dpa-reviewlisted

# DPA Review ## Purpose Produce a structured, attorney-ready review of a data processing agreement (DPA) or data processing addendum. A DPA governs the relationship between a controller and a processor (or between a processor and a sub-processor) when personal data is processed on behalf of another party. This skill assesses role designation, scope and instructions, security obligations, sub-processor terms, data subject rights assistance, breach notification, audit rights, cross-border transfer mechanisms, deletion and return obligations, and the liability and indemnity interplay with the main commercial agreement. It produces draft legal work product for attorney review — not legal advice. Which privacy laws, frameworks, or regulations apply — and what they require — are attorney-verification items. This skill organizes the review; it does not assert what any law mandates. ## Use When - A user asks to "review this DPA," "redline the data processing addendum," or "flag the risks in this data processing agreement." - The organization is being asked to sign a vendor DPA or is preparing its own DPA for a customer. - A DPA has been updated by the other party and the user needs to identify what changed and whether new risks arise. - A DPA is being negotiated and the user wants a structured issue list before the next round. - An internal team (legal ops, procurement, privacy) needs a first-pass risk summary before attorney review. - Due diligence on a transaction requires ass