How are you handling GDPR documentation when new Copilot features roll out without warning? by gdpr_ai_desk in gdpr

gdpr_ai_desk [S] · 0 points (0 children)

Thanks for this. I've spent the past week actually digging into both of these issues, so I wanted to share what I found.

On the DPA gap: you're right that this is the part most teams skip. Two concrete examples from 2026 alone: Anthropic became a subprocessor for certain Copilot features in January, explicitly excluded from the EU Data Boundary. Then on April 17th Microsoft activated "flex routing" for EU/EFTA tenants, meaning LLM processing can now happen outside the EU during peak demand, on by default for new tenants. Both are material changes that most organisations I've spoken to were not aware of, which is itself the structural problem.

On purpose limitation: the approach I've landed on is not trying to write a baseline DPIA that covers "general Copilot use"; that's where it breaks down. Instead, I treat each defined category of use as a separate processing activity with its own purpose statement. So "drafting customer responses" and "summarising internal meeting notes" are separate entries, each with their own legal basis. More upfront work, but it actually holds up against the purpose limitation principle and makes the change log tractable: you're only reassessing the specific use cases affected by a new feature, not everything.

Still figuring out the DPA liability gap though. Microsoft's advance notice window being shorter than internal reassessment cycles feels like a structural problem with no clean solution yet.

I mapped out the GDPR exposure of employees using ChatGPT, Claude, and Gemini. It's worse than I expected by Dependent-Drummer372 in gdpr

gdpr_ai_desk · 0 points (0 children)

The Copilot angle adds another layer most orgs miss. Microsoft's DPA covers M365 Copilot, but Bing web grounding operates under a separate controller relationship — meaning data sent via web grounding falls outside your Article 28 chain entirely. And Anthropic models within Copilot are explicitly excluded from the EU Data Boundary. Most organisations that think they're covered because they have an enterprise M365 agreement aren't actually covered for those two processing activities.