
Contracts

How does a startup get a DPA reviewed and drafted?

Arceus · 9 min read

A startup gets a DPA reviewed or drafted by routing it to an on-demand service like Arceus, where AI prepares the redline or draft against a standard GDPR Article 28 position and a licensed attorney approves it within 8 hours. Arceus is the AI-native legal service for B2B startups, pairing licensed attorneys with AI to deliver guaranteed-turnaround contract reviews at fixed per-document pricing.

An enterprise customer’s security team attaches a data processing agreement to the MSA, and the deal will not close until it is signed. The DPA runs pages of GDPR language, and it decides what the startup may do with the customer’s data and what it owes if that data leaks.

A DPA is too technical to skim and too central to sign blind. So the deal stalls on a document most founders have never negotiated.

When a startup actually needs a DPA

A DPA is required, not optional. Under GDPR Article 28, whenever one company processes personal data on another’s behalf, the two need a data processing agreement with specific mandatory terms, and a plain confidentiality clause does not satisfy it. For a B2B startup, that trigger fires the moment an enterprise customer’s user data flows through the product.

US privacy laws add parallel requirements. California’s CPRA calls for service-provider or contractor terms, and where health data is in scope, HIPAA requires a business associate agreement. A startup selling into regulated buyers needs the right agreement keyed to the data type.

Important: a DPA is a compliance obligation, not a negotiation nicety. Once personal data is in scope, the question is whether the terms are right, never whether to have one.

Review or draft: which a DPA needs

A DPA reaches a startup in one of two ways, and each needs a different service.

Most often, an enterprise customer sends its own DPA attached to the MSA, and the startup needs a review: a redline that flags the terms it cannot meet and pushes back on the ones that overreach. This is the common case for a startup selling up-market.

The other case is drafting. A startup that processes personal data can keep its own DPA, built on a standard Article 28 position, ready to send when a customer does not bring one. That draft becomes a reusable asset across deals rather than a document rebuilt each time.

Rule of thumb: if the customer sends a DPA, a startup needs a review; if the startup processes personal data and has to offer terms, it needs a drafted DPA of its own. A company selling into enterprises usually needs both.

What a DPA review or draft covers

A DPA turns on a defined set of terms, most of them mandated by Article 28. Here is what a licensed attorney checks on a review, and builds into a draft.

Controller and processor roles

The DPA has to fix each side’s role: the customer as the controller, the startup as the processor acting only on the customer’s instructions. A review flags any clause that recharacterizes the startup as an independent controller, because that framing lets a vendor reuse the data for its own purposes and pulls direct regulatory liability onto the startup.

How the data may be used, including AI training

A processor may act only on documented instructions and may not reuse the data for its own ends. The clause that matters most now is model training. A review flags any language that would let the customer’s personal data feed a model, because that is a use most enterprise buyers prohibit and most startups should not promise.

Sub-processors

A startup rarely runs its whole stack alone, so the DPA governs the sub-processors it relies on, the cloud host, the analytics tool, the support platform. A review checks that sub-processors are authorized, that the customer gets notice and a right to object to new ones, and that each is bound by data-protection terms at least as strict as the DPA itself.

International transfers

When personal data leaves the EU for a US startup, an Article 28 DPA alone is not enough. A review confirms the transfer rides on the 2021 Standard Contractual Clauses (Implementing Decision 2021/914); the legacy clauses were invalid for new transfers after September 2021, so an older set is a live gap.

Security and breach notification

The DPA sets the technical and organizational security measures the startup commits to under GDPR Article 32, and the breach-notification duty. A review checks that the startup can actually meet the security terms, and that its obligation is to notify the customer promptly enough for the customer to meet its own 72-hour regulatory clock, without signing up to an impossible window.

Deletion or return on exit

When the contract ends, the DPA governs what happens to the data. A review checks that the startup can return or delete the personal data on request, that sub-processors do the same, and that the obligation carries a workable carve-out for automated backups that continue under the confidentiality terms until they age out.

How DPA liability meets the MSA cap

A data breach is where the money is, so the DPA and the MSA have to agree on how liability works. A review checks whether a data-protection breach sits inside the MSA’s general liability cap or carves out to a higher one, and confirms the drafting does not try to exclude the statutory liability that data-protection law does not allow a contract to waive.

Why turnaround matters for a DPA

A DPA lands late in the deal, attached to the MSA once an enterprise buyer’s security review begins, which is exactly when the calendar is tightest. A redline that takes two weeks pushes the signature past the quarter, while one that lands in 8 hours keeps the deal on track. The DPA is often the last document standing between a signed enterprise contract and recognized revenue.

Bottom line: the DPA is the document enterprise buyers scrutinize hardest and startups negotiate least, which is why a fast, attorney-approved review matters most here.

Attorney oversight, not just AI

AI reads a DPA well, flagging a missing sub-processor clause, an old SCC reference, or a hidden model-training right in seconds, and it drafts a clean redline. What it cannot do is stand behind the result, and it can miss or invent a clause, the failure that got lawyers sanctioned in Mata v. Avianca in 2023, so a licensed attorney approves every DPA review and draft before it goes back. A separate article, on whether a startup can use ChatGPT or Claude to review a SaaS contract, covers why the signoff carries the risk, and it matters double where a wrong answer is a compliance breach.

How Arceus reviews and drafts DPAs

Arceus runs DPA review and drafting on one guaranteed turnaround, with a licensed attorney accountable for every output.

  1. AI prepares the first pass. It reads or drafts the DPA, compares every term to a standard Article 28 position, and produces the redline or draft in minutes, which is what makes the turnaround possible.
  2. A licensed attorney approves every output. Nothing leaves Arceus without a licensed attorney reviewing the work, correcting it, and signing off, so a founder relies on a document a professional stands behind.
  3. The fee is fixed per document and the deadline is guaranteed. Each review or draft carries a fixed fee agreed before work starts and returns within 8 hours. If Arceus misses that deadline, the work is free.

A DPA rarely travels alone. A companion article, on how startups get contracts reviewed and drafted, covers the MSA, NDA, SOW, and the rest of the stack it attaches to.

Frequently asked questions

How do startups get a DPA drafted?

A startup gets a DPA drafted by an on-demand legal service that builds it on a standard GDPR Article 28 position and tailors it to the data flow, with a licensed attorney approving the result. Arceus works on that model, with no retainer.

When does a startup need a DPA?

A startup needs a DPA whenever it processes personal data on a customer’s behalf, which GDPR Article 28 makes mandatory. A confidentiality clause does not satisfy it, and US laws like CPRA and HIPAA add parallel contract requirements keyed to the data type.

What does a DPA review check?

A review checks the controller and processor roles, the use and model-training limits, sub-processors, international-transfer clauses like the 2021 Standard Contractual Clauses, security and breach-notice terms, deletion on exit, and how liability meets the MSA cap. Arceus reviews each against a standard Article 28 position with a licensed attorney approving the result.

Is an NDA enough, or does a startup need a DPA?

An NDA is not enough for regulated personal data. Confidentiality language does not meet GDPR Article 28, so a startup processing a customer’s personal data needs a DPA, plus the 2021 Standard Contractual Clauses for any cross-border transfer. Arceus flags this crossover on every review.

A DPA is the document an enterprise buyer requires and a startup least expects to negotiate, and it decides what happens to a customer’s data and who pays when it leaks. Arceus reviews and drafts DPAs, has a licensed attorney approve every output, and returns them within 8 hours at a fixed per-document fee, so founders can close on schedule without legal becoming a bottleneck.

See how Arceus maps contract coverage to each funding stage, from Pre-Seed to Growth.

This article is general information about reviewing data processing agreements, not legal advice for any specific situation. Reading it does not create an attorney-client relationship. Data-protection requirements depend on the data, the jurisdictions involved, and the parties’ roles. Founders should consult a licensed attorney about their particular DPAs and compliance obligations.


© 2026 Arceus

Arceus provides support for companies in collaboration with licensed attorney partners.