You need to include all the provisions listed in Article 28 GDPR.
From the controller’s side the agreement should define:
the subject-matter and duration of the processing,
the nature and purpose of the processing,
the type of personal data and categories of data subjects, and the obligations and rights of the controller.
From the processor’s side, the agreement shall ensure that the processor:
processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country;
ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
takes all measures required pursuant to Article 32;
will not engage a subprocessor without previous written authorization;
taking into account the nature of the processing, assists the controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the controller’s obligation to respond to requests for exercising the data subject’s rights;
assists the controller in ensuring compliance with the obligations of security;
at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires the storage of the personal data;
makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article, and allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller;
immediately informs the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.