We need the ability to automatically get signed DPAs
Some organizations in Europe require a signed copy of the DPA for it to be valid according to the GDPR rules. Currently it is only possible to get a public copy of the Coda DPA. However,
Problem
In order to get a signed DPA from Coda you need to upgrade to the Enterprise plan. That means min. 5600 USD per year instead of 360 USD - just for the signed DPA. That is 5240 USD per year for a one-time signature (!!!)
Coda support team’s explanation is “there are tens of thousands of customers at that level and it would be unrealistic for us to be able to do this at that magnitude”.
But that does not seem right to me. It’s Coda. There should be an automated solution.
Do like Airtable
To get the DPA signed from e.g. Airtable it takes 2 minutes end-to-end for me as a customer. You simply fill out this form, 2 seconds later get an email from DocuSign, sign the document and then it’s done. See Airtable Data Processing Addendum
Ask
It would take no time to build this out with Coda itself, more (happy) European customers - and a great proof of how easy it is to build out stuff with Coda.
In Airtable’s case, the DPA doesn’t (as far as I know) magically make your use of PII GDPR compliant. I think the DPA is simply an agreement that holds the customer responsible for following Airtable’s best security practices. Airtable is quick to sign anything that holds you more responsible than they are.
Since none of Airtable’s servers are in the EU, they cannot be compliant with GDPR unless you also declare certain waivers. Some do allow PII to be conveyed into the US and pulled from the US, but this is a very complicated array of rules.
That said, does a DPA actually achieve anything except to increase your responsibility while deflecting Airtable’s?
Again - I’m no expert in these matters even if I seem like I know what I’m talking about.
I am by no means an expert in law or specifically GDPR. However, some of the bigger organizations I work with have dedicated Data Protection Officers and law teams, and so far, they give the green light to use Coda in their organization based on the DPA if they can get a signed copy.
So it seems the DPA ensures Coda lives up to the requirements to use a tool here in Europe.
Yeah - I get it. They want to cross Ts and dot Is. It’s entirely possible that something about the enterprise version of Coda makes it possible for them to make these assurances, whereas all other service tiers do not.