A data processing agreement is the contract that the GDPR makes mandatory between an organisation (data controller) and any party that processes personal data on its behalf (data processor) — such as your IT partner, your ATS vendor or an integration platform. It sets out what the processor may do with the data, how it is secured and what happens in the event of a data breach.

The data processing agreement in practice

The rule of thumb: every tool or service provider that touches personal data of your clients, candidates or employees should have a data processing agreement. With SaaS services it is usually part of the standard terms (often called a 'Data Processing Agreement' or DPA); with custom work and service providers you agree it explicitly.

Do not forget the less visible links: integration platforms and connections process the same data as the systems they connect, so they need a data processing agreement too. For recruitment, where candidate data is subject to strict retention periods, this is especially relevant — see the automating recruitment playbook.

Related terms

  • SaaS — SaaS (Software as a Service) is software you use over the internet and pay for per user or per month, without running servers yourself — think Microsoft 365, Exact Online, Shopify or your ATS.
  • SLA — An SLA (Service Level Agreement) is the agreement between a service provider and a client about the level of service: response times for incidents, availability of systems, help desk opening hours and what happens if the agreed levels are not met.
  • ATS — An ATS (Applicant Tracking System) is the candidate-tracking system of a recruitment organisation: vacancies, candidates, matches and the progress per procedure in one system.

Part of the RiverFlows glossary.