Data protection and privacy

Data processing agreement (DPA)

Overview

As an EU-based company, Flexopus needs to comply with the EU GDPR. Besides many other measures, Flexopus needs to sign a so-called data processing agreement (DPA) with each client. In the data processing agreement, Flexopus acts as the data processor and the customer is the data controller.

GDPR Article 28, Section 3, explains in detail the eight topics that need to be covered in a DPA. In summary, here’s what you need to include:

  • The data processor agrees to process personal data only on written instructions of the data controller.
  • Everyone who comes into contact with the data is sworn to confidentiality.
  • All appropriate technical and organizational measures are used to protect the security of the data.
  • The processor will not subcontract to another processor unless instructed to do so in writing by the controller, in which case another DPA will need to be signed with the sub-processor (pursuant to Sections 2 and 4 of Article 28).
  • The processor will help the controller uphold their obligations under the GDPR, particularly concerning data subjects’ rights.
  • The processor will help the controller maintain GDPR compliance with regard to Article 32 (security of processing) and Article 36 (consulting with the data protection authority before undertaking high-risk processing).
  • The processor agrees to delete all personal data upon the termination of services or return the data to the controller.
  • The processor must allow the controller to conduct an audit and will provide whatever information necessary to prove compliance.

Flexopus provides a standardized, application-specific DPA document for the client that can be signed digitally or by hand.

💡
Note! Signing the DPA document can be done after the license agreement is signed.
Important! Signing the DPA is the responsibility of both parties!

Data sub-processors

The direct data sub-processors are also listed in the DPA document. It's important that the sub-processors of Flexopus also comply with the GDPR and that Flexopus signs a DPA with the sub-processors as well. This way, the data processing chain can be controlled and validated from top to bottom, if necessary.

Flexopus carefully selects the sub-processors that have access to the data of our customers, no matter for which task. When selecting sub-processors, we prefer to work with EU-based companies that are directly under GDPR jurisdiction, or to use internal self-hosted services that do not require a third party for the data processing.


Sign DPA

Navigate in Flexopus as an administrator to Dashboard > Settings > Data Processing Agreement. Here you can sign the data processing agreement manually or digitally.

Data processing agreement

Fill out your company details, then select the language of your DPA document. Currently, we provide a German and an English version of the DPA.

Then select the way you wish to sign the DPA: manually or digitally.

Select language and sign type

Sign DPA digitally

If you select the digital version of the DPA, you need to configure the following parameters:

Affected group of people
These people will be affected by the data processing agreement. Select the groups of people that are going to use Flexopus. The standard categories, such as employees & coworkers, freelancers & suppliers, and customers, are listed by default; however, your use case may differ, so you can enter other affected groups of people as well.

Persons authorized to issue instructions due to the DPA
Define which users are authorized to issue instructions to Flexopus, such as deleting all data. This may change over time, so we defined it dynamically: all administrators are authorized to issue instructions. This way, our support team can support your organization's needs more flexibly; however, you can also define additional users by name.

Authorized users to sign the DPA
Since the document is going to be signed digitally, you need to authorize a user to sign the document. This user will get access to the admin dashboard to sign the DPA. You don't need to grant full admin rights just to sign the DPA.

Save the changes. After saving, you can generate a draft document to see the changes. After configuring the steps, inform the user who is supposed to sign the DPA document. When navigating to this page, the user will find a Sign DPA button. It's required to scroll through the document once again. After the DPA is finalized, Flexopus will save the user's IP address, digital footprint, user profile, date, and the version of the signed DPA.

The signed DPA will be available immediately. You can download it.

💡
Note: If Flexopus provides a newer DPA version, we may ask you to sign the newer DPA as well. Having an up-to-date DPA benefits both parties.

Sign DPA manually

Signing the DPA digitally may not be possible in your organization, since the person authorized to sign such a document may require a PDF or a printed document. For this reason, we offer the manual signing option.

If you select this option, make sure you fill out the following parts of the DPA manually as well:

  • Affected group of people
  • Persons authorized to issue instructions due to the DPA
  • Authorized users to sign the DPA

After that, you can have the document signed manually. Then you can upload the document to Flexopus. The document will be reviewed by our team.

💡
Note: Please do not delete parts of the DPA without communicating it to us.