A Data Processing Agreement (DPA) is a contract required under GDPR (and similar regimes) between a data controller and a data processor, governing how personal data is processed, protected, and returned or destroyed at contract end.
What a DPA covers
Scope and purpose of processing, categories of data and data subjects, security measures, sub-processor arrangements, cross-border transfer mechanisms, breach notification, and post-termination handling. DPA content is heavily prescribed by GDPR Article 28.
The portfolio compliance angle
Every vendor that processes personal data needs a DPA. Portfolio-level tracking - which vendors have current DPAs, which are pending, which need renewal - is a specific contract-repository responsibility.