
GDPR Contract Review Triage Agent
Reviews contracts and DPAs for GDPR-related triage issues, extracts obligations, flags missing clauses, creates risk tables, and generates legal-review checklists.
- Review vendor DPAs for missing GDPR-required clauses before signature.
- Generate lists of privacy questions for procurement to send to new vendors.
- Extract and summarize data processing obligations from master service agreements.
Included in download
- Review vendor DPAs for missing GDPR-required clauses before signature.
- Generate lists of privacy questions for procurement to send to new vendors.
- terminal, file_write, file_read automation included
- Compatible with ChatGPT Custom GPTs
Sample Output
A real example of what this skill produces.
=== GDPR CONTRACT REVIEW TRIAGE REPORT ===

Legal positioning: This is legal triage and issue spotting, not legal advice. Final contract approval requires qualified legal/privacy review.

Contract: SaaS Vendor Data Processing Agreement

Documents reviewed:
- DPA text provided by user
- No main agreement provided
- No security schedule provided
- No subprocessor list provided

Parties: Customer and SaaS vendor
Likely role structure: Controller-to-processor, based on the vendor processing customer personal data to provide SaaS services.
Processing summary: The vendor appears to process customer-provided personal data for service delivery, support, hosting, and related operational purposes.
Personal data categories: Not clearly listed.
Data subject categories: Not clearly listed.
Processing purposes: Service provision is mentioned, but the purposes are broad and should be clarified.
Processing duration: Not clearly defined beyond the term of the services.

Overall risk rating: High

Executive summary: The DPA contains basic processor language but has several gaps requiring privacy/legal review. The most important issues are missing data categories, unclear data subject categories, unclear deletion timeline, missing security schedule, no subprocessor list, and unclear international transfer mechanism.

Clause presence matrix:
- Party roles: Found, but should be confirmed.
- Subject matter: Ambiguous.
- Duration: Ambiguous.
- Nature and purpose: Ambiguous.
- Types of personal data: Missing.
- Categories of data subjects: Missing.
- Documented instructions: Found.
- Confidentiality: Found.
- Security measures: Ambiguous. No detailed TOMs attached.
- Subprocessors: Ambiguous. Subprocessors appear allowed, but list and objection process are not provided.
- Breach notification: Found, but timeline should be reviewed.
- Return/deletion: Ambiguous. Deletion timing and backup handling unclear.
- Audit and information rights: Ambiguous. Audit rights appear limited.
- International transfers: Ambiguous. Transfer mechanism not clear from provided text.

GDPR contract risk table:

| Area | Status | Risk level | Issue | Evidence | Why it matters | Recommended human review |
|---|---|---|---|---|---|---|
| Data categories | Missing | High | DPA does not clearly list types of personal data | No schedule provided | Processing scope is incomplete | Privacy/legal |
| Data subjects | Missing | High | Data subject categories not listed | No schedule provided | Required for understanding scope | Privacy/legal |
| Security measures | Ambiguous | High | TOMs are vague or missing | No security schedule | Security obligations may be insufficient | Security/privacy |
| Subprocessors | Ambiguous | High | No subprocessor list or objection process provided | DPA references subprocessors | Onward processing risk | Privacy/procurement |
| Transfers | Ambiguous | High | Transfer locations/mechanism unclear | No transfer schedule/SCCs provided | Cross-border transfer review needed | Privacy/legal |
| Deletion | Ambiguous | Medium | Deletion timeline and backups unclear | End-of-services language vague | Retention risk | Legal/privacy |

Questions for vendor:
1. Please provide the current subprocessor list, including processing locations and services performed.
2. Please identify all personal data categories and data subject categories processed under the services.
3. Please provide the technical and organizational measures/security schedule.
4. Please confirm whether personal data is transferred outside the EEA/UK and identify the applicable transfer mechanism.
5. Please clarify deletion timing, backup deletion, and whether deletion confirmation is available.
6. Please clarify breach notification timing and information included in notices.

Questions for internal legal/privacy team:
1. Is this relationship correctly classified as controller-to-processor?
2. Are the vendor's security measures sufficient for the data involved?
3. Is the liability cap acceptable for the processing risk?
4. Are the transfer terms acceptable after vendor clarification?

Suggested redline comments:
- Comment: Please add a schedule listing the categories of personal data, categories of data subjects, processing purposes, processing duration, and processing locations.
- Comment: Please provide a current subprocessor list and clarify notice and objection rights for new subprocessors.

Legal-review checklist:
- confirm role classification
- confirm processing scope
- confirm subprocessor controls
- confirm transfer mechanism
- confirm TOMs
- confirm breach timeline
- confirm deletion/return process
- confirm audit rights
- confirm liability alignment
- confirm order of precedence with main agreement

Audit-ready review record:
Reviewer: [Name]
Date: [Date]
Documents reviewed: DPA only
Review scope: GDPR contract triage
Final status: Not ready for approval. Vendor clarification and legal/privacy review required.

Final triage recommendation: Do not treat this DPA as ready for signature until the missing schedules, subprocessor information, security measures, transfer mechanism, and deletion terms are clarified and reviewed by legal/privacy counsel.

About This Skill
GDPR Contract Review Triage Agent helps EU companies, SaaS businesses, legal teams, privacy teams, compliance consultants, procurement teams, and DPO offices perform structured first-pass GDPR contract review. It analyzes contracts, DPAs, privacy addenda, vendor agreements, security schedules, subprocessor terms, SCC references, retention clauses, breach notification terms, audit rights, assistance obligations, data transfer language, and liability provisions. The skill extracts obligations, identifies missing or ambiguous clauses, creates clause presence matrices, risk tables, vendor questions, redline comment suggestions, legal-review checklists, obligation inventories, and audit-ready review records. It is framed as legal triage and issue spotting, not legal advice or final contract approval.
Use Cases
- Review vendor DPAs for missing GDPR-required clauses before signature.
- Generate lists of privacy questions for procurement to send to new vendors.
- Extract and summarize data processing obligations from master service agreements.
- Automate legal-review checklists for internal privacy teams.
- Flag risky liability caps or breach notification timelines in vendor docs.
Known Limitations
This skill supports GDPR-related contract triage and issue spotting, but it does not provide legal advice, legal opinions, final compliance determinations, regulatory conclusions, or contract approval. Contract interpretation depends on jurisdiction, governing law, full document set, negotiation context, processing facts, data categories, transfer locations, risk tolerance, and qualified legal/privacy review. International transfers, SCCs, liability, special category data, children’s data, high-risk processing, government access requests, and regulatory obligations require specialist review.
How to Install
mkdir -p ~/.claude/skills && curl -sL https://www.agensi.io/api/install/gdpr-contract-review-triage-agent | tar xz -C ~/.claude/skills/

Free skills install directly. Paid skills require purchase - use the download button above after buying.
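As an added example (not the skill's or agensi.io's own installer), the same install done in two steps: stage the archive in a temporary file and check its member list before anything is unpacked into the skills directory the agent loads from. The URL and destination are taken from the one-line command above; the check functions run offline.

```shell
#!/bin/sh
# Added example, not code from the page: instead of piping curl straight
# into tar, download to a temp file, inspect the archive, then extract.
set -eu

# Return 0 when every member of the gzipped tarball $1 is a plain relative
# path. Reject absolute paths, ".." components and symlink/hardlink members,
# any of which could place or point files outside the destination directory.
check_skill_archive() {
  archive="$1"
  if tar tzf "$archive" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
    echo "refusing $archive: member path escapes destination" >&2
    return 1
  fi
  # In verbose listings, link members start with 'l' (symlink) or 'h' (hardlink).
  if tar tvzf "$archive" | grep -Eq '^[lh]'; then
    echo "refusing $archive: contains link members" >&2
    return 1
  fi
  return 0
}

# Download, check, then extract; the temp file is removed either way.
install_skill() {
  url="$1"
  dest="${2:-$HOME/.claude/skills}"
  tmp=$(mktemp)
  curl -sSfL "$url" -o "$tmp"
  if ! check_skill_archive "$tmp"; then
    rm -f "$tmp"
    return 1
  fi
  mkdir -p "$dest"
  tar xzf "$tmp" -C "$dest"
  rm -f "$tmp"
  # List what was unpacked so SKILL.md can be read before the agent loads it.
  ls "$dest"
}

# Usage (needs network access):
# install_skill https://www.agensi.io/api/install/gdpr-contract-review-triage-agent
```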
Reviews
No reviews yet - be the first to share your experience.
Security Scanned
Passed automated security review
Permissions
File Scopes
This skill uses file access to read user-provided contracts, DPAs, privacy addenda, SCCs, security schedules, subprocessor lists, vendor questionnaires, procurement notes, clause checklists, legal playbooks, and review templates. It uses write access to create structured Markdown/text outputs such as GDPR contract triage reports, DPA gap analyses, clause presence matrices, risk tables, obligation inventories, vendor question lists, legal-review checklists, redline comment suggestions, audit-ready review records, and SKILL.md files. Browser access is optional and should only be used for official public guidance or public documentation when explicitly requested. The default safe setup does not require network access, shell access, environment variable access, or automatic email sending.
Tags
Compatible with ChatGPT Custom GPTs, ChatGPT Agents, Claude-style workflows, Cursor, Claude Code, Codex CLI, OpenCode, Replit, legal operations workflows, privacy review playbooks, contract intake processes, and other AI agent systems that support structured Markdown instruction files such as SKILL.md. It can also be used manually in any AI chat by pasting the instructions. For real contract review, use qualified legal/privacy review before relying on conclusions or signing agreements.