How to fix: Data processing addendum referenced

GDPR Art. 28(3)

Why this matters

Each processing activity needs a stated legal basis under GDPR Article 6 (consent, contract, legitimate interest, etc.). 'Because we want to' is not one of them — the basis has to be in the privacy policy.

Background

If you process personal data on behalf of business clients (SaaS, agency, hosting), GDPR Art. 28 requires a Data Processing Agreement (DPA). Linking the DPA from your privacy page or sign-up flow proves it exists and lets clients self-serve.

References

GDPR Art. 28(3) — processor contracts must be made available

How to fix

Code snippet for each stack we cover. Pick the one matching your server / framework.

nginx: No server config needed; this is a content link.
apache: Same as nginx.
cloudflare: Same as nginx.
wordpress: Add a 'Data Processing Agreement' link in the footer and the sign-up flow. Template: GDPR.eu DPA template or your legal team's draft.
flask: Add a /dpa route, or a static PDF link, in your privacy policy and footer.
express: Same as flask.
rails: Same as flask.

Verify it's working

Search your privacy policy and footer for 'Data Processing Agreement' or 'DPA'. You should find a link to a real document.
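
A scripted version of this check, as an added example that is not part of the original guide: it parses a page's HTML with Python's standard library and returns the links whose text or URL mentions the DPA, ignoring placeholder hrefs. The sample HTML and the `/legal/dpa.pdf` path are constructed, and matching 'addendum' as well as 'agreement' is an assumption taken from the guide's title.

```python
import re
from html.parser import HTMLParser

# Phrases the guide says to search for; "addendum" is an assumption from its title.
DPA_PATTERN = re.compile(r"data[\s_-]*processing[\s_-]*(agreement|addendum)|(?<![a-z])dpa(?![a-z])", re.I)
# hrefs that cannot point at a real document: empty, bare "#", javascript:
PLACEHOLDER_HREF = re.compile(r"^\s*(#|javascript:.*)?\s*$", re.I)

class _AnchorCollector(HTMLParser):
    """Collects (visible text, href) for every <a> element."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse line breaks and runs of spaces inside the link text.
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None

def find_dpa_links(html):
    """Return (text, href) for anchors that mention the DPA and have a usable href."""
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    return [
        (text, href) for text, href in parser.links
        if (DPA_PATTERN.search(text) or DPA_PATTERN.search(href))
        and not PLACEHOLDER_HREF.match(href)
    ]

# Constructed sample footer: one placeholder DPA link and one real one.
SAMPLE = (
    '<footer><a href="/privacy">Privacy policy</a> <a href="#">DPA</a> '
    '<a href="/legal/dpa.pdf">Data Processing\n Agreement</a></footer>'
)

if __name__ == "__main__":
    for text, href in find_dpa_links(SAMPLE):
        print(f"{text!r} -> {href}")
```

This only confirms that a link is present; open the target to confirm it is the actual agreement.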
