Data Processors and their DPA resources
This collection aims to help you with establishing GDPR compliance by concluding the required Data Processing Agreements (DPA) between you and the services processing personal data on your behalf (“Data Processors”).
The list is curated by Joschi Kuphal, Sebastian Greger and Baltasar Cevc and complements their current workshop series about data protection and ethical design issues. ⚠ It is meant as a tool to get a quick entry and first orientation only. It does not replace a thorough and independent check of your individual legal requirements. ⚠
Contribute
Please send in pull requests (learn how) for updates and additions. For instance, you may suggest additional data processors, resources or URLs to conversations and official statements on the web. Please understand that we can only accept URLs that point to the data processors’ official websites or social media profiles (we will only quote non-published information as comments that we have retrieved ourselves first-hand). Thanks for your support! 🙇
Alphabetical list
| Data Processor | Status | Resources | Comment |
|---|---|---|---|
| 1und1 | 🔍 | German DPA | |
| Adobe | 🔍 | English Online Form | |
| Algolia | ✅ | English DPA (PDF) GDPR information |
|
| All-Inkl.com | ✅ | Pre-filled download from customer’s Members Area (Stammdaten › Auftragsverarbeitung). | |
| Amazon AWS | ✅ | English website German website |
|
| Atlassian Cloud | ✅ | English website | DPA available on request for Atlassian Cloud customers |
| Automattic | ✅ | English Support Article, DPA on individual request for paid plans of WordPress.com, Jetpack, WooCommerce.com, Akismet, PollDaddy | |
| billbee | ⌛ | German blog post about their future plans regarding their GDPR implementation. | |
| Cloudflare | ✅ | English DPA (PDF) | |
| DigitalOcean | ✅ | English DPA Detailed information about data security |
|
| DomainFactory | ✅ | German DPA (PDF) German blog posts 1, 2 |
|
| Dropbox | 🔍 | English DPA for Business Accounts (PDF) | Only Business accounts are supported; Standard, Plus and Professional accounts do not have the ability to sign a DPA. |
| etracker | ✅ | German DPA | The DPA can be concluded online under account settings |
| Eventbrite | ✅ | Data Processing Addendum (DPA) for Organizers | Privacy Shield; It should be double-checked in how far the addendum is truly and reliably binding |
| Fullstory | ✅ | Online Form | Privacy Shield |
| Gravatar | ⌛ | English Support Article | Part of Automattic |
| Github | ⌛ | English forum entry Contact form |
Privacy Shield. DPA for organisations available on request via support contact. |
| Gmail (via G Suite) | ✅ | G Suite Administrator Help (multiple languages) | |
| Google Analytics | ✅ | DPA instructions | |
| Google Maps API | ✅ | Controller-Controller Data Protection Terms | Joint Control Contract (JCC, Art. 26) |
| Hetzner | ✅ | English news article German news article |
|
| Host Europe | ✅ | German DPA | |
| Hotjar | ✅ | English DPA | |
| Hubspot | ✅ | English DPA | |
| Issuu | ⌛ | — | “we are working on becoming GDPR compliant” and we “will update them as soon as we have all of our changes and new policies in place” |
| KeyCDN | ⌛ | General Information English Tweet stating they will provide a DPA which will be available in May |
“Our privacy team is continually reviewing our features and practices to ensure we support our customers with their GDPR compliance requirements.” |
| ✅ | English DPA French DPA German DPA Spanish DPA Portuguese DPA |
Privacy Shield; DPA incorporated into the “LinkedIn Contract” | |
| Mailjet | ✅ | English FAQ | |
| Mailchimp | ✅ | English Online Form | Privacy Shield |
| Mandrill | ✅ | English Online Form | |
| Manitu | ✅ | German website DPA available online | |
| Mapbox | ✅ | Can be obtained via email to privacy@mapbox.com | |
| MaxCDN | ✅ | English website | |
| MaxCluster | ✅ | Download via Customer Backend | |
| micropayment | ✅ | Online Form for registered / logged-in users | |
| Mittwald | ✅ | Comment in German blog post, available from customer service | |
| Mouseflow | ✅ | Contact form | |
| Netcup | ✅ | German Wiki | |
| Netlify | ✅ | English DPA | Privacy Shield |
| Newsletter2Go | ✅ | German Website | |
| Postmark | ✅ | English Website, DPA available online | Privacy Shield “We reviewed our data processing activities, and are making any changes that are needed in advance of the GDPR effective date.” |
| Salesforce | ✅ | English Website, English DPA (PDF) | Privacy Shield |
| Scopevisio | ✅ | German DPA | |
| Simplecast | ✅ | Data Processing Addendum | DPA – Including EU Standard Contractual Clauses) |
| Slack | ✅ | Data Processing Addendum | Privacy Shield |
| Strato | ✅ | German Website | |
| Stripe | ✅ | Data Processing Addendum (you need to be logged into your account to accept it) English Privacy Shield Policy Stripe Services Agreement (multilingual) |
Privacy Shield |
| TinyLetter | ✅ | English Online Form | Privacy Shield; part of Mailchimp |
| Toggl | ⌛ | — | Promises to be “fully be GDPR compliant by the May deadline”, but “doesn’t feel that a DPA is needed at this time”. At the moment it’s unclear how this solution will look like and whether it’s going to be truly GDPR compliant. |
| Trello | ⌛ | English forum entry stating that there will be a DPA until May 2018 Trello and GDPR (multiple languages) Revised Privacy Policy (multiple languages; effective as of May 25th, 2018) Trust @ Trello |
Privacy Shield; part of Atlassian |
| Twilio | 🔍 | Online Form (Preview) (English) | Privacy Shield |
| TypeKit | 🔍 | Online Form (English) | Part of Adobe |
| Travis CI | ✅ | English DPA | |
| Uberspace | ✅ | German DPA, can be signed via the dashboard | |
| Vercel | ✅ | English DPA | |
| Webgo | ✅ | Online Form | |
| WebhostOne | ✅ | German FAQ | |
| Wordpress.com | ✅ | English Support Article, DPA available on request for paid plans | Run by Automattic |
| WPengine | ⌛ | English DPA | |
| Zapier | ⌛ | English support article GDPR Compliance Updates |
“We at Zapier wholeheartedly support the privacy rights of our customers and our users and are proactively working toward GDPR compliance by May 25th, 2018.” |
| Zendesk | ⌛ | English FAQ support article | “Zendesk will be compliant with the GDPR when it becomes enforceable in May 2018.” |
Legend
| Symbol | Meaning |
|---|---|
| ❓ | It’s currently unknown whether or not this service provides a GDPR compliant DPA |
| ⌛ | As far as the curators know, the data processor is busy with unspecified preparations for what they believe is GDPR-compliant; this may or may not include a DPA |
| 🔍 | The curators are currently reviewing the specified resources |
| ✅ | This service provides a DPA that it declares to be GDPR compliant |
| ❌ | This service doesn’t provide a GDPR compliant DPA (whether or not that’s a valid state) |