GDPR compliance

conman

Hello Opalstack community / support team,

I’m planning to host a Django application in the Frankfurt region and want to ensure GDPR compliance.

Could anyone clarify or provide:

How to obtain the Data Processing Agreement (DPA) for Opalstack?
A list of all subprocessors involved (datacenter, backups, support providers) and their locations?
Whether Standard Contractual Clauses (SCCs) are applied for data transfers to the U.S.?
How to ensure that my server will be located in the EU- can I select this in the backend?

This information will help me complete my GDPR documentation. Any guidance or links would be greatly appreciated.

Thank you!

conman

I saw that others have also asked for information to achieve GDPR conformity. Here they were referred to the privacy policy. Unfortunately this is not sufficient: A Privacy Policy is only informational and does not create a legally binding agreement between the data controller (me) and the processor (Opalstack).

For GDPR, I need a formal Data Processing Agreement (DPA) that:

specifies Opalstack’s obligations (security, sub-processors, deletion of data),
covers any cross-border transfers (e.g., via SCCs),
is formally accepted (signed or acknowledged) by both parties.

klynton

Hey conman,

We don't have a standard GDPR package like this ready to go. We would need to sign DPAs with our providers in order to sign an DPA with you (at least if I'm reading things correctly).

We built our regions to be pretty self contained. US data stays in the US, the German mail and web servers data stays on those servers, all of the European servers save backups to Germany, and we can make sure your server is located in Germany (or any of the other EU countries we support).

We can pretty easily list out our sub-processors, security, deletion of data and where data could cross borders if that's sufficient. If it needs to be a formal agreement it would take a lot more work. Especially if we need to have the same agreements and SCCs with our upstream providers.

Feel free to send us a support ticket so we can dig in further!

conman

Hi klynton,

thank you for the clarification. Since I plan to process sensitive personal data under the GDPR, I need to ensure strict compliance. For that, the following points are essential:

A signed Data Processing Agreement (DPA) between Qpalstack and myself.
If any sub-processors or upstream providers are involved, you would need to have DPAs (and, where applicable, Standard Contractual Clauses – SCCs) in place with them as well.
A clear list of sub-processors and where data is stored and possibly transferred.
Confirmation that my data can be hosted exclusively in the EU (ideally Germany) without being subject to cross-border transfers.

Without these contractual safeguards (especially a DPA and SCCs if data might flow outside the EU/EEA), I cannot legally use Qpalstack for GDPR-compliant processing of sensitive data. Just as a hint: Ideally you could include DPA and SCC into your Terms of Service (like AWS does it)...