
Who needs to provide the DPA? Our customers or us (as the vendor)?

When selling our SaaS as a vendor to Enterprise (all have presence in Europe), I'm getting confused on the DPA (Data Processing Agreement) protocol.

The scenarios have always been different:

  • One company sent us their own DPA, and sent us our own slightly amended Terms of Conditions + Privacy Policy. We confirmed and signed.
  • One company sent us a DPA. We confirmed and signed. They asked us for a DPA -- told them we didn't have one, only our Terms of Conditions + Privacy Policy.
  • One prospect's #1 priority was making sure we had a DPA. He emailed his legal team during our demo call asking if they could send us a DPA to sign. He said it was typically the vendor's responsibility to send a DPA to customers to sign.

Are we, the vendor, responsible for providing a DPA for customers to sign?

on July 19, 2019
  1. 2

    Hi Kevin,
    Firstly, I have no legal background, but I was the person responsible for implementing various GDPR-related things, including revising our DPA, in our European SaaS company.

    In our company I have used our own (vendor) template, had customers who sent us the DPA that they require to be used, and also negotiated a new DPA where the content was adapted from both the customer-provided and the vendor-provided DPA.

    My strong recommendation, if you are not only focusing on enterprise customers, would be to create an official vendor DPA for your company. That way you can streamline the DPA process, e.g. by having the customers sign the DPA as part of the onboarding process in your platform. "Automating" this process is not possible if you get the DPAs from the customers.

    If you go the route of creating your own DPA, try and keep it as "fair" as possible, otherwise, there will be too many customers that won't sign your DPA.

    Another thing to consider, if you are using the customer-provided DPA: what happens when you have, e.g., a data breach? Well, while you are in the stressful situation of dealing with a data breach, you then have to go and read all the customer-provided DPAs to see if you promised something unique in the reporting to that customer, a special way of reporting, etc.

    Of course, if you are dealing with large enterprise customers then sometimes you have to play by their rules. But make sure you charge them enough to be worth it :)

    1. 1

      Thanks -- this is super helpful. Getting our own DPA seems like it's confirmed within our TODO list now.

  2. 2

    Typically I'd expect the vendor to supply it, but it's like any contract: as long as it's signed by both parties, then either party can provide it.

    I'd personally have a stock DPA that you use as standard; then, if a certain customer has issues with it, make amendments as required.

    1. 1

      Thanks for the info!
