Data processing agreement (DPA)
Overview
As an EU-based company, Flexopus needs to comply with the EU GDPR. Among many other measures, Flexopus needs to sign a so-called data processing agreement (DPA) with each client. In the data processing agreement, Flexopus acts as the data processor and the customer is the data controller.
GDPR Article 28, Section 3, explains the eight topics that need to be covered in a DPA in detail. In summary, here’s what you need to include:
- The data processor agrees to process personal data only on written instructions of the data controller
- Everyone who comes into contact with the data is sworn to confidentiality.
- All appropriate technical and organizational measures are used to protect the security of the data.
- The processor will not subcontract to another processor unless instructed to do so in writing by the controller, in which case another DPA will need to be signed with the sub-processor (pursuant to Sections 2 and 4 of Article 28).
- The processor will help the controller uphold their obligations under the GDPR, particularly concerning data subjects’ rights.
- The processor will help the controller maintain GDPR compliance with regard to Article 32 (security of processing) and Article 36 (consulting with the data protection authority before undertaking high-risk processing).
- The processor agrees to delete all personal data upon the termination of services or return the data to the controller.
- The processor must allow the controller to conduct an audit and will provide whatever information necessary to prove compliance.
Flexopus provides a standardized, application-specific DPA document for the client that can be signed either digitally or by hand.
Data sub-processors
The direct data sub-processors are also listed in the DPA document. It is important that the sub-processors of Flexopus also comply with the GDPR and that Flexopus signs a DPA with each sub-processor as well. This way, the data processing chain can be controlled and validated from top to bottom, if necessary.
Flexopus carefully selects the sub-processors that have access to our customers' data, regardless of the task. When selecting sub-processors, we prefer to work with EU-based companies that are directly under GDPR jurisdiction, or to use internal self-hosted services that do not require a third party for the data processing.
Sign DPA
To sign the Data Processing Agreement in Flexopus:
- Navigate as an administrator to Dashboard > Settings > Data Processing Agreement.
- You can choose to sign the agreement either manually or digitally.
This ensures compliance with data protection regulations and formalizes the processing of data within Flexopus.
To complete your Data Processing Agreement (DPA) in Flexopus:
- Fill out your company details.
- Select the language of your DPA document (currently available in German and English).
- Choose your preferred signing method: manually or digitally.
This finalizes the agreement in line with your company’s requirements.
Sign DPA digitally
When you select the digital version of the DPA, you need to configure the following parameters:
- Affected group of people: Select the group of people affected by the DPA. Default categories include:
  - Employees & coworkers
  - Freelancers & suppliers
  - Customers
  You can also add custom categories based on your specific use case.
- Persons authorized to issue instructions due to the DPA: Define which users can issue instructions to Flexopus, such as deleting data. By default, all administrators are authorized, but you can also assign additional users by name.
- Authorized users to sign the DPA: Choose a user who is authorized to sign the DPA digitally. This user will get limited admin access to sign the document, without needing full admin rights.
- Save changes: After saving, you can generate a draft document to review the details. Once everything is configured, inform the authorized user to navigate to this page.
- Signing the DPA: The authorized user will find a Sign DPA button on the page. They are required to scroll through the document and review it once more. After finalizing the DPA, Flexopus will record the user's IP address, digital footprint, user profile, date, and the version of the signed DPA.
This ensures compliance with data protection regulations and flexibility in managing authorized users and instructions.
Sign DPA manually
If digital signing of the DPA is not possible in your organization, you can opt for manual signing. To proceed with this option, follow these steps:
- Select the manual signing option.
- Manually fill out the following sections of the DPA:
  - Affected group of people
  - Persons authorized to issue instructions due to the DPA
  - Authorized users to sign the DPA
- Once these sections are completed, have the document signed manually.
- Upload the signed document into Flexopus.
After uploading, the document will be reviewed by the Flexopus team to ensure compliance.