At a minimum, you should screen and inventory all vendors that will have access to your information or information systems. This includes communication tools like G Suite, CRM tools like Salesforce, and hosting platforms like Aptible and AWS.
Again, make sure to consult your counsel before entering into any regulated agreements. The GDPR includes a number of requirements related to DPAs. For more information, review GDPR Article 28.
While Aptible has not published a template DPA, there are plenty available online. See, for example, Proton Technologies’ template DPA, or one from the International Association of Privacy Professionals (IAPP).
Make sure you consult your counsel before entering into any regulated agreements, including BAAs. For background on BAAs, check out our article, What is a HIPAA BAA?