# Vendor DPA review worksheet

Last reviewed: 2026-05-21

AI Vendor Packet organizes review evidence and supports the review workflow. This template is not legal advice.

## Who this is for

Privacy, legal, and security teams reviewing whether vendor DPA evidence matches customer commitments.

## What this template is for

Use this worksheet to connect a vendor DPA to your customer-facing promises. It helps separate contract evidence from product behavior, which often needs a separate source.

## When to use it

- Before adding a new vendor to a customer DPA exhibit.
- When a customer asks for processor or subprocessor details.
- After a vendor DPA or terms page changes.

## DPA review worksheet

| Question | Current answer | Review action | Evidence |
| --- | --- | --- | --- |
| Which agreement controls? | Standard online terms, order form, marketplace agreement, enterprise agreement, or reseller path. | Record the contract path before citing the DPA. | Agreement reference and vendor source. |
| What role does the vendor play? | Processor, subprocessor, controller, service provider, or mixed role. | Check whether customer exhibit language matches the role. | DPA role language and internal data map. |
| What data is processed? | Data categories, data subjects, sensitive data, and support data. | Compare vendor DPA categories to your actual use. | DPA schedule and product owner note. |
| How are subprocessors handled? | Notice method, objection period, source URL, and customer update path. | Update evidence or customer list if needed. | Subprocessor source and decision log. |
| What should stay qualified? | Any retention, training, security, or region statement not answered by the DPA. | Find product-specific sources or mark unknown. | Issue page and reviewer note. |

## How to fill it out

- Use the DPA for contract role and processing terms.
- Use product-specific sources for model training, retention, and feature behavior.
- Keep unresolved legal wording with a named legal or privacy owner.

## Common mistakes

- Using the DPA to answer product behavior questions it does not cover.
- Forgetting reseller or marketplace contract paths.
- Listing a vendor as a subprocessor without checking actual customer data flow.

## Example worksheet note

Stripe Services Agreement and DPA reviewed for subscription billing. Payment data, invoices, and customer contact details in scope. Service-provider list checked before customer exhibit refresh.

## Generate this automatically

Use the AI Vendor Packet scanner to generate this template from selected vendors, customer data categories, and customer-facing commitments.

