When GIOF develops and operates websites, email systems, or other services for clients, I process personal data on the client's behalf. Under the GDPR, this requires a data processing agreement (DPA).

This page explains the principles I work by. The actual agreement is tailored to each engagement and signed with the client.

What I do with the data

Personal data is processed only to deliver the services agreed — nothing else. Access is limited to what's necessary to deliver the work.

Who has access

Only people who actually need it to do the work. Everyone with access is bound by confidentiality.

How data is secured

• Encrypted transmission (HTTPS/TLS)
• Two-factor authentication where available
• Security updates installed continuously
• Regular backups
• Logging of relevant events

Sub-processors

I rely on a small number of established services as sub-processors — typically email providers and hosting. The relevant sub-processors are listed in each agreement, and I notify clients in writing at least 30 days before any change.

If something happens

If a personal data breach occurs, I notify the client within 24 hours. That gives the client room to meet the GDPR's 72-hour deadline for notifying the supervisory authority.

Helping data subjects

If someone requests access to, correction of, or deletion of their data, I help the client handle it. Smaller requests are included. Larger work — extensive deletion requests, regulatory inquiries, data protection impact assessments — is billed by the hour, and I always notify before anything is invoiced.

When the engagement ends

The client chooses: I delete everything and confirm in writing, or I return the data in a usable format and delete afterwards. Backups that rotate out are considered deleted once the cycle completes (normally within 90 days).

I make sure the handover is clean, so clients aren't locked in.

Audit

Clients can audit me up to once a year, during normal business hours. I can also provide certifications or documentation in lieu of an on-site audit, where that meets the need.

Where data is processed

Mainly in the EU/EEA. Where something has to go outside (a CDN, for example), I rely on the European Commission's Standard Contractual Clauses (SCCs) as the legal basis.

Need the actual agreement?

When GIOF delivers services that involve processing personal data, a DPA is signed with the client. Get in touch to receive the template, or to discuss a specific engagement.