Data Processing Agreement (DPA)

Contract required by Article 28 of the GDPR between a publisher (data controller) and any third party (data processor) that handles personal data on its behalf, including comment systems.

A Data Processing Agreement (DPA) is the contract required under Article 28 of the GDPR whenever a third party (a processor) handles personal data on behalf of a controller (the publisher). For a comment system, every comment, reader account, vote and moderation decision is personal data, so a DPA is mandatory, not optional.

What a Logora-grade DPA covers

  • Subject matter, duration and purpose of the processing.
  • Categories of data subjects (subscribers, anonymous readers) and types of data (account info, comments, IP, behavioural data).
  • Security measures (encryption at rest and in transit, access controls, audit).
  • Sub-processor list with notice and opt-out before any change (Logora’s: OVH hosting, Mistral AI, DeepL).
  • Confidentiality obligations on all staff with data access.
  • Data subject rights handling: access, rectification, deletion, portability.
  • Breach notification within 72 hours.
  • Audit rights for the controller.
  • End-of-contract: return or deletion of personal data.

How Logora handles DPAs

Logora signs an Article 28-compliant DPA by default in every enterprise contract. The template has been reviewed by the DPOs of Der Spiegel, Sud Ouest, Milenio and Krone. Bilateral edits are accepted, but the legal default is ready, which removes the weeks of back-and-forth typical with US vendors operating under Standard Contractual Clauses.

See GDPR for the broader framework and Schrems II for the related transatlantic-transfer question.
