We need the ability to automatically get signed DPAs
Some organizations in Europe require a signed copy of the DPA for it to be valid according to the GDPR rules. Currently it is only possible to get a public copy of the Coda DPA. However,
In order to get a signed DPA from Coda you need to upgrade to the Enterprise plan. That means min. 5600 USD per year instead of 360 USD - just for the signed DPA. That is 5240 USD per year for a one-time signature (!!!)
Coda support team’s explanation is “there are tens of thousands of customers at that level and it would be unrealistic for us to be able to do this at that magnitude”
But that does not seem right to me. It’s Coda. There should be an automated solution.
Do like Airtable
To get the DPA signed from e.g. Airtable it takes 2 minutes end-to-end for me as a customer. You simply fill out this form, 2 seconds later get an email from DocuSign, sign the document and then it’s done. See Airtable Data Processing Addendum
It would take no time to build this out with Coda itself, more (happy) European customers - and a great proof of how easy it is to build out stuff with Coda.
In Airtable’s case, the DPA doesn’t (as far as I know) magically make your use of PII GDPR compliant. I think the DPA is simply an agreement that holds the customer responsible for following Airtable’s best security practices. Airtable is quick to sign anything that holds you more responsible than they are.
Since none of Airtable’s servers are in the EU, they cannot be compliant with GDPR unless you also declare certain waivers. Some do allow PII to be conveyed into the US and pulled from the US, but this is a very complicated array of rules.
That said, does a DPA actually achieve anything except to increase your responsibility while deflecting Airtable’s?
Again - I’m no expert in these matters even if I seem like I know what I’m talking about.
Yeah - I get it. They want to cross Ts and dot Is . It’s entirely possible that something about the enterprise version of Coda makes it possible for them to make these assurances, whereas, all other service tiers do not.