
Is there a Data Processing Agreement/Addendum on its way?


#1

Hi. To comply with the upcoming GDPR, we are required to sign or at least confirm Data Processing Agreements/Addendums with all the services that we use (Auth0, Amazon…). Is Auth0 working on formulating a DPA or is it not deemed necessary? Thank you!

Kind regards,

Claus


#2

We will have an updated policy this week.


#3

It says in this doc that the DPA is only available for Enterprise customers. Is that the current position that Auth0 is taking? The last time I checked the Enterprise Tier was starting at 18K annually, which is currently outside of our budget. Is there a more cost-friendly solution that is being considered for non-enterprise customers?


#4

The full statement is:

Auth0 is responsible for:

Following the data processor’s instructions as explicated in the Subscription Agreement (SA) and Data Processing Addendum (DPA) (for enterprise customers) or Terms of Service (for self-service customers)

Depending on if you’re an enterprise customer or self-service customer is where you’ll find the updated terms.


#5

Thanks for clarifying.


#6

@jeremy.meiss thanks for clarifying but could you pls. explain why Auth0 makes a difference? I mean from a legal and business perspective.

For enterprise customers --> DPA (Y)

For self-service customers --> DPA (N)

Reason I ask:
We are a self-service customer at Auth0 and would like to sign a DPA with Auth0. From your sales team we get the information, that isn’t possible. But with all other companies (Atlassian, Microsoft etc.) we do have a DPA. Where / what is the difference?

Thanks


#7

I also found the policy a bit unclear. I’m also in the position where my company would (apparently?) need a signed DPA with Auth0, but can’t afford the enterprise package.


#8

@ORBAT and @JonasM - the clarification I received from our team is that standalone DPAs are only for enterprise customers. For all self-service customers, applicable data protection terms are built into the agreement. For review, this is specifically addressed in Section 7 of the Terms of Service (https://auth0.com/legal/ss-tos), and in particular Section 7.11 and Exhibit A. These provisions fulfill the requirements of Article 28.3 of the GDPR, which is the requirement for a legally binding contract between a controller (the customer) and a processor (Auth0).


#9

Thanks @jeremy.meiss