Your new SaaS vendor just sent over a Data Processing Agreement. Or maybe a client is asking you to sign one before they share any customer data. Either way, someone needs a signature on a DPA, and they need it soon.
You don't need to print it. Here's how to sign a DPA online and stay GDPR-compliant while doing it.
What Is a Data Processing Agreement?
A DPA -- Data Processing Agreement -- is a legally binding contract between a data controller and a data processor. In plain English: it's the agreement between a company that collects personal data (the controller) and any third party that handles that data on their behalf (the processor).
Under the GDPR, a DPA is mandatory. Article 28 requires that whenever personal data is processed by a third party, there must be a written agreement in place covering:
- What data is being processed
- Why it's being processed (the purpose)
- How long the processing will last
- What security measures are in place
- What happens when the contract ends (data deletion or return)
- Sub-processors -- any additional third parties involved
If you're a business operating in the EU, working with EU customers, or processing data of EU residents, you need DPAs with every vendor and service provider that touches personal data. That includes your email provider, analytics tools, CRM, payment processor, cloud hosting -- basically everything.
Why Every Business Needs to Sign DPAs
It's not optional. Here's what's at stake:
GDPR fines. Not having a DPA in place when one is required can result in fines of up to 10 million euros or 2% of annual global turnover, whichever is higher. Regulators have actually issued fines specifically for missing DPAs.
Client requirements. Increasingly, enterprise clients won't work with vendors who can't provide a signed DPA. It's become a standard part of procurement and vendor onboarding.
Data breach liability. Without a DPA, the lines of responsibility during a data breach become blurry. A properly signed DPA clarifies who is responsible for what, which matters enormously when things go wrong.
Trust. Having your DPAs in order signals that you take data protection seriously. It's table stakes for doing business in 2026.
How to Sign a DPA Online with CanUSign
Most DPAs arrive as PDF documents. Here's how to sign one electronically in about a minute.
Step 1: Review the DPA Carefully
Before signing anything, read the DPA. Pay attention to:
- The scope of data processing -- does it accurately describe what the processor will do with the data?
- Sub-processors -- are they listed? Is there a notification process for adding new ones?
- Security measures -- are they adequate for the sensitivity of the data?
- Data breach notification timelines -- GDPR requires notification within 72 hours, and your DPA should reflect this
- Termination clauses -- what happens to the data when the relationship ends?
If you're not sure about anything, have your legal team or a data protection consultant review it first.
Step 2: Upload the DPA PDF
Go to canusign.com/en/create/upload and upload the DPA document. It works with any PDF file.
Step 3: Add Signatures
Place your signature in the appropriate field. If the DPA needs signatures from multiple parties (which it usually does -- both the controller and processor sign), you can add signature fields for each party and share the signing link.
Step 4: Send for Counter-Signature
Share the document link with the other party. They can open it in their browser, review the document, and add their signature without installing anything or creating an account.
Step 5: Download the Signed DPA
Once all parties have signed, download the fully executed PDF. Every signature includes a timestamp and audit trail -- exactly the kind of documentation you want for GDPR compliance.
Total cost: $1 per document. No subscription needed.
Is an Electronic Signature Valid for a DPA?
Yes. The GDPR requires DPAs to be "in writing, including in electronic form" (Article 28(9)). Electronic signatures are explicitly valid.
Under the eIDAS regulation, which governs electronic signatures in the EU, a simple electronic signature (SES) is legally recognized and sufficient for DPAs. You don't need a qualified electronic signature (QES) unless your specific circumstances require it (which is rare for DPAs).
In the US, the ESIGN Act similarly recognizes electronic signatures for data processing agreements. The same applies in the UK under the Electronic Communications Act 2000, now supplemented by the UK GDPR.
The key requirement is that the signature demonstrates clear intent to sign and that there's a reliable record of who signed and when. The audit trail provided by CanUSign satisfies this requirement.
Audit Trail: Why It Matters for Compliance
When a data protection authority comes knocking, "we signed it" isn't enough. You need to prove it.
An audit trail records:
- Who signed the document (name, email)
- When they signed (exact date and time)
- From where (IP address)
- What they signed (the document is locked after signing)
This is particularly valuable for DPAs because regulators may ask you to demonstrate that you had a valid agreement in place before processing began. A signed PDF with a clear audit trail is much stronger evidence than a printout with a scanned signature.
Multi-Party DPA Signing
DPAs frequently involve more than two parties. Common scenarios include:
- Controller + Processor -- the standard setup
- Controller + Processor + Sub-processors -- when the processor uses additional service providers
- Multiple controllers -- joint controller arrangements under Article 26 GDPR
With CanUSign, you can set up signature fields for each party. Send the signing link to everyone involved, and they sign in sequence or simultaneously. You'll get a single PDF with all signatures and a complete audit trail.
Tips for Managing Your DPAs
Keep a register. Maintain a spreadsheet or database of all your DPAs, who they're with, when they were signed, and when they expire. GDPR Article 30 requires records of processing activities, and your DPA register feeds into that.
Set review dates. DPAs should be reviewed periodically, especially when the scope of processing changes, when new sub-processors are added, or when regulations change.
Store signed copies securely. Your signed DPAs contain details about data processing activities. Store them in a secure location with access limited to people who need them.
Use a standard template. If you're a processor signing DPAs with multiple clients, having a standard DPA template saves time. Upload it once, customize the details for each client, and sign.
Frequently Asked Questions
Does the GDPR require a signed DPA?
Yes. Article 28 of the GDPR requires a binding written agreement (which includes electronic form) between controllers and processors. Both parties must sign or otherwise formally agree to the terms.
Can I sign a DPA on my phone?
Yes. CanUSign works in any mobile browser. Upload the PDF, sign with your finger, and download the executed agreement.
How much does it cost to sign a DPA online?
CanUSign charges $1 per document. No subscription, no monthly fee. Pay only when you need to sign.
What if the other party doesn't have CanUSign?
They don't need it. When you share a signing link, the other party opens it in their browser and signs. No account or software required on their end.
Get Your DPA Signed Today
Data processing agreements are non-negotiable under GDPR. Don't let the signing process slow down your vendor onboarding or client relationships. Upload your DPA to CanUSign, collect all signatures digitally, and keep a GDPR-ready audit trail.
One dollar. Full compliance. No printer required.