Why we don't use Getstream - or why more privacy means more problems

While developing our mobile app, we also searched for a service provider to provide text chat to our users. The solution from Getstream.io looked very nice, and a test implementation showed that it worked perfectly for our needs. As usual, I searched for a Data Processing Agreement (sometimes also called a Data Processing Addendum, especially if it's based on the so-called Standard Clauses) because Art. 28 GDPR requires it if personal / sensitive data is processed by a third-party provider (also called the processor) on behalf of the data controller.

I found good documentation of their security on their website. But I couldn't find a pre-signed data processing agreement or similar, as is provided by most other companies and even by Google and Microsoft. So I opened a ticket and asked for a contract, because as a Germany-based company we have some special requirements for such agreements.

The GDPR defines in Art. 28 par. 9 that the contract "shall be in writing, including in electronic form". Ok, it's on their homepage and it's in electronic form. But § 128a of the German Civil Code defines the requirements for an electronic form, because this is not defined by the EU but is the responsibility of the individual EU members. And there it is clearly stated: "If the legally required written form is to be replaced by electronic form, the issuer of the declaration must add his name to it and provide the electronic document with a qualified electronic signature." A text on a website doesn't comply with this requirement.

The answer to a request to the Governmental Data Privacy Official of Bavaria also said that at least a fixed format and evidence that both sides (the processor and the controller) have agreed to it is required. So what companies in Germany basically need is at least a write-protected PDF file and an email where the third-party provider writes that this is his Data Processing Agreement.

Unfortunately, the support of Getstream answered my request that they don't provide a DPA if we aren't customers of their Enterprise Plan. Okaaaay... we, a small startup from Germany, must have >100k users before they give us a DPA? Really? I think it's clear that we will not continue with their service. The risk of transferring data of our users to a third party without the legal basis is not a risk that we're willing to take, neither I nor our CEO. Is it really that hard to create a PDF from their website and send it to us via email?

But it was the only third-party provider in my whole career that bound a DPA to a specific plan, user level or similar. Even small startups from the USA send us a DPA if we explain the legal requirements to them and point out the laws we have to comply with. Most of them even sign it. On the other hand, it also shows what problems the strong privacy laws bring to companies in Europe.
