Data processing agreement for cloud backups — clauses & procurement checklist
When buying backup services, you should treat the data processing agreement for cloud backups as a core part of the risk assessment. This guide explains the DPA clauses that matter for backup providers and gives a concise procurement checklist with the proof points to request.

Why DPAs matter for backup services
Backup providers are processors that store, transmit and restore your data. A DPA codifies how they handle personal and business data, sets responsibilities (security, breach handling, subprocessors) and defines controls you can verify. For legal context, see the GDPR Article 28 on processors and general security frameworks like the NIST Cybersecurity Framework.
Key DPA clauses every buyer should check
Below are clauses that are especially relevant to backup and restore services, with the specific proof points to request during procurement.
1. Roles, scope and purpose
- Clause: Clear statement that you are the Controller and the vendor is the Processor, and the DPA covers backups, restores and support access.
- Proof points: Signed DPA with scope examples and permitted processing activities.
2. Security measures (technical & organisational)
- Clause: Specifics on encryption (in transit and at rest), key management, access controls, MFA for admin consoles, and vulnerability management.
- Proof points: Encryption standards (e.g., TLS 1.2+, AES-256), description of key custody (customer-managed keys vs provider keys), SOC 2 Type II / ISO 27001 certificate, and recent pentest summary.
3. Subprocessors and third-party storage
- Clause: Requirement to notify and obtain authorisation for new subprocessors and a current subprocessors list.
- Proof points: Current subprocessors list (storage vendors, support providers) and contractual flow-down terms.
4. International data transfers
- Clause: Mechanism for cross-border transfers (SCCs, adequacy decisions, or explicit safeguards).
- Proof points: Copy of SCC addendum or transfer mechanism documentation.
5. Data retention, deletion and portability
- Clause: Retention periods, deletion/return obligations after termination, and export/portability provisions.
- Proof points: Export process docs, timelines for deletion, and verification methods (e.g., deletion certificates).
6. Incident and breach notification
- Clause: Timeframes for notification, details to be provided, and assistance for controller obligations (investigation, communication with regulators/data subjects).
- Proof points: Incident response plan summary and SLAs for breach notification (e.g., within 72 hours).
7. Audit, monitoring and access to records
- Clause: Right to audit, frequency, and permitted scope; obligations to provide audit reports.
- Proof points: Recent audit reports (SOC 2 Type II), willingness to allow customer or auditor inspections, and sample logging output.
8. Liability, indemnity and insurance
- Clause: Limits on liability, indemnity for data breaches and proof of cyber insurance.
- Proof points: Insurance certificate (cyber liability), and clear liability carve-outs that do not unduly limit remedy for data loss.
How to read a DPA for backup services (quick guide)
Follow this practical approach to review a DPA efficiently:
- Scan the scope: confirm backups/restores and support are included.
- Map clauses to risks: encryption, access, subprocessors and breach response.
- Extract measurable commitments: notification times, deletion windows, audit frequency.
- Request proof: certificates, audit reports and sample logs — don’t accept vague statements.
What to ask a backup provider during a security review
Use these specific questions to probe capabilities and confirm the DPA matches reality.
- Do you encrypt backups in transit and at rest? Who controls the keys?
- Can we use customer-managed encryption keys (bring your own key)?
- Who are your subprocessors and where is our data stored?
- Do you maintain immutable or air-gapped copies to resist ransomware?
- What is your incident response process and breach notification SLA?
- Can we review SOC 2 Type II / ISO 27001 reports and recent pentest summaries?
SLA checklist when buying a backup service
An SLA should be precise about availability and restore performance. Check these items:
- Uptime guarantee for backup control plane (e.g., 99.9%) and associated credits.
- Recovery Time Objective (RTO) targets for different data classes.
- Recovery Point Objective (RPO) options and achievable retention windows.
- Restore throughput guarantees and test restore schedules.
- Support response and escalation times for restore-critical incidents.
- Change management windows and notification obligations.
Audit logs for backup and restore activities — what to require
Logs are vital evidence of who accessed or changed backups. Ask for:
- Immutable audit logs capturing: backup creation, deletion, restoration, access by support staff and API key usage.
- Log retention policy (minimum 90 days, preferably 1 year depending on compliance needs).
- Time-synchronised timestamps and exportable logs in standard formats (JSON/CSV) for independent review.
- Proof points: sample (redacted) logs, log integrity controls (hashing), and log access controls.
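As an added illustration of the log-integrity and export requirements above (example code written for this guide, not a provider's tooling): a small Python verifier for a hash-chained JSON Lines audit export, the kind of independent check a buyer can run over the sample logs a vendor supplies. The field names (ts, actor, action, object, prev_hash, hash), the action vocabulary and the all-zero genesis prev_hash are assumptions made for the example; a real provider's schema will differ, but the checks to adapt are the same: every entry must commit to the previous one, every recorded hash must match a recomputation of its entry, and timestamps must not run backwards. The sample export is constructed here, not taken from any real service.

```python
"""Verify a hash-chained backup audit log export (JSON Lines, one entry per line)."""
import hashlib
import json
from collections import Counter
from datetime import datetime

GENESIS = "0" * 64  # assumed convention: first entry links to an all-zero hash
REQUIRED = {"ts", "actor", "action", "object", "prev_hash", "hash"}  # assumed schema
SENSITIVE = {"backup.delete", "support.access"}  # actions worth a manual review


def canonical(entry: dict) -> bytes:
    """Canonical serialisation (sorted keys, no whitespace) so hashes are reproducible."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(entry: dict) -> str:
    return hashlib.sha256(canonical(entry)).hexdigest()


def build_chain(events: list[dict]) -> str:
    """Link events into a chain: each entry records the previous entry's hash, then its own."""
    prev, lines = GENESIS, []
    for ev in events:
        entry = dict(ev, prev_hash=prev)
        entry["hash"] = entry_hash(entry)
        prev = entry["hash"]
        lines.append(json.dumps(entry, sort_keys=True))
    return "\n".join(lines) + "\n"


def verify_export(text: str) -> dict:
    """Check chain linkage, per-entry hashes, required fields and timestamp ordering.

    Returns ok flag, (line_index, reason) errors, a Counter of actions and the
    entries an auditor should look at by hand (deletions, support access).
    """
    errors, actions, sensitive = [], Counter(), []
    prev_hash, prev_ts = GENESIS, None
    for i, line in enumerate(l for l in text.splitlines() if l.strip()):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            errors.append((i, "unparseable line"))
            continue
        missing = REQUIRED - entry.keys()
        if missing:
            errors.append((i, f"missing fields {sorted(missing)}"))
            continue
        if entry["prev_hash"] != prev_hash:
            errors.append((i, "chain break: prev_hash does not match previous entry"))
        if entry_hash(entry) != entry["hash"]:
            errors.append((i, "hash mismatch: entry content changed after it was logged"))
        try:
            ts = datetime.fromisoformat(entry["ts"].replace("Z", "+00:00"))
            if ts.tzinfo is None:
                errors.append((i, "timestamp lacks a timezone"))
            elif prev_ts is not None and ts < prev_ts:
                errors.append((i, "timestamp goes backwards"))
            prev_ts = ts if ts.tzinfo else prev_ts
        except ValueError:
            errors.append((i, "timestamp is not ISO 8601"))
        prev_hash = entry["hash"]  # follow the recorded hash so one edit yields one error
        actions[entry["action"]] += 1
        if entry["action"] in SENSITIVE:
            sensitive.append((entry["ts"], entry["actor"], entry["object"]))
    return {"ok": not errors, "errors": errors, "actions": actions, "sensitive": sensitive}


def tamper(text: str, index: int, field: str, value: str) -> str:
    """Rewrite one field of one entry without updating its hash (a silent edit)."""
    lines = text.splitlines()
    entry = json.loads(lines[index])
    entry[field] = value
    lines[index] = json.dumps(entry, sort_keys=True)
    return "\n".join(lines) + "\n"


# Constructed sample export: actors, objects and ticket id are invented for the example.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T02:00:00Z", "actor": "svc-scheduler", "action": "backup.create", "object": "vol-finance-01/snap-0301"},
    {"ts": "2024-03-01T02:05:12Z", "actor": "apikey:ci-deploy", "action": "apikey.use", "object": "GET /v1/backups"},
    {"ts": "2024-03-02T09:14:03Z", "actor": "support:j.doe", "action": "support.access", "object": "tenant-4711", "ticket": "CASE-0042"},
    {"ts": "2024-03-02T09:20:45Z", "actor": "admin@example.com", "action": "backup.restore", "object": "vol-finance-01/snap-0301"},
    {"ts": "2024-03-03T00:00:01Z", "actor": "svc-retention", "action": "backup.delete", "object": "vol-finance-01/snap-0201"},
]
SAMPLE_EXPORT = build_chain(SAMPLE_EVENTS)

if __name__ == "__main__":
    report = verify_export(SAMPLE_EXPORT)
    print("intact export ok:", report["ok"], dict(report["actions"]))
    for row in report["sensitive"]:
        print("  review:", row)
    # A deletion relabelled as a creation is caught by the per-entry hash.
    print("edited:", verify_export(tamper(SAMPLE_EXPORT, 4, "action", "backup.create"))["errors"])
    # A removed line is caught by the chain link of the entry that followed it.
    kept = SAMPLE_EXPORT.splitlines()
    del kept[2]
    print("dropped:", verify_export("\n".join(kept) + "\n")["errors"])
```

Run against a real export, the verifier is only as strong as the provider's commitment to the chain: ask in the DPA how the chain head (the latest hash) is anchored outside the logging system, for example by periodic publication or write-once storage, since an operator who controls both the log and its hashes can rebuild the whole chain consistently.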
Sample procurement checklist (summary you can use)
Request the following documents and confirmations during procurement:
- Signed DPA with explicit backup/restore scope.
- Subprocessor list and data location map.
- SOC 2 Type II or ISO 27001 certificate and last audit report summary.
- Pentest summary and remediation history.
- Sample audit logs and description of retention/integrity controls.
- Incident response plan and breach notification SLA.
- SLA showing RTO/RPO, availability, and restore testing schedule.
- Evidence of cyber insurance and liability terms in the DPA.
Next steps and internal links
Use this guide together with operational testing. Schedule a restore test and request live log exports before final sign-off. For related reading on choosing the right service, see our pages on Backup for Small Business and Backup for Individuals. You can also review AgooCloud’s own Data Processing Agreement (DPA) for a model DPA.
Conclusion
Reviewing the data processing agreement for cloud backups with a procurement checklist and concrete proof requests reduces risk and speeds vendor selection. Insist on measurable commitments, audit evidence and test restores — then document the results. If you need help reviewing a vendor DPA or running restore tests, contact AgooCloud for support.
FAQs
What is a data processing agreement for cloud backups?
A data processing agreement for cloud backups is a contract between the data controller (you) and the backup provider (processor) that defines how backup data is processed, protected, transferred and deleted.
How do I read a DPA for backup services?
Focus on scope, security measures, subprocessors, breach notification, audit rights, retention/deletion and liability. Extract measurable SLAs and ask for certificates and sample logs to verify claims.
What should I ask a backup provider during a security review?
Ask about encryption and key management, subprocessors, immutable backups, restore testing, pentest results, SOC 2/ISO certification and breach notification SLAs.
What belongs in an SLA checklist when buying a backup service?
Key SLA items are availability, RTO/RPO targets, restore throughput, support/response times, credits for failures, and scheduled restore testing.
Which audit logs for backup and restore activities should I require?
Require immutable, exportable logs showing backup creation, deletion, restores, admin and support access, and API actions, with a clear retention policy and integrity controls.
