Processor Contracts
Description
Processing by a processor must be governed by a contract binding the processor to the controller, with specific minimum terms.
⚠️ Risk Impact
A sub-processor's data-handling failures fall on the controller. Without Article 28 contract terms, the controller has no contractual remedy against the processor and carries the liability alone.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
Maintain an inventory of DPAs (Data Processing Agreements). Use a standard DPA template aligned with Article 28(3). Collect a signed DPA from each processor before sharing personal data with it. Require flow-through of the same terms to any sub-processors the processor engages.
💀 Real-World Attack Scenario
A SaaS company used a sub-processor (an analytics vendor) without a DPA. The vendor suffered a breach that exposed customer data. The SaaS company carried full GDPR liability for the vendor's breach and had no contractual remedy. Fine: €2.4M, and the civil suit against the vendor failed.
💰 Cost of Non-Compliance
Article 28 violations: €1M-€5M.
📋 Audit Questions
1. Is there a DPA inventory?
2. Is a standard template aligned with Article 28(3) in use?
3. Are the DPA terms flowed through to sub-processors?
4. Do the DPAs include audit rights?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ Sharing data with sub-processors via informal agreements
- ⛔ DPA missing audit rights
- ⛔ Sub-processor (4th-party) flow-through not addressed
📈 Business Value
Strong DPA management transfers vendor-breach liability to the vendor and ensures contractual defensibility.
⏱️ Effort Estimate
Per-vendor DPA review
EchelonGraph tracks DPA freshness across vendor inventory
🔗 Cross-Framework References
Automate GDPR Art28 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.