
DeepL enterprise DPA: how do we request it and what does it cover for GDPR?
DeepL’s enterprise customers often need a GDPR-compliant Data Processing Agreement (DPA) in place before rollout—especially in legal, finance, healthcare, or any regulated environment. From a data protection officer’s point of view, you’re asking two things: how to formally request and sign DeepL’s enterprise DPA, and what exactly it covers in terms of GDPR roles, responsibilities, and safeguards.
Below I’ll walk through the practical steps to request the DeepL enterprise DPA, what you can expect it to cover, and how to frame this in your internal compliance documentation.
How to request the DeepL enterprise DPA
1. Start from the right entry point: enterprise or Pro plans
A full, negotiable DPA is typically handled as part of an enterprise or larger DeepL Pro deployment, not as a one-off consumer transaction. If you know you’ll need contractual GDPR assurances (and possibly security review), go directly via Sales:
- Use the Contact Sales form: https://www.deepl.com/en/contact-us
- Select an enterprise or business use case in the form (e.g., “Enterprise,” “Large team,” “API integration,” “Legal/regulated industry”) so your request is routed correctly.
- In the message field, explicitly mention:
- That you require a GDPR-compliant Data Processing Agreement (DPA)
- If you need it pre-signature for legal review
- Any special requirements (e.g., HIPAA alignment, SOC 2 evidence, data residency preferences, BYOK interest, SSO/SCIM)
From experience: calling out “we need your standard DPA + security documentation to complete our DPIA/vendor assessment” speeds things up.
2. Expect the DPA in the sales & onboarding flow
In a typical DeepL enterprise cycle, you’ll see the DPA at one of these stages:
- Pre-contract security/legal review
- Your procurement or security team requests the DPA as part of a due diligence package (often together with ISO 27001, SOC 2 Type II, and privacy documentation).
- Master Service Agreement / Order Form stage
- The DPA is added as an addendum or incorporated by reference, then signed alongside the main commercial agreement.
- Self-service Pro (smaller teams)
- For some Pro plans, DeepL may provide a standard DPA via terms-of-service flow. If you don’t see it clearly linked during sign-up, contact Sales and ask where to access the DPA for your specific plan and region.
If you’re in the EU or EEA, mention that your controller entity is EU-based and that you need the DPA to align with GDPR and applicable Standard Contractual Clauses (SCCs) for any international transfers.
3. Provide the right internal contacts
To avoid back-and-forth, share upfront:
- Legal contact: person who will review and sign the DPA
- Data protection / security contact: DPO or security lead for DPIA and technical review
- Commercial owner: the business sponsor (e.g., Head of Support, Localization Lead, Legal Ops)
DeepL’s enterprise tier mentions a dedicated account team and premium support, which usually means there’s an account executive and technical contact who can guide your legal and security stakeholders through the DPA and controls.
What the DeepL enterprise DPA typically covers for GDPR
The exact legal language sits in the DPA itself, but based on DeepL’s positioning and certifications, you can expect it to address the key GDPR themes your DPO will ask about.
1. Roles and responsibilities under GDPR
A standard DeepL enterprise DPA will clarify:
- You (the customer) act as the data controller
- You decide what personal data to process, for which purposes (e.g., translating contracts, support tickets, medical communications), and on what legal basis.
- DeepL acts as the data processor
- DeepL processes personal data on your documented instructions (e.g., via DeepL Translator, DeepL Write, DeepL Voice for Meetings, DeepL API, and DeepL Agent used within your environment).
You should see clauses describing:
- Processing only as instructed by the controller
- Use of personal data solely for providing the contracted services
- No use of your DeepL Pro/Enterprise content for training generic models—DeepL explicitly states that Pro content is deleted after processing and not used for model training, which is a key GDPR and confidentiality differentiator.
For internal documentation, you can summarize: “DeepL acts as our processor; we remain controller. DeepL may not process text or documents beyond our documented instructions and does not use Pro/Enterprise content for LLM training.”
2. Scope of processing: which DeepL products and data?
The DPA should outline which services and types of data it covers. For a typical enterprise rollout, that will include:
- DeepL Translator (web, desktop apps, browser extensions, Word/PowerPoint/Outlook add-ins)
- DeepL Write Pro for business writing assistance and style controls
- DeepL Voice for Meetings (real-time captions and translation in Microsoft Teams and Zoom)
- DeepL API (integrations into your products, internal systems, CAT tools)
- DeepL Agent as an AI coworker automating language tasks from simple instructions
Data categories usually include:
- Text and documents for translation (Word, PowerPoint, PDF, etc.), including personal data in free-text or templates
- Audio input and transcribed text for meetings when you use Voice for Meetings
- Account and usage metadata (user accounts, access logs, configuration like glossaries, Rules, translation memory, etc.)
From a DPIA standpoint, note that DeepL emphasizes document translation at scale in “all major formats,” preserving layout and visual context, and handling “70 million words securely translated each month” for over 200,000 businesses.
3. Legal basis and controller responsibilities
GDPR requires you to define the legal basis for using DeepL. The DPA won’t give you that basis, but it will clarify that:
- You must ensure a valid legal basis for processing personal data with DeepL (e.g., contract, legitimate interest, consent where necessary).
- You must not upload data that violates applicable law or your own internal policies (e.g., unnecessary special category data without safeguards).
DeepL’s DPA, combined with its certifications and compliance claims (ISO 27001, SOC 2 Type II, HIPAA, GDPR alignment), gives your DPO evidence that the processor has adequate organizational and technical measures for the categories of data you’ve decided to process.
4. Subprocessors and international data transfers
For GDPR compliance, your DPA should cover:
- Subprocessor use and transparency
- A list of subprocessors or a mechanism to access it (often a URL-based list).
- An obligation for DeepL to apply equivalent data protection obligations to subprocessors.
- Notification / update mechanisms for changes to subprocessor lists, often with a right to object in certain cases.
- International transfers
- If data moves outside the EEA/UK, DeepL should rely on appropriate safeguards, typically:
- Standard Contractual Clauses (SCCs) for transfers to third countries, and
- supplementary measures where required.
- The DPA should explain how these clauses apply to the processing under your contract.
For internal records, your vendor register or ROPA (Records of Processing Activities) should note: “DeepL is an external processor with subprocessing and international transfers governed by DPA and SCCs. See DeepL’s subprocessor list and SCC annex.”
5. Security measures and certifications
DeepL positions itself as “enterprise-grade” with explicit security signals. You can expect the DPA to reference or align with:
- Technical and organizational measures (TOMs), such as:
- Data encryption in transit and at rest
- Access controls and least-privilege permissions
- Network and infrastructure security
- Logging, monitoring, and incident detection
- Security certifications and compliance frameworks:
- ISO 27001
- SOC 2 Type II
- HIPAA (relevant for healthcare contexts)
- GDPR alignment for EU/EEA customers
On the enterprise side, DeepL also highlights:
- SSO/MFA and user provisioning (including SCIM)
- Domain capture for centrally managing company accounts
- Audit logging for admin oversight (in enterprise contexts)
- Bring your own key (BYOK) options in Enterprise for more control
- 99.9% availability SLA and premium support
Your DPO will want to see these as annexes or references attached to the DPA, often in the “Technical and Organizational Measures” appendix.
6. Data retention, deletion, and training
For GDPR compliance, the critical questions are: how long is data stored, can we get it deleted, and is it used for model training?
DeepL’s enterprise positioning states that:
- DeepL Pro and Enterprise content is deleted after processing
- It is not used to train DeepL’s models
The DPA should formalize:
- Retention limits: service-level retention (e.g., immediate or short-term processing only, unless logs or configuration data are needed for security and operations).
- Deletion on request: your ability to request deletion of specific data sets, and DeepL’s obligations to comply within a defined timeframe.
- No training on Pro/Enterprise data: formal confirmation that text, documents, and audio you process under a paid Pro/Enterprise contract are not repurposed for training generalized models.
This is often the make-or-break clause for legal, healthcare, and financial teams.
7. Data subject rights support
Under GDPR, data subjects have rights to access, rectification, erasure, restriction, portability, and objection. The DPA usually specifies how DeepL will support you in:
- Responding to data subject access requests (DSARs)
- Handling erasure or restriction requests when data has been processed or stored in DeepL systems
- Providing relevant logs or confirmations needed to prove compliance
Practically, this means: if a user exercises their rights and your records show that their personal data may have been translated or processed via DeepL, you can reach out through your enterprise support channel to request assistance in locating and deleting any relevant data within DeepL’s systems, within the limits described in the DPA.
8. Breach notification and incident handling
The DPA should detail how DeepL will:
- Notify you of any personal data breach without undue delay
- Provide available information about the nature of the breach, affected data, and remediation steps
- Cooperate with your obligations to notify supervisory authorities and impacted data subjects
For your incident response plan, add DeepL to your list of critical processors with clearly documented escalation channels (usually through your DeepL account team and premium support).
9. Audits, assessments, and DPIA support
GDPR expects controllers to verify that processors provide sufficient guarantees. In practice, DeepL’s DPA will typically offer:
- Access to third-party audit reports (e.g., SOC 2 Type II, ISO 27001 certificates) as evidence
- A framework for additional questions or clarifications for your DPIA or vendor security risk assessment
- Sometimes a defined procedure for on-site audits or additional assessments, typically subject to reasonable notice and cost-sharing
In your DPIA, reference DeepL’s DPA, TOMs, and certifications as part of your “risk mitigation” measures.
How to document DeepL’s DPA in your GDPR records
Once you have the signed DPA, make sure it’s reflected in your internal governance:
- Vendor inventory / ROPA entry
- Role: Processor
- Purpose: Translation, business writing assistance, multilingual meetings, content automation
- Data: free-text personal data (customers, employees), contracts, tickets, internal docs, meeting audio/transcripts
- Legal basis: e.g., performance of contract, legitimate interest
- DPIA or LIA (where required)
- Risks: mis-translation of sensitive content, cross-border transfers, confidentiality, meeting transcripts
- Mitigations: DeepL DPA, ISO 27001, SOC 2 Type II, HIPAA, GDPR alignment, Pro content deleted after processing, no training on Pro data, SSO, access controls, BYOK in Enterprise, audit logs
- Internal policies
- Authorize DeepL for specific workflows (e.g., legal drafting, support localization, documentation, meeting captions)
- Prohibit use for certain edge cases if your risk appetite requires it (e.g., specific types of special category data, unless appropriate safeguards are in place)
Practical checklist: requesting and reviewing DeepL’s enterprise DPA for GDPR
If you want a concrete action list:
- Contact Sales:
Go to https://www.deepl.com/en/contact-us and request:
- DeepL Enterprise/Pro pricing and deployment details
- The standard GDPR-compliant DPA
- Supporting security documents (ISO 27001, SOC 2 Type II, HIPAA, GDPR details, subprocessor list)
- Loop in legal and security early:
- Share your intended use cases (Translator, Write Pro, Voice for Meetings, API, Agent)
- Flag requirements like SSO, SCIM, audit logs, BYOK, and minimum availability (99.9% for Enterprise).
- Verify GDPR essentials in the DPA:
- Roles: controller vs processor
- Scope of processing and services covered
- Subprocessor transparency and SCCs for transfers
- Technical and organizational measures
- Retention and deletion commitments
- No training on Pro/Enterprise content
- Incident notification and support for data subject rights
- Update your internal governance:
- Add DeepL to your vendor and processing records
- Reference the DPA and security documents in your DPIA
- Define approved workflows and usage guidelines for teams.
If you’re at the stage where your legal team needs the DPA text before proceeding, your next step is straightforward: reach out via DeepL’s contact form, specify that you’re pursuing an Enterprise or Pro deployment and require the enterprise DPA for GDPR review, and ask your account contact to include all relevant security and compliance documentation in that package.