IndexableDPA reviewLast reviewed 2026-05-21

Vendor DPA review worksheet

Use this worksheet to connect a vendor DPA to your customer-facing promises. It helps separate contract evidence from product behavior, which often needs a separate source.

Download Markdown Download CSV Generate this automatically

Who it is for

Privacy, legal, and security teams reviewing whether vendor DPA evidence matches customer commitments.

Template

DPA review worksheet with 5 starter rows.

Download formats

Markdown for docs, CSV for spreadsheet review.

When to use it

Before adding a new vendor to a customer DPA exhibit.
When a customer asks for processor or subprocessor details.
After a vendor DPA or terms page changes.

How to fill it out

Use the DPA for contract role and processing terms.
Use product-specific sources for model training, retention, and feature behavior.
Keep unresolved legal wording with a named legal or privacy owner.

DPA review worksheet

Use these rows as a starting point, then replace the example language with your vendor, source, customer data, and owner details.

4 columns

Question: Which agreement controls?
Current answer: Standard online terms, order form, marketplace agreement, enterprise agreement, or reseller path.
Review action: Record the contract path before citing the DPA.
Evidence: Agreement reference and vendor source.

Question: What role does the vendor play?
Current answer: Processor, subprocessor, controller, service provider, or mixed role.
Review action: Check whether customer exhibit language matches the role.
Evidence: DPA role language and internal data map.

Question: What data is processed?
Current answer: Data categories, data subjects, sensitive data, and support data.
Review action: Compare vendor DPA categories to your actual use.
Evidence: DPA schedule and product owner note.

Question: How are subprocessors handled?
Current answer: Notice method, objection period, source URL, and customer update path.
Review action: Update evidence or customer list if needed.
Evidence: Subprocessor source and decision log.

Question: What should stay qualified?
Current answer: Any retention, training, security, or region statement not answered by the DPA.
Review action: Find product-specific sources or mark unknown.
Evidence: Issue page and reviewer note.

Question	Current answer	Review action	Evidence
Which agreement controls?	Standard online terms, order form, marketplace agreement, enterprise agreement, or reseller path.	Record the contract path before citing the DPA.	Agreement reference and vendor source.
What role does the vendor play?	Processor, subprocessor, controller, service provider, or mixed role.	Check whether customer exhibit language matches the role.	DPA role language and internal data map.
What data is processed?	Data categories, data subjects, sensitive data, and support data.	Compare vendor DPA categories to your actual use.	DPA schedule and product owner note.
How are subprocessors handled?	Notice method, objection period, source URL, and customer update path.	Update evidence or customer list if needed.	Subprocessor source and decision log.
What should stay qualified?	Any retention, training, security, or region statement not answered by the DPA.	Find product-specific sources or mark unknown.	Issue page and reviewer note.

Common mistakes

Using the DPA to answer product behavior questions it does not cover.
Forgetting reseller or marketplace contract paths.
Listing a vendor as a subprocessor without checking actual customer data flow.

Example worksheet note

Stripe Services Agreement and DPA reviewed for subscription billing. Payment data, invoices, and customer contact details in scope. Service-provider list checked before customer exhibit refresh.

AI Vendor Packet organizes review packet evidence and review workflow support. This template is not legal advice.

Related vendor pages

Use these vendor pages to fill in vendor-specific rows before sharing the template with customers or auditors.

StripeReview Stripe privacy, terms, DPA, security, and data-use sources for SaaS customer commitments.PaddleReview Paddle privacy, terms, DPA, security, and data-use sources for SaaS customer commitments.Microsoft 365 / CopilotReview Microsoft 365 / Copilot privacy, terms, DPA, security, and data-use sources for SaaS customer commitments.ZendeskReview Zendesk privacy, terms, DPA, security, and data-use sources for SaaS customer commitments.

Related templates

These templates pair well when the review leads to a customer-facing update, evidence packet, or internal decision.

Subprocessor change review checklistUse this checklist when a vendor adds, removes, or changes a subprocessor, or when your team starts using a new vendor feature that changes the subprocessor story.Customer notification decision log templateUse this log to record the decision, not just the change. It keeps customer notice decisions grounded in source evidence, contract review, and owner approval.

Turn this template into a review packet.

Select your vendors, customer commitments, and data categories. AI Vendor Packet turns official-source checks into a review packet your team can keep as evidence.

Generate DPA review notes View all templates