Sign your GDPR DPA in the Deskwoot dashboard, in under a minute

Every help-desk vendor talks about being "GDPR-ready". Most of them mean the customer can request a DPA via email, wait three business days, get a PDF back, sign it manually, scan it, email it back, and wait three more days for a counter-signature. We thought that was ridiculous, so we made it self-serve.

Starting today every Deskwoot account can sign their Article 28 Data Processing Agreement directly in the dashboard. Open Settings, Legal, DPA, fill in three fields, click Accept, and get a fully signed PDF in your inbox immediately. Done.

Why a DPA matters

If you process personal data of EU or EEA residents through any third-party tool, and a help-desk that stores customer emails and chat transcripts qualifies, Article 28 of the GDPR requires a written contract between you (the controller) and the third party (the processor). Without a DPA in place you are operating outside the law, which gets ugly fast if a customer files a Subject Access Request, a regulator audits you, or a data breach happens at a vendor and your incident response has nothing in writing.

Why "electronic" is fine

Article 28(9) GDPR explicitly allows electronic conclusion of the DPA. It does not require a wet-ink signature. What it does require is verifiable proof that the right person at the controller side knowingly accepted the terms. That is what our acceptance flow captures.

What we capture at signature time

On every acceptance, alongside the obvious fields (signer email, name, role, company, country) we also store:

• Acceptance timestamp and DPA version
• IP address and the full x-forwarded-for chain
• User-agent and Sec-CH-UA browser, platform, and mobile flags
• Cloudflare CF-Ray ID and CF-IPCountry, region, and city. These headers are stripped from visitor-supplied requests at the edge and re-set by Cloudflare, so they are tamper-resistant in production.
• Accept-Language preference, DNT flag, and Referer URL
• SHA-256 hash of the rendered PDF, so we can prove the file you downloaded is bit-identical to the one we counter-signed

All of it is double-stored. Once on the DpaAcceptance row in your account, once in your audit log under dpa.accept. If anyone ever disputes the signature later, both records would have to be tampered with at the same time to fake a denial.

Sub-processors and the SCC chain

The DPA's Annex B lists every sub-processor we use. Railway for hosting, Anthropic for AI, Stripe for payments, Twilio for email, Cloudflare for CDN and DNS, PostHog for analytics, EasyPost for shipment lookups. For each one we surface the data category, the GDPR transfer mechanism, the privacy policy, and where the sub-processor publishes their own customer DPA, a direct link to it. Reviewing your full SCC chain takes five clicks instead of an afternoon of legal-page archaeology.

What about updates?

If we add a new sub-processor or change transfer mechanisms, we bump the DPA version and the dashboard prompts you to re-sign on next visit. Your old acceptance stays in your history. Superseded but not deleted, so the audit trail is continuous.

Available now

Live for every Deskwoot account on every plan. The signed PDF is also re-rendered on demand from the immutable acceptance row, so even if our PDF generator gets a fresh design later, your archived copy can be re-fetched by hash.