Avatar Mike Noordermeer Data Processing Agreement available

Mike Noordermeer | Published May 1, 2018

Eveoh now has a standard Data Processing Agreement available for all customers. We strongly urge all customers to sign this agreement as having a Data Processing Agreement in place is required under the GDPR.

Our template Data Processing Agreement (DPA) is now available. We ask all our customers to review this document and contact us to retrieve a signed copy of the document before the 25th of May 2018. This document was carefully drafted in cooperation with ICTRecht and meets all requirements under the GDPR. It also accurately reflects the way we work and protects the interest of both the Controller (you) and Processor (us).

Information Security Policy

Part of the Data Processing Agreement is our Information Security Policy. This policy defines the security measures we take to protect your and your users’ data.

Exceptions

We feel a DPA should be in place with all our customers. Only for customers where we do not handle any personal data (e.g., customers where we do not have any administrative access to MyTimetable or the underlying servers) a DPA is not required.

Signing the DPA

To sign the DPA, please send an email to support@eveoh.nl stating your point of contact (signee). We will send you a signed copy of the agreement and ask you to return a countersigned copy.

Other Data Processing Agreements

Some customers approach us with their own Data Processing Agreement templates. For various reasons, we cannot sign these documents. Some of these reasons include:

  • Having multiple DPAs in place makes it impossible to define a consistent Information Security Policy and be compliant with all different DPAs.
  • Having multiple DPAs in place makes it impossible for our subprocessors to agree to everything from the DPAs we have signed, something that is required under the GDPR.
  • Some DPAs place requirements on us that we can or do not want to meet, including:
    • Unlimited liability and/or indemnity provisions
    • Yearly audit requirements (under the GDPR, a Controller has the right to perform an audit, but cannot demand an audit from a Controller)
    • Clauses that go against the GDPR
    • Clauses that cannot be (realistically) implemented
  • As a small company, we cannot let our lawyers review each and every customer DPA, that would simply be too costly. Our customers generally have much more resources available internally to perform such reviews.

We hope you understand this position. If you have any further questions, feel free to contact us through support@eveoh.nl.