DeepL Data Processing Agreement (DPA) — GDPR Analysis

Does DeepL have a Data Processing Agreement (DPA) under Article 28 GDPR?

Yes. DeepL is a German company headquartered in Cologne and offers a DPA, EU-based processing for paid API plans, and strong GDPR commitments. German buyers should still verify the DPA, confirm data-not-for-training protections, and assess whether the free plan is appropriate for business use.

  • DeepL SE is a German company — EU-based infrastructure, DPA, and GDPR commitments are available for paid API and Pro plans.
  • The free DeepL plan stores translations for quality improvement — do not use it for personal data, confidential documents, or business-sensitive content.
  • For regulated sectors, verify whether DeepL Pro or API Advanced provides the contractual guarantees and data localisation you require.

DeepL DPA questions come from compliance and legal teams who need to know whether DeepL can be used for translating internal documents, customer communications, contracts, and other business content in Germany — and whether the data processing setup is GDPR-defensible. As of April 5, 2026, the answer for most paid plan users is more straightforward than for many US-based AI tools: DeepL SE is a German company headquartered in Cologne, offers EU-based processing for paid API and Pro customers, and provides a Data Processing Agreement that explicitly commits to not training on customer translations.

That makes DeepL one of the stronger default options for German companies needing an AI translation tool. But the legal position varies significantly by plan, and free-plan use for business data is genuinely problematic.

Short answer

DeepL is a workable choice for German companies on paid plans, with important conditions:

  • Obtain and sign the DeepL DPA — it formalises the processor relationship and training exclusions.
  • Avoid using the free plan for any personal data, confidential content, or business-sensitive documents.
  • For regulated sectors, verify the DPA matches your sector-specific data localisation and confidentiality requirements.

This page is general information, not legal advice for a specific implementation. If you are evaluating translation and language AI tools for Germany, also review our guides on AI translation, Cursor, and our AI legal expertise.

Is DeepL GDPR compliant?

For paid plans, the structural position is strong.

DeepL SE is based in Cologne, Germany. Its primary infrastructure for the paid API and DeepL Pro plans is EU-based. For paid customers, DeepL:

  • provides a Data Processing Agreement (DPA) under Article 28 GDPR
  • commits not to use translations for AI model training
  • processes data within the EU for paid API and Pro plans
  • maintains ISO 27001 and other security certifications

This makes DeepL’s compliance story clearer than many US-headquartered competitors for German buyers. The German company background is a genuine trust signal, not just marketing — EU-based legal entity, EU-based infrastructure, and GDPR familiarity built in.

However, compliance is not automatic:

  1. You still need to sign the DPA. The data processing protections only apply once the DPA is executed. Do not assume they apply by default.
  2. Plan matters significantly. The free consumer plan offers none of the enterprise data protections. DeepL Pro and API plans have different DPA coverage — confirm which products your planned use case requires.
  3. Content classification still applies. Even with a strong DPA, your legal basis under Article 6 GDPR and the sensitivity of content processed through DeepL remain your responsibility.

The DeepL DPA: what it covers

DeepL’s DPA for paid customers — referred to in German as an Auftragsverarbeitungsvertrag (AVV) — typically covers:

Element | Coverage
Processor role | DeepL acts as a processor for customer translation data
No training use | Translations are not used to train DeepL’s AI models for paid plans
EU processing | Translation data is processed within the EU for paid API and Pro customers
Security | ISO 27001 and additional security measures
Subprocessors | List of subprocessors used in translation infrastructure
Deletion | Translation data deleted after processing or according to plan terms
Article 28 compliance | DPA structured to meet GDPR Article 28 requirements

Legal teams should still review:

  • whether the DPA version covers the specific DeepL product you are purchasing (API, Pro, Teams, Business)
  • whether any third-country transfers remain relevant for specific infrastructure components or support access
  • whether the DPA’s subprocessor list and objection mechanism meet your internal standards
  • whether specific plan-level commitments (storage duration, audit rights, DPIA assistance) are adequate for your risk appetite

How to obtain and sign the DeepL DPA

For companies using DeepL in Germany, obtaining the DPA is straightforward — but it requires a paid plan. The free plan does not include a DPA, and the process should be completed before any personal or confidential data is processed through the tool.

  1. Choose the right DeepL plan. The DPA is available for API Advanced, Pro, Teams, and Business plans. The free DeepL plan has no DPA and is not appropriate for business use involving personal data.
  2. Log into your DeepL account. Navigate to Settings → Legal Documents or the Data Processing Agreement section. Depending on your plan, the DPA may be labelled differently.
  3. Review the DPA before signing. Check the subprocessor list to confirm EU-based processing, verify the data deletion terms for your specific plan, and confirm that audit rights meet your internal compliance requirements.
  4. Sign the DPA electronically or by wet signature. Most companies can accept the DPA electronically through the DeepL portal. Check your internal procurement policy — some regulated sectors require physical signatures or additional internal sign-off.
  5. Store the signed DPA in your Article 30 records. Under GDPR Article 30, you are required to maintain a record of processing activities. The signed DeepL DPA should be filed as part of your processor documentation.
  6. Brief internal teams on approved use scope. The DPA applies to the paid plan only. Ensure teams using DeepL understand which plan is approved, that the free plan must not be used for business data, and what content categories fall within the approved scope.

Not sure whether the DeepL DPA meets your sector requirements? Contact Compound Law for a DPA review or compliance assessment specific to your industry.

Free plan vs. paid plan: a critical distinction

This is one of the clearest compliance decisions in the AI tools landscape.

DeepL free plan:

  • Translations may be stored and used for quality improvement
  • No DPA available
  • Not appropriate for personal data, confidential content, or business-sensitive documents
  • Intended for personal use

DeepL Pro / API paid plans:

  • DPA available and executable
  • Translations not used for model training
  • EU-based processing
  • Appropriate for business use with a signed DPA

German companies that allow employees to use the free DeepL plan for work-related documents — contracts, customer communications, HR materials, legal drafts — are creating real GDPR exposure. The free plan should be blocked or explicitly excluded from business workflows, and the paid plan with an executed DPA should be the only authorised path for any translation involving personal data or confidential content.

EU hosting and data localisation

For German companies with strict data localisation requirements, DeepL’s EU-based infrastructure for paid plans is a significant advantage. Unlike many AI translation competitors that process data in the United States, DeepL SE processes translation data within the EU for its paid API and Pro customers.

This means:

  • no Chapter V GDPR transfer issue for the primary translation processing
  • no need for SCCs or DPF reliance for the main product workflow
  • a German-based legal entity as the contracting party

Still, procurement teams should verify a few edge cases:

  • whether any subprocessors involved in infrastructure, security monitoring, or support access are outside the EEA
  • whether document storage, if applicable, uses the same EU infrastructure as translation processing
  • whether DeepL for Teams or enterprise business accounts have any different data routing

For most German companies, DeepL’s EU hosting story is straightforward for paid plans. Document the DPA, confirm EU processing, and note subprocessors — that is typically sufficient for standard GDPR compliance documentation.

Confidential documents and professional secrecy

A common question for German buyers in legal, healthcare, financial, and public sector contexts is whether DeepL can be used for confidential documents subject to professional secrecy obligations.

The answer for paid plans with an executed DPA is generally more positive than for most other AI translation tools. The key considerations:

  • DeepL’s EU processing means content does not leave the EEA as part of the main translation workflow
  • No training use means translated content is not retained for model improvement
  • German company status means DeepL is directly subject to German and EU law

For Rechtsanwälte (lawyers), Ärzte (doctors), Steuerberater (tax advisers), and others subject to professional confidentiality under German law — check whether your specific professional rules permit cloud-based translation tools even with a strong DPA. Some professional bodies issue guidance that goes beyond GDPR and may require additional safeguards or prohibit certain SaaS tools for protected content.

For financial institutions and regulated companies, check whether your sector-specific compliance framework (BaFin guidance, sector-specific cloud requirements) requires additional contractual or technical controls beyond the standard DeepL DPA.

Practical compliance checklist

  1. Use paid plans only for business use. Block the free plan for any work-related translation workflows.
  2. Execute the DeepL DPA. Do not rely on default protections — sign the DPA before processing personal or confidential data.
  3. Verify which product the DPA covers. Confirm that the DPA applies to the exact DeepL product your teams will use (API, Pro, Teams, Business).
  4. Confirm EU processing. Verify that your plan routes translation processing through DeepL’s EU infrastructure and document this for your GDPR records.
  5. Check subprocessors. Review the subprocessor list in the DPA and confirm no third-country transfers apply to your specific plan.
  6. Apply content rules. Set internal policies on what content categories may be translated through DeepL and which require additional review.
  7. Assess professional secrecy. For legal, healthcare, and regulated sectors, check whether sector-specific professional confidentiality rules impose additional conditions.

FAQ

Does DeepL have an AVV / DPA?

Yes. DeepL SE provides a Data Processing Agreement (DPA) — known in German as an Auftragsverarbeitungsvertrag (AVV) — for paid API and Pro customers. It confirms the processor role, EU-based processing, training data exclusions, and Article 28 GDPR compliance.

Is DeepL GDPR compliant?

For paid plans, yes — DeepL SE is a German company with EU-based infrastructure, a DPA, and a no-training-on-customer-data commitment. For the free plan, no: the free plan is not appropriate for business use involving personal or confidential data.

Can German companies use DeepL for confidential documents?

For paid plans with a signed DPA, DeepL is generally appropriate for many confidential document workflows. Professionals subject to sector-specific confidentiality obligations (lawyers, doctors, tax advisers) should additionally check whether their professional body’s rules permit cloud-based translation even with a strong DPA.

Does DeepL train on customer translations?

Not for paid API and Pro customers with an executed DPA. The free plan does not offer this protection. Always verify the current DPA terms for your specific plan.

How do I get the DeepL DPA?

The DeepL DPA is available to paid API and Pro customers through the DeepL account portal under Legal Documents or Data Processing Agreement settings. You do not need to contact DeepL support — it can be accepted electronically. Before signing, review the subprocessor list and confirm that the DPA version covers your specific plan (API, Pro, Teams, or Business).

Is DeepL a German company?

Yes. DeepL SE is headquartered in Cologne, Germany. Its primary translation infrastructure for paid plans is EU-based. This is a genuine compliance advantage for German buyers compared to US-headquartered AI tool vendors.

If your team is evaluating DeepL or other AI translation tools for a German rollout, Compound Law advises businesses on GDPR, AI procurement, DPA reviews, and professional confidentiality. Contact us if you need a DeepL DPA review or compliance assessment for a specific translation workflow.

Frequently asked questions

Does DeepL have an AVV / DPA?

Yes. DeepL offers a Data Processing Agreement (DPA) — referred to as an Auftragsverarbeitungsvertrag (AVV) in German — for paid API and Pro plan customers. The DPA confirms processor status, Article 28 GDPR compliance, EU-based processing, and data-not-for-training protections.

Is DeepL GDPR compliant?

DeepL SE is a German company based in Cologne with EU-based infrastructure for paid plans. For paid API and Pro customers, DeepL provides a DPA, does not train on customer translations, and processes data within the EU. The free plan does not offer these protections.

Can German companies use DeepL for confidential documents?

For paid plans with a valid DPA, DeepL can be appropriate for many confidential document workflows. Regulated sectors with specific confidentiality obligations (legal, healthcare, finance) should verify whether the DPA and EU-processing setup meets their sector-specific requirements. Free plan use for confidential documents is not appropriate.

Does DeepL train on customer translations?

For paid API and Pro customers with a DPA in place, DeepL commits to not using translations for model training. The free plan does not offer this protection. Always verify the current DPA terms rather than relying on marketing material.
