Data Processing Agreement (DPA)

As an Itamite customer, you are the controller and we are the processor under GDPR Art. 28. This page explains the standard Itrion DPA contract: roles, mutual obligations, customer rights, sub-processors and international transfers. It is ready to sign without prior negotiation.

Why you have a DPA with us

When you use Itamite, you share personal data with us: names, emails, IPs, employee identifiers, ICT activity records, audit logs and potentially remote session content. GDPR Art. 28 requires a binding contract with controllers that establishes the subject matter and duration of processing, its nature and purpose, the type of personal data and categories of data subjects, and the controller's obligations and rights.

Our standard DPA is pre-signed by Itrion and available for your electronic signature at onboarding as a Business or Professional customer. For Enterprise, the DPA includes additional negotiable clauses (in-situ audit clause, extraordinary inspection right, sector-specific clauses, extended retention, mandatory BYOK). Enterprise legal review timeframe: 1-3 weeks.

For the United States, the United Kingdom and other countries without an adequacy decision, we automatically add Standard Contractual Clauses (SCC) Module 2 (controller-to-processor), an Annex with transfer details, and a Transfer Impact Assessment (TIA) on request. No SCC surcharge. A UK Addendum is available for UK customers.

DPA CONTENT

What the DPA covers

Roles and responsibilities

You are the controller: you determine the purposes and means. Itrion is the processor and processes data only on your documented instructions. Itrion will not use your data for other purposes (no AI training, no cross-marketing, no sellable anonymous aggregates).

Data type and categories

Personal data processed: names, emails, IPs, unique employee identifiers, technical endpoint data (OS version, installed software, critical file hashes) and audit logs. Special categories (Art. 9): only if your organization enters them in notes or comments; Itamite does not request them.

Sub-processors

Public list at /sub-processors. We give 30 days' notice before any addition, change or removal. Itrion is responsible for its sub-processors' acts as if they were its own. An Art. 28 contract is signed with each.

International transfers

By default: 100% EU (Madrid + Frankfurt + Roubaix). If you activate optional non-EU sub-processors: SCC Module 2 + TIA + supplementary technical measures. A UK Addendum is available for UK customers. The NZ adequacy decision applies for SMTP2GO.

Customer rights

Right to a free annual documentary audit. Right to an on-site audit for Enterprise (cost per contract). Right to receive a copy of impact assessments and certifications. Right to early termination without penalty if we add a sub-processor you do not accept.

Terms and termination

The DPA is valid while you have an active tenant. After termination: a 90-day grace period for data download, then secure deletion per NIST 800-88 with a verifiable certificate. Audit logs are retained per your tenant policy (default 12 months, up to 10 years for Enterprise).

Additional Enterprise clauses

For Enterprise customers: an in-situ audit clause with 30-day notice and contracted cost. An extraordinary inspection clause without notice in case of a confirmed security incident. An extended retention clause of up to 10 years for regulated sectors (banking, healthcare, public administration (PA)). Mandatory BYOK (Itrion has no access to encryption keys). A restricted geographic location clause (datacenter in a specific country). An exit plan clause with an extended timeframe and an auditable export format.

Additional clauses for regulated sectors: HIPAA BAA if you process US PHI. DORA Art. 30 clauses if you are a financial entity under DORA. ENS High Category clauses for Spanish PA. CCN-STIC 105 Annex for PA with classified data.

  • Standard DPA pre-signed, ready for electronic signature
  • SCC Module 2 + automatic TIA for non-EU transfers
  • UK Addendum for UK customers, no cost
  • HIPAA BAA available for US healthcare entities
  • DORA Art. 30 + ENS High + CCN-STIC 105 clauses for regulated sectors

FAQ

DPA questions

Do I have to sign the DPA?
Yes, it is mandatory for all customers (Business, Professional, Enterprise) per GDPR. Without a signed DPA we cannot provide the service. For Business and Professional: the standard DPA is signed electronically at onboarding. For Enterprise: a negotiable DPA with additional clauses.

Can I modify the standard DPA?
For Business/Professional: no. The standard DPA has the necessary and sufficient clauses for GDPR. Modifications imply a legal negotiation that is only viable for Enterprise. For Enterprise: yes, additional clauses are negotiable with your legal team.

Is Itrion controller or processor?
For YOUR employees' and endpoints' data: Itrion is the processor (you are the controller). For YOUR company data as an Itamite customer (billing data, commercial contacts): Itrion is a joint controller with you per GDPR Art. 26 in some cases. The DPA covers both roles.

What happens to data on contract termination?
A 90-day grace period after termination for download via API. After 90 days: secure deletion per NIST 800-88 Purge with a verifiable certificate. Audit logs are retained per your configured tenant policy (default 12 months, up to 10 years for Enterprise). Backups are deleted from all datacenters after the 90-day grace period.

Request standard DPA

We send you the Itamite-Itrion DPA v2.1 within 24h. Available in Spanish and English.