EISBERG

Data Processing Addendum.

The executable DPA is available on request to active customers and serious prospects. The structure and substantive commitments are summarized below.

Aligned with GDPR Article 28.

The Eisberg Data Processing Addendum (DPA) is structured around GDPR Article 28 obligations. It defines the categories of personal data processed, the purposes of processing, the duration, the security measures applied, and the sub-processor list — in the form a European data protection authority expects to see.

EU Standard Contractual Clauses.

Where customer data falls under EU jurisdiction and is processed in a third country, our DPA incorporates the EU Standard Contractual Clauses (2021 Module 2 — controller-to-processor) as approved by the European Commission. Supplementary measures are documented per the Schrems II framework.

US state-equivalent privacy frameworks.

The DPA addresses CCPA / CPRA (California), CDPA (Virginia), CPA (Colorado), and the rolling list of US state privacy laws. Where US state law diverges from GDPR, the DPA states which framework governs in which jurisdiction.

HIPAA Business Associate Agreement.

For healthcare customers handling PHI, Eisberg executes a HIPAA Business Associate Agreement (BAA) alongside the MSA and DPA. The BAA defines breach notification timelines, security safeguards, and the obligations Eisberg accepts as a Business Associate under HIPAA.

Sub-processor list and notifications.

The current sub-processor list is shared under NDA with active customers. Customers are notified at least 30 days in advance of any new sub-processor and have the right to object, per GDPR Article 28(2). For each sub-processor, the list includes its name, the category of data it touches, the purpose, the location, and its certifications.

Customer-owned data plane reduces DPA scope.

Because customer data lives in the customer's own object storage — not on Eisberg infrastructure — the personal data 'processed' by Eisberg is materially smaller than under a typical SaaS DPA. The architectural separation is what makes the legal posture defensible at scale.

Need the executable DPA, BAA, or full sub-processor list? Email trust@eisbergdata.com.