Skip to content

Outsourcing development under GDPR: what to demand from your vendor

A buyer's checklist for hiring an offshore development partner without creating a compliance problem — DPAs, transfers, access control and the questions that expose weak answers.

Zephico Engineering

If your users are in the EU or UK, every vendor who touches personal data is your compliance problem — you remain the data controller, and “our agency handled it” has never once impressed a regulator. Since we’re on the vendor side of this table, here’s the checklist we think buyers should hold every offshore partner to, including us.

The non-negotiables

A DPA, offered — not extracted. A data processing agreement defining what data is processed, why, for how long, and what happens on termination. A serious vendor treats this as default paperwork. If you have to explain what a DPA is, the conversation is already over.

A legal basis for the transfer. Development in India, Ukraine, or the Philippines means personal data leaving the EU needs Standard Contractual Clauses (SCCs) plus a transfer impact assessment. Any vendor working with EU clients should produce these on request without a scramble.

Sub-processor transparency. Your vendor’s cloud providers, monitoring tools and any subcontractors are inside your compliance boundary. You want a written list and a commitment to notify before it changes. “We use some tools” is not a list.

Least-privilege, named-person access. Access to production data granted per person, per need, revoked when the engagement ends — with an audit trail. The red flag is the shared team account, which usually means your customer data is one departed contractor away from being unaccountable.

The questions that separate practiced from performed

Ask these on a call and watch whether the answers are specific:

  • “What data do your developers use for development and testing?” The right answer involves synthetic or anonymized data. The wrong answer — a production dump on every laptop — remains the single most common GDPR failure in outsourced development, and it’s disqualifying.
  • “Walk me through your last security incident or a breach drill.” GDPR gives controllers 72 hours to notify; your vendor is your detection lag. You’re listening for a process — who’s contacted, in what timeframe, with what information — not the word “immediately.”
  • “What happens to our data and access when the contract ends?” Offboarding — key rotation, access revocation, data deletion with confirmation — should sound rehearsed, because it should be routine.
  • “Which certifications do you hold — and which do you just follow?” Honest vendors distinguish being ISO 27001 certified from running ISO 27001-aligned practices. (We’re the latter and say so plainly.) A vendor vague about this distinction will be vague about things that matter more.

The part that’s genuinely good news

None of this requires your vendor to be European, and geography is a poor proxy for discipline — an EU agency with production dumps on laptops is a worse bet than an offshore team with real access control. GDPR-compliant offshore development is a solved problem: the mechanisms are standard, the paperwork is boilerplate for anyone who’s done it before, and the practices — least privilege, synthetic test data, audit trails — are just good engineering hygiene wearing a legal name.

The checklist above is table stakes we hold ourselves to; here’s how it’s built into our engagements. If a vendor treats it as friction, that’s the cheapest red flag you’ll ever get.

  • GDPR
  • Security
  • Outsourcing

Want this expertise on your team?

The engineers who write these articles are the ones we place on contract. Tell us what you're building.