Data protection

Data Processing Agreements (DPA)

Ledidi Core is designed to comply with privacy laws - especially GDPR. Our built-in project specific DPA ensures the formalities are in place between you as a data controller and Ledidi as a data processor when personal data is to be part of your project.


A data processing agreement is a legally binding contract that states the rights and obligations of each party concerning the protection of personal data. All data controllers (you) need a data processing agreement with the data processor (Ledidi) they use to process personal data on their behalf to comply with GDPR.

  • A data controller is a person, company, or other body that determines the purpose and means of personal data processing
  • A data processor is a person or company that processes personal data on behalf of the data controller.
  • Processing by a processor shall be governed by a contract or other legal act under Union or Member State law.
  • The agreement is binding on the processor with regard to the controller and sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.


You need to sign a DPA if you are to include personal data in your project. The European Union's definition of personal data is listed on the left.

You do not need a DPA if you are to include only non-personal data in a project.

  • Personal data is any information that relates to an identified or identifiable living individual.
  • Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.
  • Personal data that has been de-identified, encrypted or pseudonymized but can be used to re-identify a person remains personal data and falls within the scope of the GDPR and you do thus need a DPA.
  • Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data.
  • For data to be truly anonymized, the anonymization must be irreversible.


Our Data Processing Agreement takes into account all the obligations as set out in the GDPR

  • Ledidi is only processing Personal Data on behalf of the Customer and in accordance with the Customer’s instructions, and does not process Personal Data for any other purpose
  • Ledidi complies with all applicable data protection laws
  • Ledidi will notify the Customer in due time in advance of any planned change or replacement of sub-processors, and give the Customer the opportunity to oppose against the change in question
  • Ledidi will assist the Customer as necessary to ensure compliance with any legal obligations under applicable data protection laws, such as to respond to requests to exercise Data Subject rights under the Data Protection Laws
  • Ledidi performs risk assessments and implement and maintain controls for risk identification, analysis, monitoring, reporting, and corrective action. We have implemented systematic and appropriate technical and organisational measures to ensure the security, confidentiality, integrity and accessibility of the Processing of Personal Data
  • Ledidi ensures that all persons authorized to Process Personal Data keep CustomerPersonal Data confidential
  • Ledidi willl notify the Customer without undue delay in case of a Personal Data Breach affecting Customer Personal Data
  • Ledidi regularly conducts security audits by an independent third-party auditor on its organizational and technical measures
  • Ledidi will delete all Personal Data after termination of the subscription

The GDPR does not relate to private persons processing personal data for purely private purposes. So if you are creating a project for a private purpose, you do not have to sign a DPA.

How it works

How it works

When you create a new project in Ledidi Core, you are asked to state whether or not you will include personal data in your project.

If "Yes", you are asked to define the purpose of processing, data subjects and categories of personal data you will include.

Your entries are automatically incorporated in the agreement text. Read through and sign the agreement - and you are good to go!