DPA for tools using employee's data

Camille Morin


I am using Vanta for ISO 27001 and GDPR compliance. However, when I configured the risk for a vendor with employee's data, a DPA is not asked for. Why?

Thanks for your help. 
Best regards, 


1 comment

  • Shannon, Vanta Team Member

    Hi, Camille Morin! Pardon the delay - I wanted to reach out to our support specialists and make sure to get you the best answer. 

    Vanta's system determines the need for a Data Processing Agreement (DPA) based on a vendor's specific data-processed attributes. For a DPA to be required, your domain must be enrolled in CCPA or GDPR, and the vendor must have customer data in its data-processed attributes list.

    In your case, if the vendor only has employee data and not customer data, the system might not flag a DPA as necessary. However, it's always a good practice to have a DPA with vendors handling any personal data, including employee data.

    Let me know if you need any additional information!

