Your customers don't care about GDPR. They care about risk. When a customer hands you their backup data, they're handing you payroll records, customer databases, and ten years of email, and the document that turns that trust into something enforceable is the Data Processing Agreement. This post covers what a DPA (in Germany: AVV) actually is, what yours needs to contain, and how to set up the full contract chain from your customer down to your backup vendor.
Key Takeaways
- Article 28 GDPR requires a Data Processing Agreement whenever you process personal data on behalf of a customer. Backups always contain personal data, so this applies to every backup service you sell.
- You are the data processor, your customer is the controller, and your backup vendor is a sub-processor. You need a signed DPA on both sides of that chain.
- Your vendor's DPA with you does not cover your customers. Each customer needs their own DPA with you. This is the single most common gap in reseller setups.
- A usable DPA fits in a few pages: scope, data categories, security measures, sub-processor list, deletion terms, and audit rights.
- Data residency belongs in the DPA. 'Backups stored in German datacenters' is a one-line clause that wins deals in regulated industries.
- Enterprises and public-sector customers ask for the DPA before they sign anything. Having it ready is a sales asset, not paperwork.
Not Legal Advice
We are not lawyers, and this post is not legal advice (keine Rechtsberatung). It explains how data processing agreements work in a backup reseller context from an operator's perspective. Have your final DPA reviewed by a qualified lawyer or data protection officer in your jurisdiction, especially if you serve customers in regulated industries.
What a Data Processing Agreement Actually Is
A Data Processing Agreement (DPA) is a contract that governs what a service provider is allowed to do with personal data it handles on behalf of someone else. In the DACH region you'll usually hear the German term: Auftragsverarbeitungsvertrag, or AVV. Same thing. Article 28 of the GDPR (in Germany, the DSGVO) makes it mandatory: if you process personal data on a customer's behalf, a written agreement must exist, and it must contain specific clauses.
The regulation defines three roles, and getting them straight is most of the battle:
Who Is Who in the Backup Chain
| Role | Controller | Processor | Sub-processor |
|---|---|---|---|
Decides why and how data is processed | |||
Acts only on documented instructions | |||
In your backup business, this is | Your end customer | You, the MSP or reseller | Your backup vendor |
Signs a DPA with | You | Customer above, vendors below | You |
Your customer is the data controller. They decide what data exists and why it gets backed up. You, the MSP or reseller, are the data processor: you handle that data on their instructions. And the vendor hosting your offsite Proxmox Backup Server targets is a sub-processor, one layer further down, doing a defined job on your instructions.
That structure produces a chain of two separate agreements:
A lot of resellers assume their backup vendor handles all of this. The vendor handles exactly half: the agreement between the vendor and you. The agreement between you and your customer is yours to put in place, and no vendor contract can substitute for it.
Your Vendor's DPA Does Not Cover Your Customers
The DPA you sign with remote-backups.com (or any vendor) covers the relationship between you and us. It does not create any contractual relationship between us and your customers. Every customer whose data you back up needs their own DPA with you. Skipping this leaves both you and your customer non-compliant.
Why This Lands on You, Not Your Vendor
Some resellers treat the DPA as the customer's problem ("they're the controller, they should bring the contract") or the vendor's problem ("the data sits on their servers"). The GDPR sees it differently. Article 28(3) puts the obligation on both controller and processor to have the agreement in place, and Article 28(4) makes you responsible for flowing equivalent obligations down to your sub-processors. If a sub-processor fails, you remain fully liable to your customer.
In practice, your obligations as the processor in the middle are:
- Have a signed DPA with every customer whose data you process. No exceptions for small customers or "just a homelab" setups that turn out to contain a company's file server.
- Have a DPA with every sub-processor: your backup vendor, and any other party that touches customer data (a datacenter where you colocate, a monitoring provider that sees hostnames and account names).
- Maintain a sub-processor list and tell customers when it changes. Most DPAs use a general authorization with a notification period, so you don't need fresh signatures for every change.
- Document your data flows. Know which customer data lands on which Proxmox Backup Server datastore, in which country, under which retention policy. If you can't answer that in five minutes, start there.
- Support your customers' obligations. When their customer files a deletion request or a subject access request, the controller may need your help to honor it on the backup tier. How pruning and retention work in PBS determines what you can realistically promise here.
Day to day this is less work than it sounds. The data flow documentation is a half-page per customer. The sub-processor list is a table you update twice a year. The hard part is starting.
What Belongs in a Good DPA
Article 28(3) prescribes the content, so every serious DPA covers the same ground:
- Subject matter and duration: what service you provide and for how long.
- Nature and purpose of processing: storing encrypted backup data for disaster recovery. Spell out that you do not access, analyze, or use the data for anything else.
- Type of personal data: in a backup context this is honest shorthand for "whatever is inside the customer's systems": contact data, contract data, payroll, communications.
- Categories of data subjects: the customer's employees, customers, and suppliers, typically.
- Documented instructions: you process only as instructed; the service contract counts as the standing instruction.
- Confidentiality: everyone on your team with access is bound to confidentiality.
- Technical and organizational measures (TOMs): encryption, access control, network isolation. This is where your actual stack earns its keep. Client-side encryption in Proxmox Backup Server means backup content is encrypted before it leaves the customer's site, which makes the TOM annex short and credible.
- Sub-processor authorization: your current sub-processor list and the notification process for changes.
- Assistance obligations: helping the controller with data subject rights, breach notification, and impact assessments where the backup tier is involved.
- Deletion or return at contract end: what happens to backup data when the customer leaves, and within what timeframe. Be specific: "datastores deleted within 30 days of termination, confirmed in writing."
- Audit rights: the controller may verify your compliance. In practice this clause is usually satisfied with documentation and existing certifications rather than on-site visits.
A DPA Does Not Need 50 Pages
A clear DPA for a backup service fits in five to eight pages plus a TOM annex. remote-backups.com provides DPA templates to resellers in our partner program, pre-filled with our sub-processor details and datacenter locations, so you only fill in your side of the chain.
Data Residency: Where the Backups Physically Live
For many EU customers, the first question is not "are you certified" but "where is my data". Finance, healthcare, legal, and public-sector customers often have internal policies or sector rules that require data to stay in the EU, sometimes specifically in Germany.
Backup data is no exception, and it's often forgotten because it's invisible. The production database lives in the customer's documented infrastructure, but the backup copy quietly sits wherever the reseller's offsite target happens to be. If that target is outside the EU/EEA, you've created a third-country transfer that needs its own legal basis (Standard Contractual Clauses, adequacy decisions) and you probably never told the customer.
State it plainly in the DPA: storage location by country, and a commitment not to move data outside the EU/EEA without prior agreement. Our infrastructure runs in German and EU datacenters, which keeps this clause to a single sentence; the compliance breakdown for GDPR, SOC 2, and ISO 27001 covers how the technical controls underneath map to auditor questions.
Residency Includes Every Copy
Geo-replication, sync targets, and seed disks count. If your primary datastore is in Frankfurt but a sync job replicates to a datacenter in another jurisdiction, that second location belongs in the DPA too. Document every place a chunk of customer data can end up.
Common Mistakes Resellers Make
After enough partner conversations, the same gaps show up repeatedly:
- No DPA with end customers at all. The vendor relationship is papered, the customer relationship runs on an invoice and a handshake. This is the most common and the most serious gap.
- A DPA that no longer matches reality. Signed in 2021, never touched since, while the backup target moved providers twice. An outdated DPA can be worse than none in a dispute, because it documents commitments you're visibly not keeping.
- Invisible sub-processors. The customer has no idea which companies actually hold their data. The sub-processor list exists so they can assess their own risk; keep it current and name names.
- Unstated storage locations. "Cloud backup" with no country attached. Compliance-conscious customers will eventually ask, and "let me check" is not a good look.
- Assuming the vendor's DPA flows upward. It doesn't. Two relationships, two agreements.
- Signing commitments you don't operate. If the DPA promises deletion within 30 days but your retention setup keeps pruned snapshots for 90, fix one of the two before a customer tests it.
How to Put the Chain in Place
DPA Implementation for Resellers
Audit your data flows
For each customer, write down what gets backed up, which datastore it lands on, which country that datastore is in, the retention policy, and every party that can technically access it. Half a page per customer is enough.
Get a solid template
Don't draft from scratch. Use a standard Art. 28 template or request the reseller DPA template from your backup vendor. remote-backups.com provides one with our sub-processor and datacenter details already filled in.
Make it match your practice
Read the TOM annex and the deletion clause against your actual setup. Adjust the document or the setup until they agree. Never sign a process you don't run.
Sign the downstream DPA with your sub-processors
Get the agreement with your backup vendor and any other data-touching supplier in place first, so your customer-facing sub-processor list is accurate from day one.
Roll it out to customers
Make the DPA part of your service contract and onboarding for new customers. For existing customers, send it with a short plain-language note; almost all will sign without discussion, and the few questions you get are usually good signs of an engaged customer.
Document everything
Keep signed copies, track versions, and log signature dates. A simple folder per customer beats a compliance tool you won't maintain.
Review annually
Put a yearly reminder in your calendar. If a datastore moved, a sub-processor changed, or retention policies shifted, update the DPA and notify customers per the change clause.
Compliance as a Sales Tool
Here's the part that makes the effort pay for itself: a clean DPA practice wins deals. Larger customers, and any public-sector tender, will request your AVV, your sub-processor list, and your TOMs before signing. The reseller who sends three tidy PDFs the same afternoon beats the one who goes quiet for two weeks.
It also changes the conversation with smaller customers. "All backup data is encrypted on your systems before transfer and stored exclusively in German datacenters, here's the agreement that guarantees it" is a stronger pitch than any feature list. Resellers and MSPs in our partner program use exactly this framing, and the white-label program lets you make those guarantees under your own brand, backed by our infrastructure and our paper.
Wrapping Up
A Data Processing Agreement is not a legal formality to survive; it's the document that makes your backup service trustworthy on paper, not just in practice. The structure is simple: one DPA upward with each customer, one DPA downward with each sub-processor, both reflecting what actually happens to the data. Start with a single customer this week: map the data flow, fill in a template, get it signed. The second one takes a quarter of the time.
Need the sub-processor side handled?
remote-backups.com provides reseller DPA templates, a transparent sub-processor list, and backup storage exclusively in German and EU datacenters. Compliance questions? Just ask.
Explore the Reseller Program
