GDPR DPA Generator
Generate a minimal, accurate DPA by scanning the project rather than interviewing the user.
Workflow
Step 1: Discover Sub-processors
Scan the project for service fingerprints. Check ALL of the following (not just package.json — this must work for any language):
Dependency files (read whichever exist):
- •Node.js:
package.json,package-lock.json,yarn.lock,pnpm-lock.yaml - •Python:
requirements.txt,pyproject.toml,Pipfile,setup.py - •Ruby:
Gemfile - •Go:
go.mod - •Rust:
Cargo.toml - •PHP:
composer.json - •Dart/Flutter:
pubspec.yaml
Infrastructure and config files:
- •
docker-compose.yml,Dockerfile - •
.env.example,.env.sample,.env.template - •
coolify.yaml,render.yaml,railway.toml,fly.toml - •Any
*.config.*,*.toml,*.yaml,*.ini
Source code signals:
- •Import/require statements for known SDK packages
- •Direct HTTP calls to known API endpoints (
api.stripe.com,sentry.io,api.resend.com, etc.) - •Environment variable names that reveal services (
STRIPE_SECRET_KEY,SENTRY_DSN,RESEND_API_KEY, etc.)
Cross-reference every discovered service against references/sub-processors.md to get GDPR metadata.
Step 2: Identify Personal Data Types
Scan schema files, models, and form handlers to identify what personal data is actually processed:
- •User identity: name, email, username, phone
- •Location: address, IP address, coordinates
- •Financial: payment methods, transaction history
- •Behavioral: activity logs, session data, analytics events
- •Device: user agent, device ID
- •Sensitive: health data, biometrics (flag these — Article 9 requires explicit consent)
Step 3: Flag Issues
Before generating, list any issues found:
- •Services detected but NOT in sub-processors.md (unknown sub-processor — user must add manually)
- •Services using non-EU regions when EU region is available (flag with recommended config)
- •Sensitive data (Article 9) detected without evidence of explicit consent mechanism
- •Services where DPA URL could not be confirmed (mark as "verify link")
- •No
.env.examplefound — sub-processor list may be incomplete
Step 4: Generate the DPA
Use references/dpa-template.md as the template. Fill in:
- •Annex A (Sub-processors): list every identified sub-processor with their role and DPA link
- •Data types section: the personal data categories found in Step 2
- •Purpose of processing: inferred from the project (auth, payments, error tracking, etc.)
- •Leave
[YOUR COMPANY NAME]and[CUSTOMER COMPANY NAME]as placeholders - •Leave
[DATE]as a placeholder - •Add a note at the top: "Generated from project scan — review before use. Not legal advice."
Output the DPA as a Markdown document ready to save as DPA.md in the project root.