
Auftragsverarbeitungsvertrag (AVV)

Reviewed by: Cenedril Editorial

A data processing agreement (DPA) — in German: Auftragsverarbeitungsvertrag (AVV) — is a contract required by GDPR Art. 28 that governs the processing of personal data by a data processor. It is legally mandatory whenever you have a service provider process personal data on your behalf — for example, cloud hosting, payroll processing, or email services.

In an ISMS context, the DPA is relevant to ISO 27001 Annex A controls A.5.19–A.5.22 (Supplier Relationships). The agreement must cover the subject matter and duration of processing, types of data, categories of data subjects, technical and organizational measures (TOMs), and sub-processors. Review DPAs regularly to confirm they are still current, especially when providers change sub-processors or transfer data to third countries.