Cloud contracts are not standard IT procurement. For German companies, GDPR obligations, NIS2 supply chain requirements, DORA contract clauses for financial institutions, and sector-specific requirements from BaFin, BSI, or state ministries all apply. This article explains which contractual elements must be reviewed and shaped when using AWS for regulated workloads — from data processing agreements through data residency to exit strategies.
The AWS Contract Framework: An Overview
The AWS Customer Agreement forms the legal framework of the relationship between AWS and the customer. It is supplemented by:
- AWS Data Processing Addendum (DPA)
- Governs the processing of personal data under Article 28 GDPR. The DPA applies automatically to all customers using AWS services for GDPR-relevant processing. It contains Standard Contractual Clauses (SCCs) for third-country transfers and a list of sub-processors.
- AWS Service Level Agreements (SLAs)
- Each AWS service has its own SLA defining a monthly uptime commitment and the service credits AWS pays if it is missed. Distinguish design targets from commitments: Amazon S3 Standard is designed for 99.99% availability, but the S3 SLA commits to 99.9% monthly uptime. SLAs are publicly available and contractually binding.
- AWS Acceptable Use Policy (AUP)
- Defines prohibited uses (e.g. illegal content, attacks on third parties). Because a breach entitles AWS to suspend services, regulated organisations should confirm that none of their workloads falls under the prohibited uses.
- AWS Artifact
- Delivery platform for compliance documents: SOC reports, ISO certificates, BSI C5 attestations, PCI DSS attestations. Customers can download these for their own audits.
Data Processing Agreement: What to Review
The AWS DPA fundamentally satisfies the requirements of Article 28 GDPR. For regulated organisations, the following DPA points require particular scrutiny:
- Purpose limitation: AWS processes customer data only to deliver the contracted services. AWS states that customer content is not used to train the models behind Amazon Bedrock; some other AI services, however, may by default use content to develop and improve the service, and an AI services opt-out policy in AWS Organizations is needed to exclude it. Verify that this policy is in place rather than relying on the default.
- Sub-processor transparency: AWS maintains a public list of authorised sub-processors. Customers are notified of changes and have a right to object.
- Third-country transfers: AWS relies on SCCs and its certification under the EU-US Data Privacy Framework. Customers with strict data sovereignty requirements should restrict workloads to EU regions (e.g. eu-central-1 Frankfurt, eu-west-1 Ireland, eu-west-3 Paris). The region prefix is not a reliable indicator: eu-west-2 (London) and eu-central-2 (Zurich) are outside the EU, so an allow-list must name the permitted regions explicitly.
- Deletion obligations: AWS deletes customer data after contract termination within defined periods. Customers must implement their own data deletion processes for statutory retention periods and data subject erasure rights.
- Data breach notification: AWS notifies the customer of data breaches (not directly to authorities — that is the customer's responsibility). The 72-hour reporting obligation to the supervisory authority rests with the customer.
SLA Negotiation: What Regulated Workloads Require
AWS provides standard contracts — for regulated workloads, standard SLAs are often a starting point, not the end goal. The following table shows typical requirements and AWS responses:
| Regulatory requirement | AWS standard SLA | Recommendation for regulated workloads |
|---|---|---|
| High availability (NIS2 business continuity) | 99.9% monthly uptime for S3 Standard; 99.99% region-level and 99.5% instance-level for EC2 | Multi-Region architecture for RTO < 15 min; the public SLAs are not customer-specific, so the organisation's own availability targets must be met by architecture and documented as internal SLAs |
| Data residency (GDPR, BSI) | Region selectable, no automatic failover to other regions | Service Control Policies enforce EU regions; document in contract |
| Audit rights (NIS2, DORA, GDPR) | AWS Artifact: SOC, ISO, C5 reports | Additional evidence via AWS Security Hub and AWS Config |
| Incident reporting obligation (NIS2 24h) | AWS Security Bulletins; AWS Support (Business/Enterprise) | Subscribe to Enterprise Support; configure security notifications via AWS Health |
| Sub-processor transparency (DORA Art. 30) | Public sub-processor list; 30 days advance notice | Document sub-processor list in DPA; maintain change log |
Enforcing Data Residency Technically
Regulatory data residency requirements — from GDPR, BSI IT-Grundschutz, or sector-specific rules — can be enforced on AWS through technical controls that work independently of contractual commitments:
- AWS Organizations + Service Control Policies (SCPs): an SCP attached to the organisation root or OU denies every API call whose aws:RequestedRegion is outside the permitted EU regions. Even if an employee accidentally attempts to start a service in us-east-1, the SCP blocks the API call. Two caveats: SCPs do not apply to the management account, so regulated workloads belong in member accounts; and global services (IAM, STS, AWS Organizations, CloudFront, Route 53, Support, Billing) sign their requests with us-east-1 and must be exempted via NotAction, otherwise the policy locks out identity management itself.
- AWS Config Rules: Config rules flag every resource created in a non-permitted region. AWS Config is a regional service, so the recorder must be enabled in every region that is not disabled, with an aggregator collecting results centrally. Combined with AWS Config Conformance Packs, a complete compliance dashboard for data residency can be built; a multi-region organisation trail in CloudTrail supplies the API-level evidence (the awsRegion field of each event).
- AWS IAM condition keys: IAM policies using the condition key aws:RequestedRegion restrict resource creation to defined regions, granularly down to service level, and are the right place for narrow exceptions that should not be baked into the organisation-wide SCP.
- Data encryption with AWS KMS: customer managed keys in AWS KMS are region-specific. The key material of a single-Region key created in Frankfurt never leaves eu-central-1, and every Decrypt call on ciphertext protected by it must be executed by KMS in eu-central-1. KMS multi-Region keys replicate key material to other regions by design, so they must be excluded (for example by denying kms:ReplicateKey in the SCP) if this guarantee is to hold.
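The following is an added example, not tooling from AWS or from Storm Reply. It builds the region-restriction SCP in the pattern AWS documents (a Deny with NotAction for the global services and a StringNotEquals condition on aws:RequestedRegion), checks it against sample API calls with a deliberately small policy evaluator that models only this condition key, and scans constructed CloudTrail records for calls that landed outside the permitted regions. The allow-list of three EU regions, the list of exempted global-service actions and the sample events are assumptions made for the demonstration; the naive policy without the exemption is included to show the lock-out failure mode.

```python
"""Region restriction as code: SCP with global-service exemption, a minimal
SCP evaluator, and a CloudTrail residency scan. Added example; the evaluator
models only the aws:RequestedRegion condition (explicit Deny wins, otherwise
some Allow must match)."""
import fnmatch
import json

# Assumed allow-list: the three EU regions named in the article.
ALLOWED_REGIONS = ["eu-central-1", "eu-west-1", "eu-west-3"]

# Global services sign requests with aws:RequestedRegion = us-east-1. Without
# this exemption an EU-only SCP blocks IAM, STS, Organizations, CloudFront,
# Route 53, Support and Billing for every member account. (Assumed list.)
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "sts:*", "organizations:*", "cloudfront:*", "route53:*",
    "support:*", "budgets:*", "aws-portal:*", "account:*",
]


def build_region_scp(allowed_regions, exempt_actions=()):
    """SCP denying every non-exempt action outside allowed_regions.
    An empty exempt list yields the naive (broken) variant: Action "*"."""
    deny = {
        "Sid": "DenyOutsidePermittedRegions",
        "Effect": "Deny",
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": list(allowed_regions)}},
    }
    if exempt_actions:
        deny["NotAction"] = list(exempt_actions)
    else:
        deny["Action"] = "*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            # SCPs are filters: an Allow is still required for anything to work.
            {"Sid": "FullAWSAccess", "Effect": "Allow", "Action": "*", "Resource": "*"},
            deny,
        ],
    }


def _action_matches(patterns, action):
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _statement_matches(stmt, action, region):
    """True if the statement applies to this action in this region."""
    if "Action" in stmt and not _action_matches(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _action_matches(stmt["NotAction"], action):
        return False
    for operator, conditions in stmt.get("Condition", {}).items():
        for key, values in conditions.items():
            if key != "aws:RequestedRegion":
                raise NotImplementedError(f"condition key {key} not modelled")
            values = [values] if isinstance(values, str) else values
            if operator == "StringEquals" and region not in values:
                return False
            if operator == "StringNotEquals" and region in values:
                return False
    return True


def scp_allows(policy, action, region):
    """Simplified SCP evaluation: explicit Deny wins, otherwise an Allow must match."""
    allowed = False
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action, region):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def residency_violations(events, allowed_regions, exempt_actions=GLOBAL_SERVICE_ACTIONS):
    """(eventName, awsRegion, principal) for CloudTrail events recorded outside
    allowed_regions; global-service calls are skipped, mirroring the SCP."""
    findings = []
    for event in events:
        service = event["eventSource"].split(".")[0]  # ec2.amazonaws.com -> ec2
        action = f"{service}:{event['eventName']}"
        if event["awsRegion"] in allowed_regions or _action_matches(exempt_actions, action):
            continue
        findings.append((event["eventName"], event["awsRegion"], event["userIdentity"]["arn"]))
    return findings


# Constructed CloudTrail records for the demonstration (not real log data).
SAMPLE_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "awsRegion": "eu-central-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/admin"}},
]

SCP = build_region_scp(ALLOWED_REGIONS, GLOBAL_SERVICE_ACTIONS)
NAIVE_SCP = build_region_scp(ALLOWED_REGIONS)  # no exemption: locks out IAM

if __name__ == "__main__":
    print(json.dumps(SCP, indent=2))
    for policy, label in ((SCP, "with exemption"), (NAIVE_SCP, "naive")):
        print(label, "iam:CreateUser allowed:", scp_allows(policy, "iam:CreateUser", "us-east-1"))
    print("residency violations:", residency_violations(SAMPLE_EVENTS, ALLOWED_REGIONS))
```

Running the script prints the SCP document ready to attach with AWS Organizations, shows that the naive variant would deny iam:CreateUser while the exempted variant allows it, and lists the single CloudTrail event (the S3 bucket created in us-east-1) as a residency finding. The evaluator is intentionally minimal; use the IAM policy simulator for the authoritative answer before attaching a policy to a production OU.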
Exit Strategy: Portability and Data Return Obligations
Regulators and supervisory authorities increasingly require documented exit strategies for cloud services. DORA obliges financial entities to maintain exit strategies for ICT services supporting critical or important functions (Art. 28(8)) and makes exit provisions, including an adequate transition period, a mandatory element of the contract (Art. 30(3)). BSI IT-Grundschutz addresses the topic in building block OPS.2.2 (Cloud usage).
An exit strategy for AWS typically covers:
- Data export mechanisms
- AWS enables export of all customer data: S3 buckets via AWS DataSync, databases via AWS Database Migration Service, complete account inventories via AWS Config. For very large data volumes, AWS Snowball is available for physical data migration.
- Portability formats
- Standard data formats are the rule for AWS-managed services: PostgreSQL-compatible Aurora, S3-compatible object storage, open container standards. Proprietary formats should be avoided or encapsulated through abstraction layers.
- Transition periods in the contract
- The AWS Customer Agreement provides 90 days after contract termination for data export. Regulated organisations should contractually secure longer periods or implement automated backup processes.
- Exit plan documentation
- The exit plan must be documented, regularly tested, and kept current — not just as a contract document, but as an operational runbook with clear responsibilities and escalation paths.
Sector-Specific Contract Requirements
Beyond general GDPR requirements, certain industries face additional contractual obligations:
| Sector | Regulation | Specific contractual requirement |
|---|---|---|
| Financial services | DORA, MaRisk, BAIT | DORA Article 30 clauses, audit rights, BaFin reporting channels, sub-service register |
| Healthcare | GDPR, KHZG, SGB V | Extended DPIA, processing on German servers, social data-specific DPA clauses |
| Public administration | BSI IT-Grundschutz, EVB-IT | EVB-IT Cloud contract, BSI C5 attestation, processing in German data centres |
| Critical infrastructure | NIS2, KRITIS Regulation | NIS2 supply chain requirements, cloud provider security concept, reporting obligations |
Frequently Asked Questions About Cloud Contracts
- Is a Data Processing Agreement with AWS mandatory?
- Yes. As soon as personal data is processed on AWS, a DPA under Article 28 GDPR is mandatory. The AWS DPA is incorporated into the AWS Service Terms and applies automatically to every account; no separate signature is required, but the current version should be filed with the organisation's records of processing.
- May AWS transfer data to the United States?
- AWS may transfer data to third countries if required. AWS relies on SCCs and the EU-US Data Privacy Framework. Customers can restrict processing to EU regions via Service Control Policies.
- What audit rights do customers have against AWS?
- AWS does not permit individual on-site audits of its data centres but provides independent third-party attestation reports via AWS Artifact: SOC 1/2/3, ISO 27001, BSI C5 Type 2, PCI DSS. Article 28(3)(h) GDPR allows audits to be carried out by an auditor mandated by the controller, which is why supervisory authorities generally accept reliance on such reports, provided the customer actually reviews them and documents that review.
- What happens to my data if I terminate my AWS contract?
- The AWS Customer Agreement grants a 90-day post-termination retention period during which data can still be exported; after that, AWS may delete it. A documented exit strategy with tested data exports is mandatory for regulated organisations.
Storm Reply: Cloud Contract Advisory and Compliance
Storm Reply, an AWS Premier Consulting Partner in the DACH market, supports organisations end to end in structuring regulatory-compliant cloud contracts: DPA review, data residency enforcement, audit rights implementation via AWS Audit Manager, and documented exit strategies.
With the AWS Security Competency and more than 1,500 AWS certifications in the Reply Group, we combine deep AWS technical knowledge with thorough understanding of the German and European regulatory landscape.