Sign your GDPR DPA in the Deskwoot dashboard, in under a minute
gdpr·compliance·dpa

Article 28 DPAs in 60 seconds. Open Settings, fill three fields, click Accept, get a counter-signed PDF in your inbox. With cf-ray, IP, UA, and browser fingerprint captured for non-repudiation.

Deskwoot Team·May 1, 2026·4 min read

Every Deskwoot account can now sign its GDPR Article 28 Data Processing Agreement directly in the dashboard, electronically, in under a minute, with no email loop and no waiting for a countersignature. At most vendors, getting a DPA means the customer requests it via email, waits three business days, gets a PDF back, signs it manually, scans it, emails it back, and waits three more days for a counter-signature. We thought that was ridiculous, so we made it self-serve.

Starting today every Deskwoot account can sign their Article 28 Data Processing Agreement directly in the dashboard. Open Settings, Legal, DPA, fill in three fields, click Accept, and get a fully signed PDF in your inbox immediately. Done.

Why a DPA matters

If you process personal data of EU or EEA residents through any third-party tool, and a help-desk that stores customer emails and chat transcripts qualifies, Article 28 of the GDPR requires a written contract between you (the controller) and the third party (the processor). Without a DPA in place you are operating outside the law, which gets ugly fast if a customer files a Subject Access Request, a regulator audits you, or a data breach happens at a vendor and your incident response has nothing in writing.

Why "electronic" is fine

Article 28(9) GDPR explicitly allows electronic conclusion of the DPA. It does not require a wet-ink signature. What it does require is verifiable proof that the right person at the controller side knowingly accepted the terms. That is what our acceptance flow captures.

What we capture at signature time

On every acceptance, alongside the obvious fields (signer email, name, role, company, country) we also store:

  • Acceptance timestamp and DPA version
  • IP address and the full x-forwarded-for chain
  • User-agent and Sec-CH-UA browser, platform, and mobile flags
  • Cloudflare CF-Ray ID and CF-IPCountry, region, and city. These headers are stripped from visitor-supplied requests at the edge and re-set by Cloudflare, so they are tamper-resistant in production.
  • Accept-Language preference, DNT flag, and Referer URL
  • SHA-256 hash of the rendered PDF, so we can prove the file you downloaded is bit-identical to the one we counter-signed

All of it is double-stored. Once on the DpaAcceptance row in your account, once in your audit log under dpa.accept. If anyone ever disputes the signature later, both records would have to be tampered with at the same time to fake a denial.
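How a later check of this evidence could work, as an added example that is not Deskwoot's code: it recomputes the PDF hash and compares the two stored copies field by field. The record shape, field names, function names and all sample values are assumptions made for illustration.

```python
import hashlib

# Fields both stored copies must agree on (names are assumptions for this example).
EVIDENCE_FIELDS = ("signer_email", "dpa_version", "accepted_at", "ip",
                   "cf_ray", "user_agent", "pdf_sha256")

def build_evidence(form, headers, remote_addr, pdf_bytes, dpa_version, accepted_at):
    """Assemble one acceptance record from the request and the rendered PDF."""
    h = {k.lower(): v for k, v in headers.items()}
    xff = [p.strip() for p in h.get("x-forwarded-for", "").split(",") if p.strip()]
    return {
        "signer_email": form["email"],
        "dpa_version": dpa_version,
        "accepted_at": accepted_at,
        "ip": remote_addr,        # signer IP as resolved by the server (assumption)
        "xff_chain": xff,         # leftmost entries are client-supplied: context only
        "cf_ray": h.get("cf-ray"),
        "user_agent": h.get("user-agent"),
        "pdf_sha256": hashlib.sha256(pdf_bytes).hexdigest(),
    }

def verify_acceptance(row, audit_entry, pdf_bytes):
    """Return a list of problems; an empty list means the evidence is consistent."""
    problems = []
    if hashlib.sha256(pdf_bytes).hexdigest() != row.get("pdf_sha256"):
        problems.append("pdf_hash_mismatch")
    for field in EVIDENCE_FIELDS:
        if row.get(field) != audit_entry.get(field):
            problems.append(f"records_disagree:{field}")
    return problems

# Constructed sample request; every value below is made up for illustration.
SAMPLE_PDF = b"%PDF-1.7 constructed sample DPA v3"
SAMPLE_HEADERS = {
    "X-Forwarded-For": "198.51.100.23, 203.0.113.7",
    "CF-Ray": "0000000000000000-FRA",
    "User-Agent": "ExampleBrowser/1.0",
}

def demo():
    row = build_evidence({"email": "dpo@example.com"}, SAMPLE_HEADERS, "203.0.113.7",
                         SAMPLE_PDF, "v3", "2026-05-01T09:00:00Z")
    audit = dict(row)                      # second copy, as in the audit log
    forged = dict(row, pdf_sha256=hashlib.sha256(b"edited").hexdigest())
    return (verify_acceptance(row, audit, SAMPLE_PDF),
            verify_acceptance(row, audit, b"edited"),
            verify_acceptance(forged, audit, b"edited"))
if __name__ == "__main__":
    print(demo())
```

The third case in `demo()` is the one double storage exists for: a row rewritten to match an edited PDF passes the hash check but still disagrees with the untouched audit entry.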

Sub-processors and the SCC chain

The DPA's Annex B lists every sub-processor we use. Railway for hosting, Anthropic for AI, Stripe for payments, Twilio for email, Cloudflare for CDN and DNS, PostHog for analytics, EasyPost for shipment lookups. For each one we surface the data category, the GDPR transfer mechanism, the privacy policy, and where the sub-processor publishes their own customer DPA, a direct link to it. Reviewing your full SCC chain takes five clicks instead of an afternoon of legal-page archaeology.

What about updates?

If we add a new sub-processor or change transfer mechanisms, we bump the DPA version and the dashboard prompts you to re-sign on next visit. Your old acceptance stays in your history. Superseded but not deleted, so the audit trail is continuous.

Available now

Live for every Deskwoot account on every plan. The signed PDF is also re-rendered on demand from the immutable acceptance row, so even if our PDF generator gets a fresh design later, your archived copy can be re-fetched by hash.

What is a GDPR data processing agreement in plain terms?

A GDPR data processing agreement (DPA) is a contract between you (the company collecting customer data) and any vendor that processes that data on your behalf (your customer support platform, your email service, your analytics tool). The DPA spells out what the vendor is allowed to do with the data, how they will protect it, and what they will do if something goes wrong.

Article 28 of the GDPR makes the DPA legally required, not optional. Without a signed DPA between you (the controller) and your processor, every byte of EU customer data flowing through that vendor is non-compliant. The DPA is what gives you the documented audit trail to show a regulator that your data handling is governed, not casual.

What are the 7 principles of GDPR?

The 7 principles of GDPR Article 5: lawfulness, fairness, and transparency (process data only when you have a legal basis and tell people clearly); purpose limitation (collect data for a specified reason, do not repurpose it later); data minimization (collect only what you actually need, not everything you could collect); accuracy (keep the data up to date, fix errors when found); storage limitation (delete data when it is no longer needed); integrity and confidentiality (protect against unauthorized access and loss); and accountability (be able to demonstrate compliance, not just claim it).

Article 28 (data processor obligations) flows from the 7th principle: as a controller you must be able to prove every processor handles data under the same rules. The signed DPA is the document that proves it. Deskwoot's DPA covers all 7 principles in plain text and can be signed in under a minute directly in the dashboard.

Frequently asked questions

Quick answers on the topics covered above.

What is a GDPR DPA (Data Processing Agreement)?

A GDPR DPA is the contract required under Article 28 between a data controller (you) and a data processor (your support vendor) that defines what personal data the processor handles, how they protect it, and your rights to audit, delete, and be notified of breaches. Without a signed DPA, processing EU personal data through that vendor is non-compliant.

How do I sign Deskwoot's DPA?

Open Settings > Legal > Data Processing Agreement in your Deskwoot dashboard, fill in your company details, sign electronically, and receive a countersigned PDF immediately. The whole flow takes under a minute. No email loop, no DocuSign, no three-day wait for the Deskwoot side to counter-sign.

Do I need a DPA with my support tool?

Yes, if any EU personal data flows through that tool, which is almost always the case for a customer support platform because every customer email, chat, and contact record contains personal data. GDPR Article 28 mandates a signed DPA before that data flow begins. Skipping it puts the controller (you) at risk in audits and breaches.

How long does it take to sign Deskwoot's DPA?

Under a minute. The signing flow lives directly in the dashboard at Settings > Legal > Data Processing Agreement. Fill in your company name, signing person, role, and click Sign. The countersigned PDF is generated and stored in your account immediately. No external e-signature service involved.

Is Deskwoot's DPA countersigned?

Yes. The PDF you receive after signing carries Deskwoot's counter-signature automatically, applied at the moment you sign. The countersignature comes from Neltacore LLC, the legal entity behind Deskwoot. You can re-download the signed PDF from the dashboard at any time without going through the flow again.
