Quick Answer
Before uploading any CSV file containing personal data to an external tool, you need answers to eight questions. The most important is whether the tool processes files on its own servers or entirely in your browser — this single answer determines whether GDPR Article 28, HIPAA BAA, and international transfer obligations apply. The checklist below gives you a structured way to evaluate any tool in under 30 minutes.
TL;DR: Most CSV tools process files on remote servers and retain them temporarily. For files containing PII or PHI, this triggers GDPR, HIPAA, and potentially cross-border transfer obligations. This checklist identifies which tools are safe to use for sensitive data and which require additional agreements or should be avoided entirely.
Your legal team has just asked you to confirm that the CSV processing tool your team uses daily is compliant for handling customer personal data. You open the vendor's website. The privacy policy is 6,000 words. The terms of service are another 4,000. The security page mentions SOC 2 without specifying which type. There is no mention of GDPR, no DPA template, and nothing about what happens to uploaded files after processing.
This is the standard vendor situation. Most CSV tools are built for convenience, not compliance documentation. Evaluating them requires asking specific questions, knowing where to look for answers, and knowing when a non-answer is itself a red flag.
This checklist was validated against GDPR Article 28 requirements, HIPAA §§164.502(e) and 164.504(e), and GDPR Chapter V international transfer provisions, March 2026.
Table of Contents
- The Evaluation Matrix
- Criterion 1: Client-Side or Server-Side?
- Criterion 2: DPA Available?
- Criterion 3: BAA Available?
- Criterion 4: File Retention Period?
- Criterion 5: What Is Logged?
- Criterion 6: Transfer Mechanisms for Non-EEA?
- Criterion 7: SOC 2 Type II Report?
- Criterion 8: Breach Notification Procedure?
- How to Score Your Vendor
- Privacy Policy Red-Flag Phrases
- Additional Resources
- FAQ
This guide is for: Compliance officers, DPOs, and data analysts who need a structured way to evaluate CSV processing tools before using them with sensitive data.
The Evaluation Matrix
Use this as your working document during vendor evaluation. Print it, fill it in, and share the result with your legal or compliance team.
| Criterion | Question | Pass | Fail | Risk if Fail | Your Tool |
|---|---|---|---|---|---|
| 1. Processing location | Client-side or server-side? | Client-side (browser) | Server-side | Art. 28 processor relationship; BAA trigger | ☐ |
| 2. DPA availability | Signed DPA available? | Yes — standard template or negotiable | No or "contact us" with no template | GDPR Art. 28 violation if personal data processed | ☐ |
| 3. BAA availability | Signed BAA available? | Yes — offered in writing | No | HIPAA §§164.502(e)/164.504(e) violation for PHI | ☐ |
| 4. File retention | Retention period documented in ToS? | Documented and ≤24 hours, or zero retention (client-side) | Undocumented, or >7 days | Extended exposure of personal data on vendor servers | ☐ |
| 5. Logging | Is what gets logged documented? | File contents not logged; metadata only or nothing | Undocumented | Unknown processing of personal data; Art. 5(1)(a) transparency risk | ☐ |
| 6. Transfer mechanism | SCCs or adequacy decision documented for non-EEA? | Documented SCCs, BCRs, or adequacy country | Undocumented or US-only server with no mechanism | GDPR Chapter V violation for EU personal data | ☐ |
| 7. SOC 2 Type II | SOC 2 Type II report available? | Yes — available on request | No report, or Type I only | No independent audit of security controls | ☐ |
| 8. Breach notification | Breach notification procedure documented? | Documented timeline ≤72 hours | Undocumented | GDPR Art. 33 and Art. 34 compliance risk | ☐ |
Criterion 1: Client-Side or Server-Side?
This is the single most important question. It determines whether all other criteria apply.
Client-side processing means the file is read locally using the browser's File API and processed in a Web Worker thread on your machine. The file never leaves your device. No server receives the file contents. No processor relationship is formed for the file itself.
Server-side processing means your file is uploaded via HTTP to the vendor's servers, processed there, and the result returned. Every compliance obligation in this checklist applies from the moment the upload begins.
How to check: Open the tool in Chrome. Open DevTools (F12). Click the Network tab. Upload a small test file. Watch for POST requests containing file data — these indicate server-side processing. If you see only the initial page load with no outbound POST containing file content, the tool is client-side. Our DevTools verification guide has the step-by-step process.
Red flags: A tool that claims "client-side processing" but shows file uploads in the Network tab. A tool that processes files instantly without any apparent local computation may be processing server-side with fast return.
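Added example, not part of the original guide: a small Node.js script that runs the Criterion 1 check against a HAR export saved from the DevTools Network tab, flagging any request whose payload carries a canary value you placed in the test CSV, whether sent raw or base64-encoded. The canary, the capture and the hostnames are constructed for illustration.

```javascript
// Added example, not from the original guide: scan a Chrome DevTools HAR export
// ("Save all as HAR") for requests that carry the contents of a test CSV. It
// automates the Criterion 1 Network-tab check and, unlike a visual scan for
// POSTs, also catches PUTs, query strings and base64-encoded uploads. Node.js,
// no dependencies. The canary and the capture below are constructed.
const CANARY = "CANARY-7f3a9c"; // unique value written into the test CSV before upload

// Base64 fragments that occur in any base64 stream containing `s`, one per
// byte alignment (the encoding of `s` depends on its offset modulo 3).
function base64Fragments(s) {
  return [0, 1, 2].map((shift) => {
    const enc = Buffer.from("\0".repeat(shift) + s).toString("base64");
    const total = shift + Buffer.byteLength(s);
    // Keep only the characters whose bits come entirely from `s`.
    return enc.slice(Math.ceil((4 * shift) / 3), Math.floor((8 * total) / 6));
  });
}

// Everything a request can carry: URL (incl. query) and body, raw or form params.
function requestText(req) {
  const parts = [req.url, (req.postData && req.postData.text) || ""];
  for (const p of (req.postData && req.postData.params) || []) parts.push(p.value || "");
  return parts.join("\n");
}

// Every request whose content includes the canary, raw or base64-encoded.
function findFileUploads(har, canary) {
  const needles = [canary, ...base64Fragments(canary)];
  return har.log.entries
    .filter((e) => needles.some((n) => requestText(e.request).includes(n)))
    .map((e) => ({ method: e.request.method, url: e.request.url }));
}

// "server-side" if any request carried file content, otherwise "client-side".
function classify(har, canary) {
  const hits = findFileUploads(har, canary);
  return { verdict: hits.length ? "server-side" : "client-side", hits };
}

// Constructed capture: page load, a metadata-only telemetry call (passes), and
// an upload that sends the whole file base64-encoded inside a JSON body (fails).
const csv = `name,email\nGrace,${CANARY}@example.test\n`;
const SAMPLE_HAR = { log: { entries: [
  { request: { method: "GET", url: "https://tool.example/" } },
  { request: { method: "POST", url: "https://tool.example/api/telemetry",
    postData: { text: JSON.stringify({ bytes: csv.length }) } } },
  { request: { method: "POST", url: "https://tool.example/api/parse",
    postData: { text: JSON.stringify({ file: Buffer.from(csv).toString("base64") }) } } },
] } };
console.log(classify(SAMPLE_HAR, CANARY)); // verdict: "server-side", one hit on /api/parse
```

A metadata-only call such as the telemetry request is not a hit, which is the distinction Criterion 5 draws between logging file size and logging file contents.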
Criterion 2: DPA Available?
Under GDPR Article 28, any controller using a processor to handle personal data must have a signed Data Processing Agreement. A CSV tool that processes personal data on its servers is a processor. The DPA is not optional.
What to look for: A DPA template on the vendor's website, ideally downloadable without contacting sales. The template should include the minimum Article 28(3) content: processing subject matter and duration, nature and purpose of processing, type of personal data and categories of data subjects, obligations and rights of the controller.
Red flag: "Contact us for a DPA" with no template available. This typically means the vendor has no standard DPA and the process will be slow and negotiated.
Where to check: Vendor legal page, trust center, or privacy policy. Search the site for "DPA," "data processing agreement," or "GDPR."
See our GDPR Article 28 guide for what a compliant DPA must contain.
Criterion 3: BAA Available?
Under HIPAA, a covered entity (hospital, insurer, healthcare provider) using a vendor to process Protected Health Information must have a signed Business Associate Agreement — 45 CFR §§164.502(e) and 164.504(e). The BAA requirement applies regardless of how the tool is marketed. If PHI flows through it, a BAA is required.
What to look for: Explicit offer of a BAA on the vendor's website or in their healthcare/compliance documentation. The BAA should cover the minimum HIPAA requirements including permitted uses of PHI, safeguarding requirements, and breach notification obligations.
Red flag: No mention of HIPAA. A vendor that does not acknowledge HIPAA obligations is almost certainly not equipped to sign a BAA. For any file containing patient data — names, dates of service, diagnosis codes, treatment information — this is a hard blocker.
Criterion 4: File Retention Period?
A vendor that retains your uploaded files for 30 days after processing has access to your data for 30 days. During that window, the data is subject to the vendor's security controls, their employees' access, and their backup and logging infrastructure — all independently of your own data governance practices.
What to look for: An explicit retention period documented in the terms of service or privacy policy. Zero retention (client-side tools) or documented deletion within 24 hours of processing are both strong positions. Retention beyond 7 days without a specific security justification is a risk flag.
Where to check: Privacy policy, terms of service, or security/data handling FAQ.
Red flag: No mention of retention at all. Absence of retention documentation means the vendor has not committed to deleting your data, which typically means it persists indefinitely or until a periodic sweep.
Criterion 5: What Is Logged?
Every server-side tool logs something. The question is what. Some tools log only metadata (file size, processing time, error codes). Others log file contents for debugging. A few log everything for ML training purposes.
What to look for: Explicit documentation of what is and is not logged. "We log file metadata but not file contents" is a passing answer. "We may use uploaded data to improve our services" is a serious red flag — this is consent language for training data use.
Where to check: Privacy policy (search for "improve our services," "machine learning," "training data," "usage data"). Terms of service.
GDPR relevance: Under GDPR Article 5(1)(a), personal data must be processed transparently. A vendor whose logging practices are undocumented is not meeting the transparency principle with respect to the data they process on your behalf.
Criterion 6: Transfer Mechanisms for Non-EEA Processing?
If a vendor processes files on servers outside the European Economic Area — and most US-based vendors do — GDPR Chapter V requires a valid transfer mechanism for any personal data from EEA data subjects.
The three mechanisms are: adequacy decision (Article 45 — the European Commission has deemed the country adequate), Standard Contractual Clauses (Article 46(2)(c) — contractual safeguards between vendor and customer), or Binding Corporate Rules (Article 47 — for intra-group transfers in multinational organizations).
What to look for: SCCs offered as part of the DPA, or documentation that the vendor's servers are in an adequacy country (EEA, UK, Switzerland, Canada for commercial entities, Japan, South Korea — check the current EU list). A vendor with servers in the US must either offer SCCs or be certified under the EU-US Data Privacy Framework, which provides an adequacy mechanism for certified US organizations only — check the DPF list at https://www.dataprivacyframework.gov before relying on it.
Red flag: A US-based vendor with no mention of SCCs and no DPF certification. The Meta €1.2 billion fine in May 2023 was for exactly this failure: transferring EU personal data to US servers without a valid Chapter V mechanism.
See our international data transfers guide for the full framework.
Criterion 7: SOC 2 Type II Report?
SOC 2 Type II is an independent audit of a vendor's security controls over a sustained period (typically 6–12 months). It covers five Trust Service Criteria: security, availability, processing integrity, confidentiality, and privacy. SOC 2 Type I covers only point-in-time design, not operational effectiveness.
What to look for: SOC 2 Type II report available on request. Some vendors publish a summary on their trust center; others require NDA before sharing the full report.
Red flag: SOC 2 Type I only (design, not operation). "We're working on SOC 2" with no completion date. No SOC 2 at all for a tool handling sensitive data.
Important: SOC 2 compliance does not equal GDPR compliance. They address different frameworks. Both may be required.
Criterion 8: Breach Notification Procedure?
Under GDPR Article 33, a processor must notify the controller of a personal data breach without undue delay; the controller then has 72 hours from becoming aware to notify the supervisory authority, so the vendor's timeline directly determines whether you can meet yours. Under Article 34, notification to affected individuals may also be required. Under HIPAA, breach notification timelines are 60 days from discovery.
What to look for: A documented breach notification procedure with a specific timeline. The procedure should identify how the vendor notifies you (email, account portal), what information they will provide, and who the primary contact is.
Red flag: No breach notification procedure documented anywhere. A vague "we will notify you if required by law" with no specifics.
How to Score Your Vendor
| Score | Interpretation | Action |
|---|---|---|
| 8/8 Pass | Tool meets security baseline for sensitive data | Proceed with appropriate DPAs/BAAs signed |
| 6–7/8 Pass | Minor gaps — may be acceptable depending on data type | Address gaps before using with PII or PHI |
| 4–5/8 Pass | Significant gaps — use only for non-sensitive data | Do not use with personal data without remediation |
| 0–3/8 Pass | Serious compliance risk | Do not use with personal data |
Special rule: If Criterion 1 fails (server-side processing) and your files contain personal data, Criterion 2 becomes decisive: a server-side tool without a signed DPA is "do not use" regardless of how the remaining criteria score, because processing personal data without a DPA is already a GDPR Article 28 violation before criteria 3–8 are even evaluated.
Privacy Policy Red-Flag Phrases
When evaluating a vendor's privacy policy, these specific phrases signal compliance gaps more reliably than general security marketing. Use this as a quick-scan reference before committing to a tool for sensitive data.
| Phrase Found in Policy | What It Actually Signals | Action |
|---|---|---|
| "We may use data to improve our services" | Potential training data use; file contents may be retained for ML | Ask explicitly: does this apply to uploaded file contents? Get written clarification. |
| "We collect information you provide to us" | File contents may be in scope as "provided information" | Confirm whether uploaded files are excluded from this definition |
| "We take security seriously" | Marketing language — no specific commitment | Not a compliance statement; ask for specifics (SOC 2 report, encryption specs) |
| "We comply with applicable law" | No mechanism identified | Does not satisfy GDPR Chapter V — ask which mechanism applies for non-EEA transfers |
| "Industry-standard encryption" | Describes server-side security, not processing location; encryption in transit only matters if the file is transmitted | Strongly suggests server-side processing — confirm with the Criterion 1 Network-tab check; if confirmed, DPA/BAA requirements apply |
| "Contact us for compliance inquiries" | DPA not self-service; likely no standard template | Red flag for DPA availability — likely slow and negotiated |
| "We may share data with third parties for business purposes" | Sub-processor disclosure may be inadequate | Ask for full sub-processor list and whether changes require your consent |
| "Data may be retained as required by law" | No defined retention period for your uploaded files | Ask for specific post-processing retention period in writing |
| "We process data on secure servers" | Server-side processing confirmed — file is uploaded | DPA required; BAA if PHI; SCCs if non-EEA servers |
| Silence on retention | Vendor has not committed to deletion timeline | Treat as indefinite retention risk; escalate before use with personal data |
How to use this table: Run a Ctrl+F search on the vendor's privacy policy for each phrase. If you find two or more of these phrases in the same policy without specific clarifying provisions, escalate the vendor assessment to your DPO or legal team before use with any personal data.
Additional Resources
GDPR Official Text and Guidance:
- GDPR Article 28 — Processor — Full text of processor obligation requirements
- EDPB Guidelines on Data Processors — Official guidance on controller/processor distinction
HIPAA Guidance:
- HHS Business Associate Guidance — When a BAA is required under HIPAA
International Transfers:
- EU Data Privacy Framework List — Search to verify whether a US vendor is DPF-certified
- EDPB International Transfers Guidance — Chapter V compliance
SOC 2 Reference:
- AICPA SOC 2 Overview — What SOC 2 covers and how to interpret reports