Glossary
Sovereignty & Compliance

Data Processing Agreement (DPA)

A Data Processing Agreement (DPA) is the contract required by GDPR Article 28 between a data controller (you) and a data processor (your inference provider) that governs how the provider may process personal data on your behalf. It sets out the provider's obligations - instructions, confidentiality, security, sub-processors, and deletion - and is a precondition for lawfully sending any personal data to an AI service.

Why AI inference needs a DPA

When your application sends a prompt to an inference API, that prompt frequently contains personal data - names, emails, support tickets, medical or legal text. Under GDPR you are the controller and the inference provider is a processor acting on your instructions, and Article 28 requires that this relationship be governed by a written contract: the DPA. Without one, sending personal data to the provider has no lawful basis on the processing side, no matter how good the provider's security is.

A DPA is therefore one of the first things an enterprise or regulated buyer checks - "do you offer a signable DPA?" is a gating question in most procurement and security reviews. A provider that cannot produce a proper Article 28 DPA cannot be used for anything touching personal data, which rules it out of most serious EU deployments.

What a DPA must cover

Article 28 sets out what the agreement must contain. The processor must: process personal data only on the controller's documented instructions; ensure everyone with access is bound by confidentiality; implement appropriate technical and organizational security measures; not engage sub-processors without authorization, and flow the same obligations down to them; assist the controller with data-subject rights and breach notification; and delete or return the data at the end of the service.

The sub-processor clause is where sovereignty and the DPA meet. Every party in the chain that can touch the data - the datacenter, any managed-service or hardware vendor with access - is a sub-processor that must be named and bound. This is why transparency matters: a DPA is only as strong as the honesty of its sub-processor list, and a provider under foreign jurisdiction can still be compelled to disclose despite a signed contract.

The DPA at Infercom

Infercom offers a signable GDPR Article 28 Data Processing Agreement for enterprise customers, backed by an EU operating entity and EU processing. Our sub-processors and certifications are listed transparently in our Trust Center, including where a component - such as the hardware vendor - sits outside the EU, so you can assess the full chain rather than a badge. A DPA plus EU jurisdiction is what turns "your data stays in the EU" from a marketing line into a contract you can hold us to.

Sources

Related terms

See how EU jurisdiction, data residency, and a signable DPA come together on our EU sovereign AI platform - control you can hold us to, not a badge.

Ready to Build the Future of AI in Europe?

Join forward-thinking organizations deploying sovereign AI with world-class performance