Sample report
A real Data Processing Agreement, anonymised. Every name, address, and identifying detail has been replaced. The findings below are the authentic output of the current ReasonQA pipeline against the original document.
Data Processing Agreement (anonymised sample)
Structural analysis · analysed 5/14/2026, 10:01:29 PM
Critical issues found
3 critical · 3 high · 4 medium · 1 low
One or more critical structural defects detected after dialectical calibration — typically incomplete fields, undefined operative terms, missing cross-references, or uncapped exposure.
Summary
This is a Data Processing Agreement between Calder Genomics, Inc. (as controller) and Brightpath Data, LLC (as processor) covering the processing of patient genomic data, health data, and employee personal data across multiple jurisdictions. The agreement is structurally comprehensive, incorporating Standard Contractual Clauses, the UK Addendum, and Swiss FADP provisions, with detailed technical and organisational measures in Appendix III. However, it is not fit for execution in its current form due to several significant deficiencies.
Three issues warrant immediate attention. First, the indemnity in Section 11 is uncapped, payable on demand, and expressly disapplies the Services Agreement's liability limitations — creating potentially unlimited financial exposure for SUPPLIER from a single data breach. Second, Section 8.3 requires CLIENT's prior written approval before SUPPLIER can make any breach communication, including mandatory regulatory notifications, which could force SUPPLIER into regulatory non-compliance if CLIENT delays. Third, the DPA is being executed before the underlying Services Agreement exists, meaning the scope of processing, instructions, and commercial terms that the DPA depends on are undefined.
Four further issues are significant and should be resolved: the exclusive jurisdiction clause naming a single US state conflicts with mandatory jurisdiction provisions in the SCCs and UK Addendum, potentially invalidating the international transfer mechanisms; the SUPPLIER sub-processor list in Appendix II is blank, making any current sub-contractor engagement technically unauthorised; CLIENT holds a subjective immediate termination right with no cure period while SUPPLIER has no equivalent exit mechanism; and the breach notification deadlines conflict between Section 8 (72 hours) and Appendix III (24 hours). Three additional findings — the employee sensitive data classification gap in Appendix 1, the 'best efforts' drafting ambiguity, and the placeholder fields requiring completion — are worth addressing but do not undermine the agreement's core operation.
Risk Register
Completeness (4)
Connected clauses
Background: The Master Services Agreement being negotiated will be entered into between CLIENT and SUPPLIER
↕ DEPENDS ON
1 (Agreement Date): the date on which the parties entered into the Services Agreement
↕ DEPENDS ON
2 (Term): continues in force until... the termination or expiry of the Services Agreement
What this means
The Background recital states that the Master Services Agreement 'is being negotiated' and 'will be entered into.' The DPA repeatedly cross-references the Services Agreement for the scope of services, processing instructions, and dispute resolution. If the Services Agreement is never finalised, or is finalised on materially different terms, the DPA's operative provisions may be incomplete or unenforceable.
The other side's position
A defender would argue that this is a common sequencing issue in commercial negotiations and that the Agreement Date definition accommodates this by providing three alternative triggers, including the date the Services Agreement is entered into. The DPA can sit dormant until the Services Agreement is executed. This argument has some merit for the timing question, but it does not address the substantive problem: SUPPLIER is being asked to accept binding obligations — including an uncapped indemnity — whose scope is determined by a document that does not yet exist and whose terms are unknown.
If left unaddressed
DPA is signed before the Services Agreement is finalised -> Services Agreement negotiations break down or result in different terms -> DPA cross-references to Services Agreement for processing scope and instructions cannot be fulfilled -> SUPPLIER processes data without clear written instructions -> SUPPLIER is in breach of Section 4.2.3 -> CLIENT terminates immediately and claims under the uncapped indemnity.
Suggested action
Execute the DPA and Services Agreement simultaneously. Alternatively, include self-contained interim processing instructions in the DPA that apply until the Services Agreement is executed, and add a longstop date after which the DPA lapses if the Services Agreement has not been signed.
Balance (3)
What this means
Section 11 requires SUPPLIER to indemnify CLIENT on demand for all Data Protection Losses — a broadly defined category covering direct and indirect costs, regulatory fines, penalties, data subject compensation, and remediation costs. The indemnity expressly disapplies all limitations and exclusions in the Services Agreement. There is no financial cap, no time limit, no contributory fault reduction, and no carve-out for indirect or consequential losses.
The other side's position
A defender of this provision would argue that controllers legitimately need robust indemnification from processors for data breaches, particularly where the data includes patient genomic and health information. Regulatory fines can be enormous and the controller bears primary regulatory exposure. However, this argument is substantially weakened by the absence of any proportionality mechanism, the inclusion of indirect losses, the on-demand payment obligation (before adjudication of fault), and the express disapplication of the Services Agreement cap — features that go well beyond standard market practice even for sensitive data processing.
If left unaddressed
A data breach occurs involving patient genomic and health data -> CLIENT suffers regulatory fines, data subject compensation claims, and remediation costs -> CLIENT demands indemnification from SUPPLIER under Section 11 -> SUPPLIER cannot invoke any cap or exclusion from the Services Agreement -> SUPPLIER's total liability is unlimited -> a single incident could result in insolvency-level exposure for SUPPLIER.
Suggested action
Cap the indemnity at a defined multiple of annual fees paid under the Services Agreement. Consider a separate uncapped carve-out limited to losses caused by SUPPLIER's wilful misconduct or gross negligence. Remove the blanket disapplication of all Services Agreement limitations and introduce a contributory fault mechanism.
Consistency (2)
Compliance (1)
What this means
Section 8.3 requires SUPPLIER to obtain CLIENT's prior written approval before releasing any communication, notice, press release, or report concerning a Personal Data Breach. Under the GDPR (Article 33), UK GDPR, and many US state breach notification laws, processors have mandatory notification obligations to supervisory authorities within fixed timeframes. The blanket prior approval requirement could prevent SUPPLIER from meeting these obligations if CLIENT delays or withholds approval.
The other side's position
A defender would argue that the provision is designed to ensure coordinated breach response and prevent premature or inaccurate disclosures that could harm CLIENT's regulatory position or reputation. Controllers have a legitimate interest in controlling breach communications. This argument has some force for press releases and voluntary communications, but it fails entirely for mandatory regulatory notifications: SUPPLIER cannot lawfully be contractually prohibited from complying with mandatory law, and CLIENT has no obligation under Section 8.3 to respond within any specified timeframe.
If left unaddressed
A Personal Data Breach occurs -> SUPPLIER prepares a regulatory notification -> SUPPLIER seeks CLIENT's prior written approval under Section 8.3 -> CLIENT delays approval while assessing its own position -> the 72-hour GDPR notification deadline passes -> the supervisory authority investigates the late notification -> SUPPLIER faces a regulatory fine -> SUPPLIER is also liable to CLIENT under the uncapped Section 11 indemnity for any resulting Data Protection Losses.
Suggested action
Add a carve-out permitting SUPPLIER to make notifications required by applicable law without prior CLIENT approval, subject to providing simultaneous notice to CLIENT and reasonable advance notice where practicable. Retain the prior approval requirement for voluntary communications such as press releases.
Drafting (1)
Disclaimer
This report assesses structural completeness and internal consistency. A contract with no structural issues may still contain terms that are commercially unfavourable, legally unenforceable, or inappropriate for your circumstances. The absence of structural findings does not mean the contract is suitable for execution. For advice on whether to sign, consult a qualified solicitor.
ReasonQA is a structural quality check, not a contract review service. It analyses internal consistency, completeness, and structural balance — not commercial reasonableness, market-standard practice, or legal effect.