A data processing agreement review is some of the most repeatable work an in-house privacy team does: the same GDPR Article 28 terms, the same negotiation points, agreement after agreement. That sameness is what makes AI DPA review such a good fit for in-house counsel. A legal AI platform runs the clause-by-clause comparison against your standard in the time it takes to read the first page, then hands you a clean list of what is missing and what is off-market, so you spend your judgment where it counts.
Ask a privacy lawyer who already works this way and you hear the same:
"Junior teammates now run the checklist prompt first and bring me the output as the predicate for my review."
KT Farley, Chief Privacy Officer and Associate General Counsel at Helix, runs exactly that play on her own privacy team.
GC AI was built for this kind of work by Cecilia Ziniti, a three-time general counsel, and DPA review is one of the four pre-built Playbooks the platform ships with, alongside a Mutual NDA, a SaaS MSA, and a commercial MSA for vendor purchases.
When Do You Need a DPA?
A data processing agreement (DPA) is a binding contract between a data controller and a data processor that sets the rules for how the processor handles personal data on the controller's behalf. GDPR Article 28(3) requires that engagement to be governed by a contract (or other binding legal act) in writing, which makes a DPA mandatory for nearly every vendor that processes personal data on your behalf.
In practice, almost every vendor with a personal-data component triggers a DPA. The one exception worth checking is a vendor that decides the purposes and means of processing itself; it is then an independent controller rather than your processor, and the relationship needs a different agreement.
Your CRM, your payroll provider, your analytics stack, your support-ticketing tool, and your cloud host each process data your company is responsible for, so each one needs a DPA on file.
For an in-house team at a B2B SaaS company, DPA review runs in two directions: you review vendor DPAs on the buy side, and you review your customers' redlines to your own DPA on the sell side.
GC AI's DPA Playbook handles both, because it asks at the start whether it is reviewing third-party paper, a vendor's agreement you are seeing for the first time, or your own first-party paper that the other side has marked up.
It is the same document type reviewed in two directions, dozens of times a quarter. That volume is what makes DPA review worth automating, the same pattern that makes AI contract review repeatable across an in-house team's other agreements.
Put your next DPA into a GC AI Playbook or book a demo to watch the DPA Playbook run on your own paper.
The Terms AI Checks in a Data Processing Agreement Review
A DPA review starts with a fixed checklist, because GDPR Article 28(3) spells out exactly what the contract must contain.
AI handles this well for the same reason a trained junior privacy associate does: the standard holds steady, so the comparison is mechanical. In the In-House Legal Bench (May 2026), GC AI led the contract analysis category at 82.7%, 9.9 points ahead of the next tool, on the kind of fixed-standard comparison a DPA review depends on.

The list below is the Article 28 checklist an AI DPA review runs against, drawn from the regulation and the ICO's processor-contract guidance, and it doubles as a copy-ready checklist your team can keep.
| Required Term | What AI Confirms |
| --- | --- |
| Subject Matter and Duration | The agreement states what processing covers and how long it runs. |
| Nature and Purpose | The processing purpose is specifically defined and limited in scope. |
| Type of Data and Categories of Subjects | The agreement names the personal data and whose data it is. |
| Documented Instructions | The processor acts only on the controller's written instructions. |
| Confidentiality | Personnel handling the data are bound to confidentiality. |
| Security Measures | The agreement commits to Article 32 security controls. |
| Sub-Processor Authorization | Sub-processors require prior authorization, with notice of changes and a right to object. |
| Sub-Processor Flow-Down | Sub-processors are bound by the same Article 28 obligations. |
| International Transfers | Transfers outside the EEA rest on a valid mechanism. |
| Assistance With Data-Subject Rights | The processor helps the controller respond to access, deletion, and similar requests. |
| Breach Notification | The processor notifies the controller of a breach, and the timeline is stated. |
| Audit Rights | The controller can request information or audit to confirm compliance. |
| Deletion or Return on Termination | Data is deleted or returned at the controller's choice when the contract ends. |
The terms that swallow the most negotiation are the moving parts: sub-processor authorization and flow-down, international transfers, and breach-notification timelines.
On transfers, AI checks whether the agreement relies on a valid mechanism, most commonly the 2021 Standard Contractual Clauses issued by the European Commission, and whether the right module is attached, since Module Two governs the controller-to-processor relationship most vendor DPAs document. It also surfaces the gaps that survive a skim: a DPA that names the SCCs but never appends them, or one that covers EU data while your deal also moves UK or Swiss personal data that needs the UK Addendum or the Swiss annex to ride along.
On breach notification, it flags whether a concrete timeline appears at all and whether a vendor's bare "without undue delay" leaves you with no fixed hour count to set against your own 72-hour Article 33 clock.
This is also where a saved review pays off across a team. Alexis Palmer, Senior Managing Counsel at Snyk, described the work on enterprise paper:
"A lot of times they'll ask for language tied to regulatory requirements, and I'll use GC AI to research what those requirements actually are and draft something that works for both sides."
Because the Article 28 baseline holds steady, the review can run the same way every time.
What a DPA Review Catches: A Worked Example
A DPA review is a focused kind of AI legal document review: GC AI's DPA Playbook sorts every clause into one of three buckets.
Pass: the clause satisfies your standard.
Fallback: the clause is acceptable only under conditions you defined in advance and want to approve case by case.
Flag: the clause conflicts with your standard, and that is where the Playbook drafts a suggested red line.
GC AI solutions attorney Taylor Robertson runs the same Playbook engine on a live vendor agreement, sorting clauses and flagging off-standard terms the way a DPA review does.
Take breach notification, the term that trips up the most vendor DPAs. GDPR Article 33 gives the controller a hard deadline: notify the supervisory authority of a personal data breach "without undue delay and, where feasible, not later than 72 hours after having become aware of it."
A vendor's DPA that commits only to tell you "without undue delay," with no fixed hour count, mirrors the floor Article 33(2) sets for processors, which is why vendors offer it, but it leaves you to absorb the gap between its open-ended timeline and your 72-hour clock.
Run that DPA through the Playbook and the clause comes back flagged. The analysis explains why: the processor's open-ended promise gives you no contractual deadline to meet your own Article 33 obligation.
The suggested red line, drafted directly in Microsoft Word, replaces "without undue delay" with the fixed deadline you set as your standard position, say notification within 48 hours of the processor becoming aware. You still decide whether 48 hours or 24 is the right ask for this vendor. The Playbook makes sure the gap reaches your desk already marked, with the fix drafted.
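The three-bucket sort above, applied to the breach-notification term, as an added example that is not GC AI's code or the Playbook's logic: it pulls the notification window out of a clause, compares it to a policy you set (an assumed 48-hour standard and 72-hour fallback ceiling), and returns Pass, Fallback or Flag with the reason. The sample clauses are constructed, and the thresholds, function names and the two extra checks (windows stated in business days, and clocks that start at confirmation rather than awareness) are assumptions added here, not positions the page takes.

```python
"""Sort a processor's breach-notification clause into Pass / Fallback / Flag.

Added example, not GC AI or Playbook code. Thresholds, sample clauses and
the extra edge-case checks are assumptions made for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


# Assumed policy: at or under standard_hours passes; up to fallback_hours
# needs case-by-case approval; anything beyond that is flagged.
@dataclass(frozen=True)
class Policy:
    standard_hours: int = 48
    fallback_hours: int = 72


@dataclass(frozen=True)
class Window:
    hours: int                          # window converted to hours
    business_days: bool                 # stated in business days, not a fixed clock
    clock_starts_on_confirmation: bool  # runs from "confirmed", not "aware"


WORD_NUMBERS = {
    "one": 1, "two": 2, "three": 3, "five": 5, "seven": 7, "ten": 10,
    "twenty-four": 24, "forty-eight": 48, "seventy-two": 72, "ninety-six": 96,
}
UNIT_HOURS = {"hour": 1, "day": 24}

# "within 48 hours", "seventy-two (72) hours", "2 business days"
DIGIT_RE = re.compile(
    r"(?P<num>\d{1,3})\s*\)?\s*(?P<business>business\s+)?(?P<unit>hour|day)s?\b"
)
# "seventy-two hours", "two business days" (number written out, longest first)
WORD_RE = re.compile(
    r"\b(?P<word>"
    + "|".join(re.escape(w) for w in sorted(WORD_NUMBERS, key=len, reverse=True))
    + r")\s+(?:\(\d+\)\s+)?(?P<business>business\s+)?(?P<unit>hour|day)s?\b"
)


def extract_window(clause: str) -> Optional[Window]:
    """Return the notification window, or None if the clause names no deadline."""
    text = clause.lower()
    match = DIGIT_RE.search(text) or WORD_RE.search(text)
    if match is None:
        return None  # "without undue delay", "promptly": no fixed hour count
    groups = match.groupdict()
    count = int(groups["num"]) if groups.get("num") else WORD_NUMBERS[groups["word"]]
    return Window(
        hours=count * UNIT_HOURS[groups["unit"]],
        business_days=bool(groups.get("business")),
        # Article 33 runs from awareness; a clock that starts at confirmation
        # lets the vendor sit on a suspected breach before your clock starts.
        clock_starts_on_confirmation=(
            ("confirm" in text or "verif" in text) and "aware" not in text
        ),
    )


def classify(clause: str, policy: Policy = Policy()) -> Tuple[str, str]:
    """Return (bucket, reason) for one breach-notification clause."""
    window = extract_window(clause)
    if window is None:
        return "Flag", "no fixed deadline; nothing contractual to meet the 72-hour Article 33 clock with"
    if window.business_days:
        return "Flag", f"{window.hours} h stated in business days; a weekend stretches it past Article 33"
    if window.clock_starts_on_confirmation:
        return "Flag", f"{window.hours} h runs from confirmation, not from becoming aware"
    if window.hours <= policy.standard_hours:
        return "Pass", f"{window.hours} h is within the {policy.standard_hours} h standard"
    if window.hours <= policy.fallback_hours:
        return "Fallback", f"{window.hours} h exceeds the standard; approve case by case up to {policy.fallback_hours} h"
    return "Flag", f"{window.hours} h exceeds the {policy.fallback_hours} h fallback ceiling"


def suggested_redline(policy: Policy = Policy()) -> str:
    """Replacement wording that pins the open-ended promise to the standard."""
    return (
        "Processor shall notify Controller without undue delay, and in any event within "
        f"{policy.standard_hours} hours, after becoming aware of a Personal Data Breach."
    )


# Constructed sample clauses, not taken from any real DPA.
SAMPLE_CLAUSES: Dict[str, str] = {
    "open_ended": "Processor shall notify Controller without undue delay after becoming aware of a Personal Data Breach.",
    "fixed_48": "Processor shall notify Controller without undue delay and in any event within 48 hours after becoming aware of a Personal Data Breach.",
    "fixed_72_words": "Processor will notify Controller not later than seventy-two (72) hours after becoming aware of a Personal Data Breach.",
    "fixed_96": "Processor shall notify Controller within 96 hours of becoming aware of a Personal Data Breach.",
    "business_days": "Processor shall notify Controller within two business days after becoming aware of a Personal Data Breach.",
    "late_clock": "Processor shall notify Controller within 24 hours after Processor has confirmed that a Personal Data Breach occurred.",
}


def review(clauses: Dict[str, str], policy: Policy = Policy()) -> Dict[str, Tuple[str, str]]:
    """Run every clause through the sort and keep the bucket and reason."""
    return {name: classify(text, policy) for name, text in clauses.items()}


if __name__ == "__main__":
    for name, (bucket, reason) in review(SAMPLE_CLAUSES).items():
        print(f"{name:15} {bucket:9} {reason}")
        if bucket == "Flag":
            print(f"{'':15} redline: {suggested_redline()}")
```

Two design choices are worth noting. The open-ended clause and the 96-hour clause land in the same bucket for different reasons, so the reason string, not just the bucket, is what reaches the reviewer. And the business-day and confirmation-trigger checks are flagged before the hour count is compared at all, because a 24-hour window that starts only when the vendor decides a breach is "confirmed" is not really a 24-hour window.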
Where You Still Own the Call
AI runs the comparison, but you are the one who owns the risk. A DPA review surfaces that a vendor's breach-notification window is 96 hours rather than the 72 you want, or that the sub-processor list includes a transfer to a jurisdiction without an adequacy decision. The platform flags both in seconds. Whether your company accepts a 96-hour window from a low-risk analytics vendor or holds the line because the data set includes health information is a judgment call that belongs to counsel.
The same is true for regulator exposure. A non-standard audit clause might be fine for a vendor processing marketing-list emails and unacceptable for one processing your customers' financial records. AI gives you the gap, and you weigh it against the data, the vendor, and your company's appetite for the position. This is the right division of labor for AI DPA review: the platform reads every clause and never tires on the fortieth agreement, and you accept or reject the risk, the part no model should own.
Your AI Vendor Is a Processor Too
DPA review has a recursive twist worth naming: the moment you send a draft DPA to an AI platform, that platform becomes a processor of whatever personal data the document carries and, for data your customers entrusted to you, a sub-processor you have to diligence and disclose. The first DPA an in-house team should scrutinize is often the one covering its own AI stack.
That diligence question is one GC AI is built to pass. GC AI has SOC 2 Type II and SOC 3 reports, is GDPR compliant, has zero-data-retention agreements with OpenAI and Anthropic, and encrypts data with AES-256, all documented on its security page. Any in-house team evaluating an AI platform for privacy work should ask a vendor to evidence the same controls before sending it a single agreement full of personal data: the SOC 2 report itself rather than a badge, the sub-processor list including the model providers, and the retention terms those providers have signed.
Running DPA Review as a Repeatable Workflow in GC AI
The payoff compounds when your standard stops living in one lawyer's head. Because the DPA Playbook is tunable, your team can load its own breach-notification window, its own approved sub-processor jurisdictions, and its own fallback positions, so every reviewer applies the standard your senior privacy lawyer would.
GC AI teaches teams how to do exactly that in its free Playbooks classes, CLE-eligible sessions taught by former general counsels and solutions attorneys. In one, GC AI solutions attorney Taylor Robertson walked through how teams personalize the DPA Playbook:
"It's more relevant to have references to GDPR and maybe the UK Data Act [UK GDPR/Data Protection Act 2018]. There are circumstances where even your standard positions are maybe only applicable in certain circumstances."
Because the review lives inside Microsoft Word as well as the web app, the redline happens where the document already is, the same place AI contract negotiation plays out for in-house teams. GC AI for Word runs the Playbook against the open DPA, marks the gaps, and drafts replacement language you can drop straight into the agreement. The privacy baseline you negotiate every quarter becomes a shared team workflow, captured in the Playbook so any reviewer applies the same standard.
Frequently Asked Questions
What Is a DPA Review?
A DPA review is the process of checking a data processing agreement against the terms it must legally contain and the positions your company is willing to accept. Under GDPR Article 28(3), the required terms include subject matter and duration, sub-processor authorization, international-transfer mechanisms, breach notification, audit rights, and deletion or return of data on termination. AI DPA review runs that clause-by-clause comparison automatically, then surfaces the gaps for a lawyer to weigh.
Can AI Review a Data Processing Agreement Accurately?
Yes, for the parts of DPA review that are a fixed comparison against a known standard. AI is well-suited to confirming whether a DPA contains the required GDPR Article 28 terms and flagging non-standard positions, because the checklist holds steady between agreements. GC AI ships a pre-built DPA Playbook loaded with the Article 28 baseline, and the lawyer still owns the risk-acceptance and regulator-exposure decisions the model should not make.
When Is a Data Processing Agreement Required?
A DPA is required under GDPR Article 28 whenever a data controller engages a processor to handle personal data on its behalf. In practice, that covers almost every vendor with a personal-data component, including CRMs, payroll providers, analytics tools, support platforms, and cloud hosts. In-house teams review vendor DPAs on the buy side and their customers' redlines to their own DPA on the sell side.
What Does AI Check in a DPA Against GDPR Article 28?
AI checks for subject matter and duration, the nature and purpose of processing, the type of personal data and categories of data subjects, processing on documented instructions, confidentiality, Article 32 security measures, sub-processor authorization and flow-down, international transfers and Standard Contractual Clauses, assistance with data-subject rights, breach-notification timelines, audit rights, and deletion or return of data on termination. GC AI's DPA Playbook runs all of these as a single agentic review.
Is GC AI Secure Enough to Review Documents With Personal Data?
GC AI has SOC 2 Type II and SOC 3 reports, is GDPR compliant, has zero-data-retention agreements with OpenAI and Anthropic, and encrypts data with AES-256. More than 1,700 in-house teams across 53 countries use GC AI as of May 2026, including legal departments at Hitachi, Liquid Death, Snyk, and Columbia, plus 80+ public companies and 25 unicorns.