client data agreements: templates and what to include
most solopreneurs and freelancers handling client data work without a clear data agreement. they sign a master services agreement, accept the project scope, and start working with whatever access the client provides: a Drive folder, a database export, a Stripe API key. the question of “what am I allowed to do with this data, what happens if it leaks, and who is liable” rarely surfaces until a problem occurs. then the absence of an agreement is the problem.
GDPR Article 28 makes data processing agreements (DPAs) mandatory between a controller (your client) and a processor (you, when handling personal data on their behalf). CCPA, PDPA, and most modern privacy regimes impose similar requirements. without a DPA, both you and your client are technically out of compliance; with one, your liability is bounded and your client is protected.
this guide covers what a client data agreement should include, the GDPR Article 28 mandatory clauses, the negotiation points solopreneurs should push back on, and practical templates for common solopreneur scenarios: SaaS development contractor, marketing analytics consultant, accounting bookkeeper, and freelance designer with access to customer data. it is informational, not legal advice. but it walks you from “we don’t have anything in writing” to “we have a defensible DPA in place” in one afternoon.
when you need a DPA
| scenario | DPA needed? |
|---|---|
| building a website that handles customer data | yes |
| running ads that touch customer email lists | yes |
| analyzing customer database | yes |
| writing blog posts with no customer data access | no |
| accessing only anonymized aggregates | gray (depends on anonymization) |
| handling employee data for client | yes |
| handling client’s own admin data only | no |
| processing payments via shared Stripe access | yes |
if you ever touch personal data of your client’s customers, employees, or other data subjects, you need a DPA.
a data processing agreement (DPA) is a contract between a data controller (the client who decides why and how data is processed) and a data processor (the freelancer or agency processing on their behalf). GDPR Article 28 makes it mandatory for any processing of personal data covered by GDPR. the agreement must include specific clauses on processing scope, security, sub-processor authorization, breach notification, audit rights, and data return/deletion at contract end. the standard solopreneur DPA fits on 4-6 pages, takes 2-3 hours to draft from a template, and reduces both regulatory and contractual liability substantially.
the GDPR article 28 mandatory clauses
Article 28(3) lists the minimum content of a DPA:
| clause | requirement |
|---|---|
| subject matter | what data is processed |
| duration | how long the processing continues |
| nature and purpose | why the data is processed |
| type of personal data | categories (email, name, financial, etc.) |
| categories of data subjects | customers, employees, etc. |
| obligations and rights of controller | what the client retains |
| processor’s instructions | follow controller’s instructions only |
| confidentiality | personnel handling data are bound to confidentiality |
| security | Article 32 measures |
| sub-processor authorization | written authorization required |
| data subject rights assistance | help controller respond to requests |
| breach notification | promptly notify controller |
| audit and inspection | controller can audit |
| return or deletion | at end of processing |
| compliance documentation | provide on request |
a working DPA covers all 15 clauses on 4-6 pages.
the structure of a solopreneur DPA
| section | content |
|---|---|
| 1. definitions | controller, processor, personal data, processing |
| 2. subject matter and duration | matches the underlying contract |
| 3. nature, purpose, and types of data | annex 1 lists details |
| 4. obligations of processor | confidentiality, security, instructions |
| 5. sub-processors | annex 2 lists current sub-processors |
| 6. data subject rights | processor assists controller |
| 7. security measures | annex 3 details Article 32 measures |
| 8. breach notification | within 24-48 hours of awareness |
| 9. audit rights | reasonable annual audit on notice |
| 10. return or deletion at end | within 30 days |
| 11. liability | mutually capped at fees paid (negotiable) |
| 12. governing law | aligned with master agreement |
| annex 1 | data details |
| annex 2 | sub-processor list |
| annex 3 | technical measures |
reuse the template across projects with annexes customized per engagement.
practical clauses (key language)
these are the clauses solopreneurs should pay closest attention to.
scope of processing
the processor shall process personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country, unless required by EU or member state law.
translation: do not invent uses for the data the client did not authorize.
sub-processor authorization
the processor shall not engage any sub-processor without prior specific or general written authorization from the controller. in case of general written authorization, the processor shall inform the controller of any intended changes concerning the addition or replacement of sub-processors, giving the controller the opportunity to object.
translation: tell the client before you add Stripe, Google Workspace, or any new vendor that touches their data.
security measures (article 32)
the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including: pseudonymisation and encryption of personal data; the ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems; the ability to restore availability and access after an incident; and regular testing and evaluation of the effectiveness of those measures.
translation: have a real security stack (covered in our data security basics for solopreneurs 2026 guide).
breach notification
the processor shall notify the controller without undue delay and in any event within 24 hours of becoming aware of a personal data breach, providing all information reasonably necessary to enable the controller to comply with its obligations under Article 33 GDPR.
translation: 24 hours is solopreneur-friendly. some clients will push for “immediately” or “within 4 hours.” negotiate.
audit rights
the controller may conduct, at its own cost, audits of the processor’s compliance with this DPA on reasonable advance notice (no less than 30 days) and during business hours, no more than once per year.
translation: bound the audit. unlimited audit rights are a non-starter for solopreneurs.
return or deletion
upon termination of the processing services, the processor shall, at the choice of the controller, delete or return all personal data within 30 days. the processor shall delete existing copies unless EU or member state law requires storage.
translation: clarify what happens to backups. usually “secure deletion within reasonable time considering backup rotation cycles.”
liability cap
the aggregate liability of the processor under this DPA shall not exceed the fees paid by the controller to the processor in the 12 months preceding the event giving rise to the claim.
translation: this is the most important commercial clause. solopreneurs cannot accept uncapped liability for a $5,000 project. push for a cap tied to fees.
the negotiation table
| clause | client default | solopreneur ask | reasonable middle |
|---|---|---|---|
| breach notification | “immediately” | 72 hours | 24-48 hours |
| audit frequency | “any time on demand” | once a year, 30 days notice | once a year, 30 days notice |
| sub-processor approval | each must be approved individually | general approval with notification | written list, notification of changes |
| liability cap | uncapped | 1x annual fees | 1-3x annual fees |
| data return timing | immediately | 30 days | 30 days |
| insurance requirements | $5M cyber liability | none | $1M cyber liability if available |
| jurisdiction | client’s choice | mutual or solopreneur’s | client’s home jurisdiction is common |
push back politely but firmly. a reasonable client accepts reasonable solopreneur protections.
working templates by scenario
scenario 1: SaaS development contractor
processing scope: customer database, user accounts, support tickets.
key clauses: full Article 28 DPA, sub-processor list (Vercel, Supabase, etc.), 24-hour breach notification, encrypted laptop required, deletion within 30 days of contract end.
scenario 2: marketing analytics consultant
processing scope: GA4 data, customer email list for segmentation, ad platform access.
key clauses: full DPA, no copying customer email list off client systems, time-bounded API access, deletion of any local copies within 14 days of project end.
scenario 3: accounting bookkeeper
processing scope: financial records, employee payroll, invoice details.
key clauses: full DPA, encrypted communication only, multi-factor authentication on accounting tools, retention aligned with tax law (7 years typical), liability cap negotiable but commonly 1x annual fees.
scenario 4: freelance designer with customer data access
processing scope: usually limited (no real PII access), but if user research is involved, full PII for participants.
key clauses: scope-limited DPA, often “no PII access” written explicitly. when PII is involved (interview recordings, survey responses), full DPA with deletion at project end.
comparing solopreneur DPA approaches
| approach | when to use | effort |
|---|---|---|
| client’s DPA template | if reasonable terms | 1 hour review |
| your own DPA template | if client has none | 2-3 hours customize |
| EU SCC + Article 28 module | for international transfers | 2-3 hours |
| commercial template (LegalNature, Termly) | budget-friendly starter | 1-2 hours |
| lawyer-drafted | high-stakes or recurring use | $1500-5000 one time |
most solopreneurs benefit from one well-drafted template they reuse across clients. annual legal review keeps it current.
our GDPR for solopreneurs guide covers the broader regulatory framework, our data security basics for solopreneurs 2026 guide covers the security measures the DPA references, and our customer data ethics framework covers the values layer that goes beyond contract.
frequently asked questions
what if the client refuses to sign a DPA?
walk away. processing personal data without a DPA when GDPR applies is a regulatory violation for both parties. a client unwilling to sign a basic DPA is a client signaling future compliance friction.
can the DPA be part of the master services agreement?
yes, frequently. a “Data Processing Annex” attached to the MSA is common.
what if the client offers their own template?
read it carefully. push back on uncapped liability, unlimited audit rights, “immediate” breach notification, and excessive sub-processor restrictions. these are common client overreaches.
how often should I update my template?
annually, or whenever a major regulatory change occurs (new EDPB guidance, new SCC versions, EU AI Act provisions affecting AI-related processing).
what about Standard Contractual Clauses (SCCs) for international transfers?
if data transfers leave the EU/EEA, SCCs (or another transfer mechanism like adequacy decisions or BCRs) are required under GDPR Articles 44-49. include the relevant SCC module as an annex.
do I need separate DPAs with sub-processors?
yes. Article 28(4) requires the processor to impose the same data protection obligations on sub-processors. when you use Stripe or Vercel for client work, sign their DPAs (offered in their dashboards).
conclusion: build the template this week
client data agreements are one of those topics solopreneurs procrastinate on because they feel legal and intimidating. they are neither. a working DPA is 4-6 pages, follows a standard structure, and is the cheapest contractual protection you can put in place.
block 2-3 hours this week. start from a reputable template (the EU’s official Article 28 template, IAPP’s template, or one your lawyer can validate). customize for your typical engagements. write the three annexes (data scope, sub-processors, security measures). save it. use it on every personal-data-touching engagement going forward.
then schedule annual review. the regulatory landscape moves; your template should move with it.
for connected work, our GDPR for solopreneurs guide covers when GDPR applies and how to comply broadly, our data security basics for solopreneurs 2026 guide covers the security measures the DPA references in Article 32 terms, and our customer data ethics framework guide extends the contract layer with values commitments.
disclaimer: this guide is informational, not legal advice. consult qualified counsel for specific application of GDPR (Regulation EU 2016/679) Article 28, CCPA/CPRA, PDPA, or other data agreement requirements to your business. regulatory references reflect frameworks in force as of 2026.