Short answer: Yes. Professional web scraping vendors sign both Data Processing Agreements (DPAs) and Non-Disclosure Agreements (NDAs), but they protect different things. A DPA governs how personal data is handled under privacy law. An NDA governs business confidentiality. Enterprise clients typically require both before a scraping engagement begins.
Key takeaways:
- DPAs are legally required under GDPR when a scraping vendor processes personal data.
- NDAs protect proprietary business information, such as scraping targets, competitive intelligence methods, and client strategy.
- Reputable scraping vendors publish DPAs as standard service terms. NDAs are negotiated per engagement.
- Not all scraped data triggers a DPA. Public commercial data (prices, listings, inventory) often does not contain PII.
- Failing to sign a DPA when one is required exposes the controller (your organization) to GDPR liability, not just the vendor.
What Is a DPA and When Does a Scraping Vendor Need to Sign One?
A Data Processing Agreement (DPA) is a legally binding contract between a data controller (your organization) and a data processor (the scraping vendor). It governs how personal data is collected, stored, and handled. Under GDPR Article 28, a DPA is mandatory whenever a third party processes personal data on behalf of another organization.
For web scraping, this becomes relevant when the scraped dataset includes Personally Identifiable Information (PII), such as names, email addresses, phone numbers, social media profiles, or any data that can identify an individual. If a scraping vendor collects such data on your behalf, a DPA must be in place before that processing begins.
A DPA typically covers the categories of personal data being processed and the purposes of processing, technical and organizational security measures the vendor must implement, obligations around
- Breach notification (usually within 72 hours under GDPR)
- Data subject rights (enabling individuals to request access, correction, or deletion of their data),
- Sub-processor disclosures (identifying any third-party services the vendor uses)
- Data retention and deletion timelines
- Cross-border data transfer mechanisms, such as Standard Contractual Clauses (SCCs).
What Is an NDA and Why Does It Matter for Scraping Engagements?
A Non-Disclosure Agreement (NDA) is a confidentiality contract that prevents a vendor from disclosing your proprietary business information to third parties. In scraping engagements, this protects the websites or data sources being targeted, your competitive intelligence strategy and use cases, proprietary data pipelines or delivery specifications, commercial terms and pricing arrangements, and any client data or internal documents shared during scoping.
NDAs in scraping contexts are typically mutual. Both parties agree not to disclose the other’s confidential information. They are negotiated separately from DPAs and are not mandated by regulation. They are a business practice driven by competitive sensitivity.
An important distinction: an NDA protects confidential business information. It does not substitute for a DPA when personal data is involved. If your NDA is covering data that also contains PII, the NDA’s confidentiality provisions may not be sufficient to satisfy GDPR requirements. You still need a DPA.
DPA vs. NDA: The Key Differences at a Glance
| Factor | DPA | NDA |
| Purpose | Governs personal data processing | Protects business confidentiality |
| Legal trigger | Required by GDPR / CCPA when PII is processed | Negotiated, not legally mandated |
| Scope | Personal data only | Any confidential business information |
| Regulatory body | Data protection authorities (e.g., ICO, CNIL) | Contract law / civil courts |
| Typical duration | Term of the service agreement | Defined period (often 2–5 years) |
| Who signs | Both parties as controller and processor | Both parties as disclosing/receiving party |
| Breach consequences | Regulatory fines up to 4% of global turnover | Civil litigation / injunctive relief |
When Is a DPA Not Required in Web Scraping?
Not every scraping engagement involves personal data. Many enterprise-grade scraping projects target product prices and availability from e-commerce platforms, business listings and commercial contact data (company-level, not individual), news articles, job postings, or market data feeds, and real estate listings or financial data from public sources.
When the output contains only structured commercial data with no names, emails, or individual identifiers, GDPR’s DPA requirement is typically not triggered. However, even in these cases, organizations should document their assessment clearly in case of a regulatory inquiry.
As a rule: if there is any ambiguity about whether the data contains PII, treat it as if it does, and request a DPA.
What Enterprise Clients Should Require from a Scraping Vendor
Before onboarding a scraping vendor, enterprise procurement and legal teams should verify the following:
DPA checklist:
- Does the vendor have a published, GDPR-compliant DPA template?
- Does the DPA name their sub-processors (proxy providers, cloud infrastructure)?
- Does it include breach notification timelines (72 hours for GDPR)?
- Does it cover data subject rights assistance?
- Does it include provisions for cross-border data transfers?
NDA checklist:
- Is the NDA mutual or one-sided?
- Does it cover scraping targets and data delivery specifications as confidential information?
- Is there a clear definition of what constitutes confidential information?
- Does it specify a duration and a procedure for returning or destroying confidential materials?
Additional vendor qualifications to review:
- SOC 2 Type II certification for data handling security
- CCPA compliance frameworks for US-based data
- Data minimization policies. Does the vendor collect only what you need?
- Clear data retention and deletion procedures
Frequently Asked Questions
Does a scraping vendor need a DPA if they only scrape public data? Not necessarily. If the public data contains no PII, GDPR’s DPA requirement does not apply. However, if public pages contain names or identifiable profiles, a DPA is required regardless of the data being publicly accessible.
Can an NDA replace a DPA? No. An NDA protects business confidentiality under contract law. A DPA is a regulatory instrument under data protection law. They serve different functions and must be separate documents.
What happens if we scrape personal data without a DPA? Under GDPR, the data controller (your organization) bears primary liability. Fines can reach €20 million or 4% of global annual turnover, whichever is higher. The absence of a DPA with your processor does not transfer liability to the vendor. It adds to yours.
Are DPAs standard with all scraping vendors? Not all vendors publish DPAs proactively. This is a signal worth noting during vendor evaluation. Mature enterprise-grade providers will have a DPA template ready. Smaller or less compliance-aware vendors may not.
How long does it take to sign a DPA with a scraping vendor? For vendors with a standard DPA template, this can be completed in hours. For custom negotiations involving sub-processor disclosures or specific security addenda, allow 1–3 weeks for legal review.
