What is this document?
This is a customizable Data Processing Agreement (DPA) designed for agencies reselling the DropSaaS platform under their own brand. It formalizes the relationship between your agency and each local business client by clearly defining how customer data is handled, stored, and processed in compliance with the General Data Protection Regulation (GDPR).
Why is this necessary?
Under GDPR, any time personal data is processed on behalf of another business, a written agreement is legally required. If your clients use the platform to send SMS campaigns, request reviews, manage contacts, or communicate with end users, you are acting as a data processor on their behalf—and a DPA is mandatory.
This document:
Defines roles and legal responsibilities
Protects both parties with a formal record of compliance
Provides transparency for clients and regulators
Builds trust, especially with privacy-conscious businesses
Who is who in this agreement?
The local business is the Data Controller — they own and control the customer data.
Your agency is the Data Processor — you process that data on their behalf using DropSaaS.
🛠 How to implement this DPA
Download the DPA template using the link below.
Replace placeholder fields such as [Local Business Name], [Agency Name], and contact information.
Review the clauses with your client, then have both parties sign the agreement—digitally or on paper.
Store the signed document in your agency’s GDPR compliance records.
This simple step not only fulfills a legal requirement—it also positions your agency as professional, trustworthy, and fully aligned with European data protection standards.
Copy This Template
Data Processing Agreement (DPA)
Between [Local Business Name] (Controller) and [Agency Name] (Processor)
Parties
This Data Processing Agreement ("Agreement") is entered into by and between:
[Local Business Name], located at [Local Business Address], email [Local Business Email] ("Controller")
[Agency Name], located at [Agency Address], email [Agency Email] ("Processor")
Purpose of the Agreement
This Agreement governs the processing of personal data by the Processor on behalf of the Controller, in connection with the provision of software-based marketing and communication services under the Controller's account.
Nature and Purpose of the Processing
The Processor shall process personal data solely for the purpose of providing access and operational support to the platform and related services, including but not limited to:
Registration and login of users via magic link
Setup and management of SMS campaigns
Contact list upload and segmentation
Review request campaigns
Centralized inbox for chat aggregation
Social media post scheduling
Business profile integrations and review management
Analytics and reporting features
Technical support and user assistance
Categories of Data Subjects
The Controller's clients (end customers)
Users and staff authorized by the Controller to access the platform
Types of Personal Data Processed
Contact information: names, phone numbers, email addresses
Campaign data: message content, delivery reports, opt-out links
Integration data: business listings, scheduled posts, tokens
Usage logs and metadata (e.g., login attempts, browser info)
Chat message content (if applicable)
Support ticket content
No special categories of data (e.g., health, religious beliefs) are expected to be processed.
Sub-processors
The Controller authorizes the use of the following sub-processors:
Hosting and infrastructure providers (e.g., cloud hosting, databases)
SMS communication API providers
Payment processing providers (if applicable)
External APIs for social media and business integrations
The Processor shall notify the Controller of any changes to sub-processors in advance.
Obligations of the Processor
The Processor shall:
Process personal data solely on documented instructions from the Controller
Ensure confidentiality among authorized staff
Implement appropriate technical and organizational security measures (e.g., HTTPS, access roles, secure storage)
Assist the Controller in responding to data subject requests (access, rectification, deletion, etc.)
Notify the Controller without undue delay of any personal data breach
Provide relevant documentation and allow audits if reasonably requested
Delete or return all personal data upon termination, unless otherwise required by law
Data Transfers
If personal data is transferred outside the European Economic Area, the Processor shall ensure the presence of adequate safeguards (such as Standard Contractual Clauses).
Retention
Personal data will be retained only for the duration necessary to perform the services, or as agreed with the Controller. Upon termination, all data shall be deleted or returned.
Governing Law
This Agreement shall be governed by and interpreted in accordance with the laws of [Insert Country].
Signatures
Controller
Name: _________________________
Company: [Local Business Name]
Date: _________________________
Processor
Name: _________________________
Company: [Agency Name]
Date: _________________________