Clients: Compliance and verification - how Debitura protects your data and follows regulations

Debitura is designed to handle debt collection in compliance with GDPR and applicable data protection laws.

Updated over a week ago

What it is

Compliance at Debitura covers three areas: data processing governance under GDPR, contractual agreements that define rights and obligations, and verification mechanisms that ensure only authorised users can sign legally binding documents.

Together, these safeguards ensure that personal data is processed lawfully, contracts are signed by verified individuals, and a complete audit trail exists for every action on the platform.

Why it matters

If your business is based in the EU or processes personal data of EU residents, GDPR requires a formal agreement between you (the data controller) and any service provider processing data on your behalf (the data processor). Without proper agreements and safeguards in place, you risk regulatory non-compliance. Debitura provides the tools and documentation needed to meet these obligations.

GDPR roles: data controller and data processor

When you use Debitura for debt collection, you act as the data controller and Debitura acts as the data processor under GDPR Article 28. This means you determine the purpose of the data processing (collecting outstanding debts), and Debitura processes debtor personal data on your behalf and under your instructions. Debitura does not use debtor data for its own purposes.

The data Debitura processes on your behalf includes debtor names, contact details, address information, financial claim details, and supporting documents you upload. For a deeper look at GDPR roles and obligations, see Data protection and DPA fundamentals.

Data Processing Agreement (DPA)

If you are based in the EU or handle personal data of EU residents, a Data Processing Agreement is required before using Debitura's services under GDPR Article 28. A DPA is a legally binding contract that governs how personal data is processed between you and Debitura.

Debitura provides a self-service DPA wizard with five steps: review your company data, review and attest your signing authority, sign digitally, add a privacy policy snippet to your website, and confirm completion. Only Admin users can access and complete the DPA wizard. For step-by-step instructions, see How to request a Data Processing Agreement (DPA).

After signing, you receive a context-aware privacy policy snippet to add to your website. This is required under GDPR Article 13 to inform debtors that Debitura processes their data on your behalf. The snippet text adapts depending on whether your context is EU or non-EU.

Required contracts

In addition to the DPA, you must sign two other documents before cases can be processed:

You can view and download all signed contracts from the Contracts page in the platform. For details on accessing your documents, see Where to view and download signed agreements.

Audit trails

Debitura maintains comprehensive audit trails of all data processing activities on the platform. Audit records capture what happened, who performed the action, when it occurred, and from where (IP address). These records are immutable, meaning they cannot be modified or deleted after creation.

The DPA process has its own dedicated audit log that tracks every step from initialisation through to completion, including the signer's identity, IP address, and a SHA256 hash of the signed PDF for integrity verification.

Data retention

| Data type | Retention period |
| --- | --- |
| Active account and case data | While your account is active |
| Data after account closure | Up to 6 months (soft-deleted), then permanently deleted |
| Audit logs | 7 years (legal requirement), then archived for up to 10 years total |

Audit log retention is based on legal requirements for accounting records and statute of limitations for legal claims. After the 7-year period, personal data within audit logs is pseudonymised (IP addresses hashed, user agent strings removed) while preserving the audit trail structure.

Your rights under GDPR

As the data controller, your obligations and rights under GDPR apply to the debtor data you process through Debitura. The platform supports you in fulfilling these obligations by maintaining audit trails, providing access to case and document data, and supporting data portability through case exports and document downloads.

Handling debtor GDPR requests

If a debtor submits a GDPR request to you, you are responsible as the data controller for responding. Debitura can support you:

  • Data Subject Access Requests (DSAR): Contact [email protected] to request an export of data Debitura holds on a specific debtor.

  • Erasure Requests (Article 17): Contact l[email protected]. Data tied to legal obligations (audit logs, financial records) may be exempt under GDPR Article 17(3).

GDPR requests must be acknowledged within 30 days.

What to expect

Once your DPA is signed, your privacy policy snippet is published, and your SDCA and PoA are in place, you are set up to use Debitura in a GDPR-compliant way. If your company data changes or a new DPA template version is released, you can delete your existing DPA and complete the wizard again with updated information. Contract version updates are prompted automatically when a new version is available.

For questions about data privacy and what information is visible to different parties, see Data privacy and document visibility. If you experience issues with email verification during contract signing, see Email verification troubleshooting.

Compliance contacts

Topic

Contact

DPA requests and GDPR compliance questions

Legal questions, formal complaints, erasure requests
