GDPR Art. 28

Data Processing
Agreement

As a hosting provider, Bunker acts as a data processor under the GDPR. This DPA defines the obligations of each party regarding the protection of personal data.

Data in France

Hosted in our DCs

E2E Encryption

Encrypted backups

30-day deletion

After termination

72h notification

In case of breach

DPA contents

Our Data Processing Agreement covers the following sections:

1 Subject matter and duration of processing
2 Nature and purpose of processing
3 Types of personal data processed
4 Categories of data subjects
5 Obligations of the processor (Bunker)
6 Obligations of the controller (the client)
7 Sub-processors
8 Transfers outside the EU
9 Technical and organizational security measures
10 Data breach notification
11 Assistance with data subject rights
12 Data return and deletion
13 Audit and control

Key commitments of Bunker

Process data only on documented instructions from the client.

Confidentiality of all personnel authorized to process data.

State-of-the-art technical and organizational security measures.

Notification of any data breach within 72 hours.

Assistance to the client in responding to data subject rights requests.

Deletion or return of data at the client's choice (30-day retention).

Prior notice before adding any new sub-processor.

Download the DPA

The standard DPA applies to all Bunker clients.

Download DPA (PDF)

For a custom DPA, contact us.

Questions about the DPA?

Contact our DPO at [email protected]

Contact us