Data Protection and Privacy

Data Processing Agreement (DPA)

Overview

As an EU-based company, Flexopus needs to comply with the EU GDPR. Besides many other measures, Flexopus needs to sign a so-called data processing agreement (DPA) with each client. In the data processing agreement, Flexopus acts as the data processor and the customer is the data controller.

GDPR Article 28, Section 3, explains the eight topics that need to be covered in a DPA in detail. In summary, here’s what you need to include:

  • The data processor agrees to process personal data only on written instructions of the data controller.
  • Everyone who comes into contact with the data is sworn to confidentiality.
  • All appropriate technical and organizational measures are used to protect the security of the data.
  • The processor will not subcontract to another processor unless instructed to do so in writing by the controller, in which case another DPA will need to be signed with the sub-processor (pursuant to Sections 2 and 4 of Article 28).
  • The processor will help the controller uphold their obligations under the GDPR, particularly concerning data subjects’ rights.
  • The processor will help the controller maintain GDPR compliance with regard to Article 32 (security of processing) and Article 36 (consulting with the data protection authority before undertaking high-risk processing).
  • The processor agrees to delete all personal data upon the termination of services or return the data to the controller.
  • The processor must allow the controller to conduct an audit and will provide whatever information is necessary to prove compliance.

Our DPA is available directly as part of the registration process or the official quote, so that the document is available to customers in advance.

By registering/accepting the quote, you confirm the General Terms and Conditions as well as the Data Processing Agreement – thereby ensuring that the agreement is properly concluded in accordance with the GDPR.

You can access the document again via the following link: https://www.flexopus.com/en/legal-page/auftragsverarbeitungsvertrag


Data sub-processors

The direct data sub-processors are also listed in the DPA document. It is important that the sub-processors of Flexopus also comply with the GDPR and that Flexopus signs a DPA with the sub-processors as well. This way, the data processing chain can be controlled and validated from top to bottom, if necessary.

Flexopus carefully selects the sub-processors that have access to the data of our customers, regardless of the task. When selecting sub-processors, we prefer to work with EU-based companies that fall directly under GDPR jurisdiction, or to use internal self-hosted services that do not require a third party for the data processing.