When a vendor sends over a data processing agreement (DPA), the situation is familiar: the document is drafted to suit the vendor's interests, the timeline is tight, and a careful review still cannot be skipped. Since Switzerland's revised Data Protection Act (revDSG) came into force, this applies not only to organisations subject to GDPR but also to Swiss companies that have personal data processed by external service providers. This guide covers what matters in a DPA review and how AI-assisted tools can bring structure to the process.
What a DPA covers and when one is required
A data processing agreement - known in German as an Auftragsverarbeitungsvertrag (AVV) - is a contract between a controller and a processor. It defines the conditions under which the processor may handle personal data on behalf of the controller.
The legal basis in the EU is Art. 28 GDPR. Under Swiss law, Art. 9 revDSG similarly requires a contractual arrangement when a processor handles personal data on the controller's behalf. The requirements are comparable in substance but not identical.
A DPA is required as soon as external service providers gain access to personal data - for example through SaaS tools, cloud infrastructure, CRM systems, analytics platforms, or IT integration projects. Missing or inadequate DPAs create significant liability exposure in the event of supervisory audits or data incidents.
The critical clauses in a DPA review
Not every DPA a vendor presents will adequately protect the controller. A standard vendor DPA is written primarily to suit the processor's interests. The following areas require active scrutiny during any review.
Purpose and scope of processing
The DPA must clearly define the processing purpose, data categories, categories of data subjects, and duration. Vague formulations such as "data necessary for contract performance" are problematic because they provide no meaningful boundary.
Technical and organisational measures
The TOM annex is one of the most common weak points. It may be missing entirely, out of date, or filled with generic statements that lack operational substance. Concrete requirements - access controls, encryption, incident response processes, deletion concepts - must be demonstrably present.
Sub-processors and sub-processor lists
The processor is generally only permitted to engage third parties with the controller's approval. Blanket approval clauses ("the processor may engage sub-processors") and incomplete or outdated lists are typical problem areas. With international providers - particularly US-based ones - the question of third-country transfers arises alongside this.
Third-country transfers
Where data is processed outside the EU/EEA, appropriate safeguards must be in place - typically Standard Contractual Clauses (SCCs) combined with a Transfer Impact Assessment (TIA). Where these are absent or outdated, a clear risk exists.
Data subject rights and notification obligations
The DPA must establish how the processor supports the controller in fulfilling data subject rights: access, erasure, rectification. In practice, these clauses are often incomplete or place the burden disproportionately on the controller.
Liability, audit rights, and deletion
Liability clauses in DPAs are frequently drafted in the processor's favour. Audit rights are often reduced to questionnaire-based checks, even though a genuine right to audit should be contractually anchored. After contract termination, the processor must either return or demonstrably delete the data.
What a structured review process looks like
A workable DPA review follows a clear sequence.
First, all relevant documents are assembled: the DPA draft, the main contract, the TOM annex, the sub-processor list, and a description of the tool or service. Without these documents, a complete review is not possible.
Then comes role classification: is this genuinely a commissioned processing relationship, or does it constitute joint controllership? The distinction has significant legal consequences.
The substantive review of the clauses listed above follows. Each gap or deviation from requirements is documented, prioritised, and paired with a recommendation: accept, negotiate, or reject.
How AI changes the DPA review
Reviewing a DPA manually is time-consuming. With international vendors, the package often runs to 20 to 40 pages of contract text, a TOM annex, and a sub-processor list - before any real analysis begins.
AI-assisted tools can accelerate this by automatically identifying clauses, comparing them against a defined standard, and surfacing gaps in a structured way. That does not change the legal responsibility of the reviewer - but it shifts the effort away from reading towards judgment.
CASUS, a Swiss legal AI platform for law firms and in-house legal teams, offers several modules designed to work together for exactly this purpose.
Benchmark: checking a DPA against a standard
The Benchmark module lets users check a DPA automatically against a defined standard - an internal playbook, for example, or established best practices for data processing agreements. CASUS shows which standard clauses are missing, which are incomplete, and where deviations exist. The result is a structured overview with a match percentage and specific recommendations per gap. Missing clauses can be inserted directly into the document, correctly formatted and placed in the right location.
Risk & Quality Review: prioritising risks
The Risk & Quality Review analyses the DPA from the contracting party's perspective and prioritises findings by severity: low, medium, or high. That is particularly useful when not every gap deserves equal weight - a deletion clause without operational evidence is high-criticality, while a slightly incomplete definition clause may sit at medium priority. Improvement suggestions come as concrete drafting options that can be applied directly in Word.
AI Chat: targeted questions about the document
Through AI Chat, specific questions can be asked: Which sub-processors are approved under the DPA? How are audit rights worded? Is there a deletion deadline after contract termination? Answers are linked to the relevant passages, so users can jump directly to the source text.
Legal Research: placing clauses in legal context
The Legal Research module supports the assessment of clauses based on statutes and case law - source-based, structured, and traceable. Anyone checking whether a particular TOM formulation meets revDSG requirements, for example, can get a structured first assessment that feeds directly into the review.
What this means in practice
For legal teams in Swiss companies, the practical takeaway is this: DPA reviews can be structured more efficiently with AI support, without transferring legal responsibility. The efficiency gain is most tangible in recurring tasks - reviewing new SaaS tools before go-live, vendor onboarding, updates to existing agreements. A standardised AI-assisted workflow brings consistency and saves time.
Law firms advising clients on technology adoption benefit similarly: structured outputs instead of ad-hoc reviews, clear negotiation priorities, and drafting suggestions that are ready to use.
One aspect worth noting: CASUS hosts all data in Switzerland or the EU, does not transfer data to the US, and operates with zero data retention and no human review. When reviewing DPAs - documents that are themselves about data security - that is a relevant consideration.
Getting started with CASUS
Legal teams that regularly review data processing agreements can use CASUS in the browser or as a Microsoft Word add-in. The platform is built specifically for Swiss law firms and in-house legal teams. A free trial with no upfront commitment is available at app.getcasus.com/signup.
FAQ
What is a data processing agreement (DPA)?
A data processing agreement (DPA) - referred to in German as an Auftragsverarbeitungsvertrag (AVV) - is a contract between a controller and a processor. It defines how the processor may handle personal data on the controller's behalf, which technical and organisational measures apply, and what rights and obligations each party holds.
When is a DPA required under the revDSG?
Under Art. 9 revDSG, a DPA is required when a processor handles personal data on behalf of a controller. This applies to external service providers such as SaaS vendors, cloud platforms, CRM systems, or IT service providers that gain access to personal data.
What needs to be checked in a DPA review?
A thorough DPA review should cover: the purpose and scope of processing, technical and organisational measures (TOM annex), the sub-processor list and approval mechanism, third-country transfer safeguards (SCCs, TIA), data subject rights obligations, the controller's audit rights, and deletion or return obligations after contract termination.
What is the difference between commissioned processing and joint controllership?
In commissioned processing, the service provider acts exclusively on the controller's instructions, with no independent discretion over the purpose and means of processing. In joint controllership, two or more parties jointly determine purpose and means - which requires a different contractual arrangement. Role classification is therefore the first step in any DPA review.
Is a vendor's standard DPA sufficient?
A vendor's standard DPA primarily protects the processor's interests. It may be acceptable, but it needs active review. Missing clauses, blanket sub-processor approval provisions, and inadequate TOM annexes are typical weak points that require negotiation or supplementation.
How can AI help with reviewing a data processing agreement?
AI tools such as CASUS can automatically compare a DPA against a defined standard, display gaps and deviations in a structured format, prioritise risks by severity, and provide concrete drafting suggestions. This significantly speeds up the review. Legal judgment and decision-making authority remain with the reviewing lawyer.
Is CASUS suitable for reviewing confidential contract documents?
CASUS hosts all data in Switzerland or the EU, does not transfer data to the US, and operates with zero data retention and no human review. Contract documents are not stored and are not accessed by third parties.
What happens if a DPA is missing or inadequate?
A missing or substantively deficient DPA is a breach of Art. 28 GDPR or Art. 9 revDSG respectively. In the event of a data incident or regulatory inquiry, this creates liability exposure, potential fines, and reputational risk. The controller is also liable for damages arising from non-compliant commissioned processing.