
Data Processing Agreement (Auftragsverarbeitungsvertrag, AVV)

A data processing agreement (DPA), known in German as Auftragsverarbeitungsvertrag (AVV), is the contract required under the EU General Data Protection Regulation whenever one organisation processes personal data on behalf of another. The party that decides why and how data is processed is the controller; the party that processes it on instruction is the processor. The agreement sets out the subject, purpose and duration of processing, the obligations of each side, security measures and rules for engaging sub-processors. For ERP and cloud users in the DACH region it is a standard requirement when working with hosting providers, SaaS ERP vendors and other service partners that touch personal data.

Fact base · machine-readable
Last editorially reviewed: 16 June 2026

  • Term: Data Processing Agreement (Auftragsverarbeitungsvertrag, AVV)
  • Entity type: Standard / regulation
  • Domain: EU data protection and contracting
  • Canonical definition: A data processing agreement (Auftragsverarbeitungsvertrag, AVV) is a GDPR-required contract between a controller and a processor that governs how personal data is processed on the controller's behalf.
  • Classification: A DPA is a legally required contractual instrument under the GDPR that governs outsourced processing, closely tied to data protection in ERP and provider assurance.
  • Related terms: GDPR in ERP, SOC 2, NIS-2, SaaS ERP, GoBD, Audit trail
  • Source / maintainer: erp-software.org editorial team (independent, vendor-neutral)

What Data Processing Agreement (Auftragsverarbeitungsvertrag, AVV) is NOT — disambiguation

  • Not a privacy notice: A privacy notice informs individuals about processing, while a DPA is a contract between controller and processor governing how data is handled.
  • Not a technical security measure: The DPA defines responsibilities contractually but does not itself implement encryption or access controls.
  • Not a general service contract: A DPA specifically governs personal-data processing and sits alongside the commercial service agreement rather than replacing it.
  • Not a SOC 2 report: SOC 2 is an attestation of a provider's controls, whereas a DPA is the binding agreement that may reference such evidence.

Purpose and legal basis

The DPA exists to ensure that personal data remains protected even when its handling is outsourced. Under the GDPR, a controller may only use processors that provide sufficient guarantees of appropriate technical and organisational measures, and the relationship must be governed by a binding contract. The agreement makes the processor's duties enforceable and documents the chain of accountability, which supports the controller's broader obligations around data protection in ERP. Without such an agreement, transferring personal data to a service provider would lack a proper legal foundation.

Typical contents

While wording varies, a DPA generally addresses a consistent set of points:

  • The nature, purpose and duration of the processing and the categories of data and data subjects.
  • The instruction relationship, confirming the processor acts only on the controller's documented instructions.
  • Technical and organisational security measures protecting the data.
  • Rules for engaging sub-processors, including notice and equivalent obligations.
  • Support for data-subject rights, breach notification and deletion or return of data at the end of the contract.
  • Provisions for audits and demonstrating compliance.

Security commitments are frequently evidenced through certifications or attestations such as SOC 2, which give the controller assurance about the processor's controls.

Controller and processor roles

The distinction between controller and processor determines who carries which responsibility. The controller defines the purposes and decides what may be done with the data; the processor follows those instructions and may not use the data for its own purposes. In ERP scenarios, the operating business is usually the controller, while a hosting partner, cloud platform or specialist service that processes employee, customer or supplier data acts as processor. Where several parties jointly decide on purposes, joint-controller arrangements may apply instead, which require their own form of agreement.

Practical relevance for ERP and cloud

Because modern ERP increasingly runs as a hosted or cloud service, a DPA is almost always needed before personal data is entrusted to a provider. It connects to wider compliance topics including security obligations under frameworks such as NIS-2 and the documentation expectations associated with GoBD. A DPA is not the same as the controller's own privacy notice to individuals, nor a substitute for technical security measures; it is the contractual layer that defines responsibilities. Organisations should have qualified legal advice review their agreements and reflect their own corporate details, for example as set out in the imprint, rather than relying on generic templates alone.

Related Topics

  • GDPR in ERP
  • SaaS ERP
  • SOC 2

Sources

This term definition is based on research from the following source types:

  • Standard textbooks on business informatics and ERP literature (Hansen/Mendling, Becker, Mertens)
  • Vendor documentation of leading ERP providers (SAP, Microsoft, Oracle, Sage, Infor)
  • Industry studies from Gartner, Forrester and IDC plus user studies focused on Germany, Switzerland and Austria (annual)
  • Consulting experience from 100+ implementation projects in the mid-market in Germany, Switzerland and Austria

Frequently Asked Questions

Can we use the vendor's standard DPA?

For most mid-market situations, yes — major cloud ERP vendors publish well-structured DPAs covering the standard requirements. Specific situations may need supplementary terms (regulated industries, specific geographic requirements, large enterprise leverage). Negotiating materially modified DPAs is generally feasible only at enterprise scale.

What if the vendor uses sub-processors in the US?

This is manageable under the EU-US Data Privacy Framework (in force since July 2023), which replaced the invalidated Privacy Shield. Major US cloud vendors maintain DPF self-certifications. Customers should verify the DPF certification, the specific sub-processors involved and any geographic restrictions available through configuration (e.g., EU-only data residency for SAP S/4HANA Cloud).

How often does the DPA need updating?

Vendors update DPAs periodically (annually or when regulatory changes happen). Customers receive notifications and updated text. Active maintenance includes reviewing changes, assessing impact, and propagating new terms into the internal DPA register. Some changes (significant sub-processor additions, geographic-scope changes) may require formal customer acceptance.
