Data processing agreement Clause 11.3

Dear Community,
I just read the Data Processing Agreement (DPA). It leaves me confused. On the one hand KoBo claims to be GDPR compliant. On the other hand in clause 11.3., users (Controllers) seem to have to encrypt data to be GDPR compliant. Quote: “11.3 Controller acknowledges that, in addition to entering into the EU Standard Contractual Clauses as attached hereto as Attachment 3, it may, depending on the circumstances of the case, need to take supplementary measures to ensure that the use of the Services is compliant with Chapter 5 of the GDPR. One of these measures would be to store Personal Data on the KoBoToolbox Server only in an encrypted form.”

Encryption is only possible when collecting data with KoBoCollect. We want to use KoBo to collect membership data for our NGO. This means we want to use the web-forms. How can we be GDPR compliant then? Is there a difference between the Humanitarian Organizations Server and the “Open Server” (



Welcome back to the community, @hassenmeier! You could also have a look at our KoboToolbox Data Privacy Policy to learn more about our data security.

You could also go through our support article Encrypting Forms to learn more about data encryption.

Regarding the differences between the humanitarian server and the non-humanitarian server, feel free to go through our support article Which Server Should I Use?.

Dear @Kal_Lam,
Thanks for responding to my question.

I looked into Data Privacy Policy (Privacy | KoboToolbox). The link to the humanitarian server policy ( is protected and I cannot read it.

Unfortunately, your message does not answer my question.
Hence, I will ask in simpler terms. If I collect personal data through the forms/surveys created by me and want to be GDPR compliant, what do I have to do? Can I use the server or the humanitarian server (hosted by UNOCHA)? Do I have to use encryption additionally?

I understand that encryption only works if data is collected using KoBoCollect. Is this correct?