Data Processing Agreement
If your organization processes the personal data of EU residents, GDPR Article 28 requires a written agreement between you (the controller) and any processor handling that data on your behalf.
Kostenx provides a standard Data Processing Agreement that aligns with GDPR requirements and incorporates the EU Standard Contractual Clauses where relevant. We can sign it bilaterally on request.
What's in our DPA
- Description of the processing (personal data categories, data subjects, purpose, duration)
- Sub-processors we use (Stripe, MongoDB Atlas, Vercel) and notification of changes
- Technical and organizational security measures
- International data transfer safeguards (SCCs, EU-US Data Privacy Framework)
- Data subject rights handling (access, deletion, portability)
- Breach notification procedures
- Audit rights and termination provisions
How to request
Email dpa@kostenx.com with:
- Your company legal name and registered address
- The Kostenx account email associated with your subscription
- Name and email of the signing authority
We typically send the countersigned agreement within 5 business days.
For a higher-volume engagement (multiple seats, custom data retention, or specific regulatory needs such as HIPAA or SOX), include those details in your email and we will tailor the agreement.