What it means
A Data Processing Agreement is a written contract that sets out exactly how a vendor handles personal data on behalf of your business. It covers: what data is processed, for what purposes, for how long, where it is stored, who at the vendor has access, what security controls apply, what happens in the event of a breach, and what happens at the end of the engagement.
Under GDPR, DPAs are mandatory whenever a data processor handles EU personal data. Under PDPA and most other modern data laws, they are strongly recommended even when not explicitly required.
Why it matters
Without a DPA, the legal liability for any data mishandling can fall entirely on you, even if the vendor caused the problem. With a clean DPA, responsibility is clearly assigned.
The DPA is also where you negotiate practical things: data residency requirements, sub-processor approvals, breach-notification SLAs, audit rights. Generic vendor DPAs are often weak on these. Pushing for stronger language is worth the time.
Example
A Singapore healthcare company onboards an AI-agent vendor that processes patient conversation data. The standard vendor DPA does not mention data residency. The healthcare company pushes for an amendment requiring all patient data to remain on Singapore-based infrastructure. The vendor agrees in writing. Six months later, when a regulator asks about data residency, the contract is the answer.