligations in Articles 25 to 39 are fined under Article 83(4) at up to €10 million or 2% of global annual turnover, whichever is higher. The widely quoted 4% tier (Article 83(5)) applies to other infringements, such as unlawful international transfers or breaches of the basic processing principles, which a missing or defective DPA can easily lead to.

Tags: GDPR, DPA, data privacy, compliance, EU

When a DPA is required

Under Article 28 of the GDPR, a Data Processing Agreement (the Regulation calls it a "contract or other legal act", and Article 28(9) requires it to be in writing, including electronic form) is required whenever a "controller" (the organisation that determines the purposes and means of processing) engages a "processor" (an organisation that processes personal data on the controller's behalf).

In practice this means every SaaS vendor that handles your customers' data, every cloud hosting provider, your email service provider and your analytics tools need a DPA. If a vendor touches personal data of individuals in the EU/EEA on your behalf, you need a DPA with them. The first check is whether the vendor really is a processor: a vendor that decides its own purposes for the data (an ad network that also uses it for its own targeting, for example) is a controller in its own right, Article 28 does not apply to that relationship, and you need a controller-to-controller or joint-controller arrangement (Article 26) instead.

The 9 required elements

Article 28(3) first requires the contract to set out the subject matter and duration of the processing, its nature and purpose, the type of personal data and the categories of data subjects. It must then oblige the processor to:

1. process personal data only on the controller's documented instructions, including with regard to transfers to third countries;
2. ensure that persons authorised to process the data are bound by confidentiality;
3. implement the security measures required by Article 32;
4. engage sub-processors only under the conditions of Article 28(2) and 28(4) (prior authorisation, and the same obligations flowed down by contract);
5. assist the controller in responding to data subject rights requests;
6. assist the controller with security, breach notification and data protection impact assessments (Articles 32 to 36);
7. delete or return all personal data at the end of the service, unless EU or Member State law requires it to be kept;
8. make available all information needed to demonstrate compliance, and allow and contribute to audits and inspections;
9. inform the controller immediately if, in its opinion, an instruction infringes the GDPR or other EU or Member State data protection law.

Missing any of these means the contract does not meet Article 28(3), however good the vendor's security is in practice. The same content is required whether the DPA is a standalone document or a schedule to the main service agreement, and a vendor's generic "we comply with GDPR" clause does not substitute for it.

Sub-processor rules

Your vendor almost certainly uses sub-processors (AWS for hosting, Stripe for payments, Twilio for SMS). Article 28(2) and 28(4) require the processor to obtain your prior written authorisation before engaging any sub-processor, either specific (per sub-processor) or general; where the authorisation is general, to inform you of any intended addition or replacement so that you have the opportunity to object; and to flow down the same data protection obligations to each sub-processor by contract. The processor also remains fully liable to you for a sub-processor's failures. A published, current sub-processor list and a fixed advance notice period (30 days is common) are not in the Regulation itself; they are the market-standard way of making the "opportunity to object" workable, so write them into the DPA explicitly rather than relying on the vendor's policy page.

The notice period and the objection right are what give you control. Without advance notice, a vendor operating under a general authorisation could route your data to a new sub-processor before you know it exists. When reviewing the clause, check what happens if you object: an objection right with no remedy is worthless, so the DPA should let you terminate the affected service without penalty if the vendor cannot resolve your objection.

Cross-border transfers after Schrems II

If your vendor transfers personal data outside the EEA (including remote access by support staff located in a third country), the DPA must address this with a valid Chapter V transfer mechanism. The usual choice is the Standard Contractual Clauses (SCCs) adopted by the European Commission in 2021; under those clauses the parties must document a transfer impact assessment showing that the destination country's laws do not undermine the protections (Clause 14), which is the obligation the Schrems II judgment created. For the United States, the EU-US Data Privacy Framework adequacy decision covers companies that have self-certified under it, but not every US vendor is certified, so check the vendor against the Department of Commerce's DPF list rather than taking its word for it.

Your DPA should specify where data will be processed and stored (including support and backup locations), which transfer mechanism applies to each transfer, which SCC module the parties sign (Module 2 for controller-to-processor, Module 3 for processor-to-processor), and a commitment to implement supplementary measures (such as encryption with keys held only within the EEA) where the transfer impact assessment finds them necessary.

Breach notification timelines

Article 33(1) requires the controller to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach. Article 33(2) only requires the processor to notify the controller "without undue delay", with no fixed number, so the DPA should set one. Contracts commonly require notice within 24 to 48 hours; whatever you choose, it must leave you time to assess the breach and file your own notification, since your 72-hour clock starts once the processor tells you. Also require the processor to notify you of every breach, not just those it judges serious: under the GDPR the risk assessment is the controller's decision, not the processor's.

The notification should include the nature and scope of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it, mirroring what Article 33(3) requires you to tell the regulator. Article 33(4) allows this information to be provided in phases, so the DPA should require an initial notice as soon as the processor becomes aware, with details to follow, rather than letting the processor wait until its investigation is complete.
