Article 28 GDPR and the shape of a processor
What a processor agreement is required to contain says a lot about what a processor is.
Article 28 of the GDPR does something quietly structural: it tells you what a data processing agreement must contain, and in doing so it describes the shape of a processor. Subject matter and duration. Nature and purpose. Categories of data and of subjects. The controller's documented instructions. Confidentiality, security, sub-processing, assistance, deletion, and audit. The list is a portrait.
Reading a processor agreement well means reading it against that portrait and noticing what is thin. A deletion obligation that is vague about timing. A sub-processor clause that grants general authorisation without a mechanism to object. An audit right that exists on paper but is hedged into irrelevance. Each gap is a place where the contract falls short of the shape the regulation expects.
The interesting cases are the ones where the agreement is technically complete but practically hollow — every required element present, each one drafted to do as little as possible. Compliance as a checklist is easy to pass and easy to see through. The question is not whether the clause exists but whether it would do anything.
A platform that processes documents in memory and retains nothing sits comfortably against several of these requirements by construction rather than by clause — deletion is not a promise to schedule when there is nothing to delete. This is a thematic note on how to read such agreements, not legal advice on any specific arrangement.