Data Processing Agreements for Your Website: Who Needs One and What to Include
Steven | TrustYourWebsite · 6 April 2026
Under Article 28 of the GDPR, if another organisation processes personal data on your behalf, you need a written data processing agreement (DPA) with them. This is not optional — it is a legal requirement for every processor relationship.
Most website owners use dozens of third-party services without realising many of them are data processors. This guide explains who counts as a processor, which services typically require a DPA, and what the agreement must include.
Controller vs. Processor: The Core Distinction
You are the data controller when you decide why personal data is collected and how it is used. Your customers' names, email addresses, and purchase history: you control that data.
A third party is a data processor when they process personal data solely on your instructions, for your purposes. The processor does not use the data for their own purposes — they act as a service provider.
Independent controllers are different: they receive your customers' data but use it for their own purposes, not on your instructions, so they are not your processors. Examples: delivery companies that have their own relationship with the customer, payment processors that run fraud detection independently, and social media platforms that receive data via tracking pixels and use it for their own advertising.
The distinction matters because:
- Data processors: you need a DPA with them, and you remain responsible for the processing
- Independent controllers: you must disclose the sharing in your privacy policy, but they are responsible for their own processing
Common Website Services: Processor or Controller?
| Service type | Relationship | DPA required? |
|---|---|---|
| Web hosting / server provider | Processor | Yes |
| Google Analytics | Processor | Yes |
| Email marketing (Mailchimp, ActiveCampaign) | Processor | Yes |
| Booking / reservation system (e.g., Formitable) | Processor | Yes |
| CRM system | Processor | Yes |
| Support chat tool (Intercom, Crisp) | Processor | Yes |
| CDN (Cloudflare, AWS CloudFront) | Processor | Yes |
| Search (Algolia) | Processor | Yes |
| Payment provider (Stripe, Mollie) | Both | Partial — Stripe/Mollie handle fraud independently |
| Delivery / shipping company | Independent controller | No DPA, but disclose in privacy policy |
| Facebook Pixel | Independent controller | No DPA, but consent required |
| Thuisbezorgd / Uber Eats (delivery platforms) | Independent controller | No DPA, but disclose data sharing |
| Accountant with access to your books | Processor | Yes |
| IT support with system access | Processor | Yes |
Where to Find DPAs for Common Services
Most major SaaS platforms provide standard DPAs. You typically accept them in the account settings or by agreeing to updated terms of service.
Google Analytics / Google Workspace: Google provides a Data Processing Amendment. Accept it in: Google account settings → Data Processing Terms.
Mailchimp: Mailchimp's Data Processing Agreement is incorporated into their Terms of Service. Review it in your account settings.
Stripe: Stripe offers a Data Processing Agreement available from their legal page. Stripe is both a processor (for your billing) and an independent controller (for fraud and risk management).
Mollie: Mollie provides a standard DPA for Dutch merchants, available in their merchant portal.
Cloudflare: Cloudflare includes DPA terms in their service agreement. Enterprise plans offer a separately executable DPA.
Hosting providers (TransIP, Antagonist, Siteground, etc.): Dutch and EU-based hosting providers typically include DPA terms in their service agreements or provide a separate DPA on request.
If a service provider does not offer a DPA and processes personal data on your behalf, that is a red flag. You cannot use them for processing EU personal data without one.
What a DPA Must Include (Article 28 GDPR)
Whether you use a vendor's standard DPA or negotiate your own, it must cover:
- Subject matter and duration — what data is processed, for how long
- Nature and purpose — what the processor does with the data, and why
- Type of personal data — names, email addresses, IP addresses, health data, etc.
- Categories of data subjects — your customers, website visitors, employees
- Controller's obligations and rights — what you as controller can instruct the processor to do
The processor must commit to:
- Processing data only on your documented instructions
- Ensuring confidentiality — staff who access data must be bound by confidentiality
- Implementing appropriate security measures (Article 32)
- Only using sub-processors with your prior authorisation
- Providing DPAs with any sub-processors it uses
- Assisting you with data subject rights requests
- Deleting or returning all personal data at the end of the contract
- Providing all information necessary to demonstrate compliance
Sub-processors
A sub-processor is a third party that your processor uses to process your data. For example: Mailchimp uses AWS to host its servers. AWS is Mailchimp's sub-processor for your data.
The DPA must specify:
- Whether you give general or specific authorisation for sub-processors
- What notification your processor must give when it changes sub-processors
- That the processor must impose the same data protection obligations on its sub-processors
Most SaaS DPAs include a list of approved sub-processors and commit to notifying you before adding new ones.
Booking and Reservation Systems (Hospitality Specific)
If you run a restaurant, hotel, or other hospitality business that uses an online booking system, the booking platform is almost certainly your data processor. Guests submit their names, phone numbers, and sometimes dietary requirements — all processed by the booking system on your behalf.
Examples and their DPA status:
- Formitable / Zenchef: Merged in 2023, serving 25,000+ restaurants. DPA available in account settings.
- OpenTable: Operates as a processor for restaurant bookings. DPA incorporated in their terms.
- Resengo: Dutch booking platform, DPA available on request.
Check whether your booking system's DPA covers the specific types of data you collect — particularly dietary requirements and allergy information, which are health data under Article 9 GDPR.
When You Are the Sub-processor
If you build websites, manage social media, or provide digital services on behalf of clients, you may yourself be a data processor — processing your clients' customers' data. Your clients need a DPA with you. If they do not provide one, proactively offer one. This protects both parties.
Practical Steps
- List all third-party services your website uses
- Classify each as processor, independent controller, or joint controller
- Locate the DPA for each processor (usually in account settings or legal pages)
- Accept or sign the DPA — keep a record (screenshot, email confirmation, document)
- Add processors to your internal processing register and privacy policy
- Review annually when you add or change services
For the full picture of GDPR obligations for your website, use our GDPR compliance checklist.
This article is technical analysis, not legal advice. Consult a lawyer for advice specific to your situation.