DPA Privacy Risk Review

Upload a DPA. Get back the clauses that’ll cost you later — roles, transfers, liability caps, breach timelines — with redlines and a go/no-go call. Minutes, not hours.

Privacy & Compliance · Intermediate · Contract review · Daniel Barber · Updated June 2026

What it covers

Every agreement is reviewed across ten dimensions, each rated Sufficient, Partial, or Missing:

  • Roles & scope of processing
  • Subprocessors & change-notification rights
  • International transfers & safeguards (SCCs, IDTA, DPF)
  • Security & breach-notification timelines
  • Data subject rights (DSARs)
  • Data retention & deletion
  • Audit rights & cooperation
  • Indemnity & liability
  • Regulatory mapping — GDPR Article 28, CPRA/CCPA, HIPAA
  • Emerging risk & AI/ML provisions

What you get back

A structured Privacy Risk Report you can act on:

  • Executive summary — overall risk rating and a clear Go / Conditional Go / No-Go call
  • Findings by clause — status, the risk, the key contract language, and what to negotiate
  • Compliance matrix — GDPR Art. 28, CPRA/CCPA, and HIPAA side by side
  • Suggested redlines & vendor questions, prioritized high to low

The skill

Copy the full skill definition below into Claude. It’s a standard Markdown skill file — front-matter plus instructions.

dpa.md

---
name: dpa-review
description: "Review Data Processing Agreements (DPAs) for legal, operational, and compliance risks. Trigger this skill whenever the user uploads a DPA, data processing agreement, data processing addendum, or privacy agreement for review. Also trigger when the user asks about DPA compliance, wants to redline a DPA, needs a privacy risk assessment of a vendor agreement, mentions GDPR Article 28 review, asks about subprocessor clauses, international transfer safeguards, or any contract review focused on data protection terms. Trigger even if the user just says 'review this DPA' or 'check this for privacy risk' or uploads a PDF and mentions vendor privacy terms."
---

# DPA Privacy Risk Review

## Overview

Review a Data Processing Agreement against GDPR, CPRA/CCPA, and HIPAA standards, producing a structured Privacy Risk Report with risk ratings, clause-by-clause findings, compliance mapping, and actionable redlines.

## When to Use

- User uploads a DPA, data processing addendum, or vendor privacy agreement
- User asks for a privacy risk review of a contract
- User wants to redline or evaluate data protection terms
- User mentions reviewing vendor agreements for GDPR/CCPA/HIPAA compliance
- User references DPA compliance, subprocessor review, or international transfer analysis

## Input Requirements

The user must provide a DPA document (PDF, text, or pasted content). If no document is provided, ask:

> "Please upload the DPA (PDF or text). If you have specific areas of concern — such as international transfers, AI/ML clauses, liability caps, or jurisdictional coverage — let me know so I can prioritize those in the review."

If the document is uploaded as a PDF, read it using the pdf-reading skill or appropriate file reading tools before proceeding.

## Procedure

Review the DPA across all ten dimensions below. For each dimension, classify the finding as **Sufficient**, **Partial**, or **Missing**. Quote or reference specific contract language where relevant.

### 1. Roles and Scope of Processing

- Identify whether the vendor is acting as processor, controller, joint controller, or a hybrid role
- List the categories of personal data and data subjects covered
- Flag vague or overly broad processing purposes
- Check whether the DPA permits secondary uses: analytics, profiling, AI/ML model training, product improvement, or aggregated benchmarking
- Note if processor vs. controller roles shift depending on the service or data type

### 2. Subprocessors

- Confirm whether a subprocessor list is included, referenced by URL, or missing entirely
- Evaluate notification mechanism: does the controller get prior notice of changes?
- Check for approval rights (prior written consent vs. general authorization with objection window)
- Determine whether subprocessors are contractually bound to equivalent data protection obligations
- Flag if subprocessor list is stale, undated, or lacks geographic information

### 3. International Transfers

- Identify transfer safeguards: Standard Contractual Clauses (SCCs), UK International Data Transfer Agreement (IDTA), EU-U.S. Data Privacy Framework (DPF), Binding Corporate Rules, or adequacy decisions
- Check SCC module selection (Controller-to-Processor, Processor-to-Processor, etc.) for correctness
- Flag gaps for non-EEA transfers (UK, Switzerland, Asia-Pacific, Latin America)
- Check for transparency about data hosting locations, backup sites, and disaster recovery regions
- Note any reliance on invalidated mechanisms (Privacy Shield) or missing Transfer Impact Assessments

### 4. Security and Breach Notification

- Summarize security controls mentioned: encryption (at rest/in transit), access management, MFA, network segmentation, vulnerability management
- Check for certifications: ISO 27001, SOC 2 Type II, SOC 3, HITRUST, FedRAMP
- Evaluate breach notification timeline — look for specific hours (24, 48, 72) vs. vague language ("without undue delay")
- Check whether breach notification includes required content: nature of breach, categories of data, approximate number of data subjects, likely consequences, mitigation measures
- Flag if the DPA distinguishes between "security incident" and "personal data breach"

### 5. Data Subject Rights (DSARs)

- Confirm the processor commits to assist with: access, deletion/erasure, rectification, portability, restriction, and objection requests
- Check for defined response timelines or SLAs (not just "reasonable" or "commercially reasonable")
- Note if DSAR support is conditional on additional fees, limited in scope, or requires the controller to use a specific portal
- Check for automated decision-making / profiling opt-out support if applicable

### 6. Data Retention and Deletion

- Review post-termination data handling: return, deletion, or certification of destruction
- Check timeline for post-termination deletion (30 days, 60 days, 90 days, or unspecified)
- Confirm whether backup/archive systems are addressed — data persisting in backups is a common gap
- Flag vague carve-outs like "except as required by applicable law" without specifying which laws or retention periods
- Note if the controller can request data export before deletion

### 7. Audit Rights and Cooperation

- Determine whether the controller has direct audit rights, third-party audit rights, or is limited to reviewing SOC/ISO reports
- Check for reasonable limitations: notice period, frequency caps, confidentiality of findings, cost allocation
- Verify whether the DPA covers cooperation with Data Protection Impact Assessments (DPIAs)
- Check for cooperation obligations during regulatory investigations or supervisory authority inquiries
- Note if audit rights are meaningful or effectively neutered by excessive restrictions

### 8. Indemnity and Liability

- Review whether liability is capped (per-incident, annual aggregate, or tied to fees paid)
- Check if data protection obligations are excluded from or subject to liability caps
- Identify indemnification provisions for data protection violations, regulatory fines, or third-party claims
- Flag one-sided indemnity provisions or absence of mutual indemnification
- Note if consequential damages are excluded and whether this affects data breach recovery

### 9. Regulatory Compliance Mapping

**GDPR Article 28 checklist:**
- [ ] Processing only on documented instructions
- [ ] Confidentiality obligations on personnel
- [ ] Appropriate technical and organizational security measures
- [ ] Subprocessor conditions (prior authorization, equivalent obligations)
- [ ] Assistance with data subject rights
- [ ] Assistance with security, breach notification, DPIAs, and prior consultation
- [ ] Deletion or return of data after end of services
- [ ] Audit rights and information access

**CPRA/CCPA checklist:**
- [ ] "Service provider" or "contractor" language present
- [ ] Prohibition on selling or sharing personal information
- [ ] Use restrictions (limited to the business purpose specified)
- [ ] Prohibition on combining personal information from multiple sources
- [ ] Certification of compliance

**HIPAA (if health data is in scope):**
- [ ] Business Associate Agreement (BAA) included or referenced
- [ ] Required safeguards and breach notification terms present
- [ ] Subcontractor flow-down obligations

### 10. Emerging Risk and AI Provisions

- Check whether the DPA restricts AI/ML model training on customer data
- Look for provisions on automated decision-making transparency
- Note if the DPA offers faster-than-required DSAR support (competitive advantage indicator)
- Check for access to Records of Processing Activities (RoPA)
- Flag any provisions addressing generative AI, LLM training, or synthetic data generation
- Note provisions on data anonymization/pseudonymization and whether re-identification is prohibited

## Output Format

Structure the review as a **Privacy Risk Report** with these exact sections:

### Executive Summary

- **Overall Risk Rating**: Low 🟢 / Moderate 🟠 / High 🔴
- **Recommendation**: Go / Conditional Go / No-Go
- **Rationale**: 1–2 sentence explanation of the rating and recommendation

### Findings by Clause or Topic

For each of the 10 review dimensions:

- **Status**: Sufficient ✅ / Partial ⚠️ / Missing ❌
- **Summary**: What the DPA says (or doesn't say)
- **Risk**: What could go wrong
- **Key Language**: Quote or reference the specific clause if relevant
- **Recommendation**: What to negotiate, add, or clarify

### Compliance Matrix

A table mapping the DPA against each applicable regulation:

| Regulation | Status | Notes |
|---|---|---|
| GDPR Art. 28 | Compliant / Partial / Gap | Brief explanation |
| CPRA/CCPA | Compliant / Partial / Gap | Brief explanation |
| HIPAA | Compliant / Partial / Gap / N/A | Brief explanation |

### Suggested Redlines and Vendor Questions

- Draft specific contract edits for the most critical gaps
- List follow-up questions to send to the vendor for ambiguous or missing terms
- Prioritize by risk impact (high → low)

## Style Guidance

- Concise, professional language throughout
- Short paragraphs and clear headings
- If information is not found in the DPA, mark as **"Not Addressed"** and include a recommended vendor question
- Do not speculate about what the DPA "probably means" — flag ambiguity explicitly
- When quoting contract language, keep quotes brief and use them to illustrate a specific finding

## Edge Cases

- **Heavily redacted DPA**: Note which sections are redacted and flag that the review is incomplete in those areas
- **DPA references external documents** (e.g., "see our Security Policy at [URL]"): Note the reference and recommend the user obtain and review the linked document separately
- **Multiple jurisdictions**: If the DPA covers data subjects in multiple regions, evaluate compliance for each applicable regulation
- **No DPA provided**: Do not proceed. Ask the user to upload the document first
- **DPA is actually a privacy policy or terms of service**: Flag the mismatch and explain what a DPA should contain vs. what was provided
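
The breach-notification timeline check in section 4 of the procedure (a specific number of hours vs. "without undue delay") can be pre-screened mechanically before the full review. This is an added example, not part of the skill file or the page; the sample clauses are constructed, and the 72-hour threshold is an assumption chosen to mirror the GDPR Article 33 controller-to-authority deadline.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample clauses (not taken from any real DPA) used to exercise the classifier.
SAMPLE_CLAUSES = {
    "specific": "Processor shall notify Controller of any Personal Data Breach without undue "
                "delay and in any event within forty-eight (48) hours of becoming aware of it.",
    "vague": "Processor shall notify Controller of any Personal Data Breach without undue delay.",
    "days": "Processor will inform Controller of a Security Incident within 5 business days.",
    "silent": "Processor shall implement appropriate technical and organisational measures.",
}

# "within 72 hours", "within forty-eight (48) hours", "within 5 business days"
DEADLINE_RE = re.compile(
    r"within\s+(?:[a-z\-]+\s+)?\(?(\d+)\)?\s+(hours?|business\s+days?|calendar\s+days?|days?)",
    re.I,
)
VAGUE_RE = re.compile(r"without\s+undue\s+delay|promptly|as\s+soon\s+as\s+(?:reasonably\s+)?practicable", re.I)
BREACH_RE = re.compile(r"personal\s+data\s+breach|security\s+incident|data\s+breach", re.I)


@dataclass
class BreachFinding:
    status: str            # Sufficient / Partial / Missing, the skill's own rating scheme
    hours: Optional[int]   # deadline normalised to hours when a concrete number is given
    key_language: str      # the matched contract language, for the "Key Language" field


def assess_breach_notification(clause: str, max_hours: int = 72) -> BreachFinding:
    """Rate a clause the way section 4 of the skill asks: concrete deadline beats vague wording.

    Sufficient: a concrete deadline at or below max_hours (assumed 72h so the controller keeps
    room for its own Article 33 window). Partial: a deadline exists but is too long, or only
    vague timing language is used. Missing: breach notification is not addressed at all.
    """
    if not BREACH_RE.search(clause):
        return BreachFinding("Missing", None, "")
    m = DEADLINE_RE.search(clause)
    if m:
        n, unit = int(m.group(1)), m.group(2).lower()
        # Days are converted optimistically (business days treated as calendar days).
        hours = n if unit.startswith("hour") else n * 24
        return BreachFinding("Sufficient" if hours <= max_hours else "Partial", hours, m.group(0))
    v = VAGUE_RE.search(clause)
    return BreachFinding("Partial", None, v.group(0) if v else "")


if __name__ == "__main__":
    for label, text in SAMPLE_CLAUSES.items():
        print(label, assess_breach_notification(text))
```
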

How to use

1. Add the skill to Claude
   Paste dpa-review-SKILL.md into a Claude project or conversation.

2. Upload the DPA
   Share it as a PDF or paste the text. Flag any priorities up front — international transfers, AI/ML clauses, liability caps.

3. Get the review
   Claude returns clause-level findings, a compliance matrix, suggested redlines, and a go/no-go call. Use Claude Sonnet or Opus — the legal reasoning needs the larger models.
