Get Dropbox's Data Processing Agreement

What is a Data Processing Agreement (DPA)?

A data processing agreement, or a so-called DPA, is a legal contract between Dropbox and its processors. The purpose of the DPA is to lay out clear roles and obligations for the processors when handling personal data on Dropbox’s behalf.

Why and how should I assess this?

While the processor has obligations, ultimately the data controller is responsible for the personal data. Dropbox may only use processors that can sufficiently guarantee that the processing meets the requirements of the GDPR. Some things to look for in a DPA:

  • Processing only on documented instructions of the controller.

    The DPA must set out the purpose and duration of the processing and the type of personal data and the categories of data subjects.

  • Appropriate security measures.

    Controllers must only use vendors that can provide sufficient guarantees for the security of their processing activities.

  • The use of sub-processors.

    The processor must not use another processor (i.e., a sub-processor) to help it process personal data without prior permission from the controller.