Make.com DPA: Does Make Have a Data Processing Agreement? (GDPR Guide)
Does Make.com have a Data Processing Agreement?
Yes. Make.com provides a Data Processing Agreement (DPA) for paid plan customers (Team plan and above). Free plan users are not covered. German companies must verify plan eligibility, configure EU data residency, review sub-processors, and address Betriebsrat obligations before deploying Make workflows that process.
- Make.com's DPA applies to Team plan and above — free plan users have no DPA coverage and must not process personal data through Make in a business context.
- EU data residency is available via AWS EU regions — enable it in account settings before processing personal data to reduce reliance on Standard Contractual.
- Make workflows that call AI APIs (OpenAI, Anthropic, etc.) create EU AI Act deployer obligations — assess risk classification before rollout.
- German companies must consult their Betriebsrat if Make workflows affect employee work processes or could enable behavioral monitoring under §87 BetrVG.
Make.com does have a Data Processing Agreement (DPA) available for paid plan customers. As of April 2026, the DPA is accessible through Make’s trust documentation at trust.make.com and covers Make’s role as a data processor under Article 28 GDPR. Free plan users are not covered — DPA protection applies to Team plan subscribers and above. German and DACH companies deploying Make for workflow automation must go beyond DPA availability: EU data residency configuration, sub-processor chains, EU AI Act deployer obligations, and works council consultation under German law all require attention before processing personal data at scale. For an overview of automation and AI tools assessed for the German market, see our AI tools guide.
Does Make.com Have a DPA?
Yes. Make.com provides a Data Processing Agreement for paid plan customers. The DPA establishes Make’s role as a processor under Article 28 GDPR, sets out obligations on sub-processors, security measures, data deletion timelines, and includes Standard Contractual Clauses (SCCs) for the transfer of personal data from the EU/EEA to third countries.
How to access Make.com’s DPA:
- Verify your plan. The DPA applies to Team plan subscribers and above. Free plan users are not covered by a DPA and must not process personal data through Make in a professional context under GDPR.
- Review the documentation at trust.make.com. Make publishes its trust documentation, sub-processor list, and DPA terms at its dedicated trust portal.
- Sign the DPA. For most business plans, DPA acceptance is incorporated into the subscription terms. If your organisation requires a separately countersigned DPA, contact Make’s legal or sales team.
Key DPA checklist for German procurement:
| Issue | What to check |
|---|---|
| Plan eligibility | Is your account on Team plan or above? |
| Sub-processor list | Who does Make rely on for infrastructure and integrations? |
| Transfer mechanism | SCCs — are they current and do they cover all processing paths? |
| EU data residency | Is EU data processing enabled in account settings? |
| Retention and deletion | What are the default retention periods for workflow logs and processed data? |
| Article 28 clause quality | Do instructions, security, audit, and deletion obligations meet GDPR standards? |
For a broader framework on DPA requirements under German data protection law, see our data processing agreement guide.
What Does Make.com’s DPA Cover?
Make.com’s DPA covers the core obligations required by Article 28 GDPR:
- Processor role. Make acts as a processor on behalf of the controller (your company). The DPA defines the scope, purpose, and duration of processing.
- Sub-processor disclosure. Make uses third-party infrastructure providers, including cloud hosting services. The current sub-processor list is published at trust.make.com and should be reviewed before deployment — and again each time Make gives notice of a sub-processor change.
- Data transfer mechanism. Standard Contractual Clauses apply for transfers of personal data from the EU/EEA to Make’s infrastructure or its sub-processors in third countries.
- Data retention and deletion. The DPA sets out deletion obligations after the processing relationship ends. Review default retention periods for workflow logs, integration payloads, and input/output data stored within Make.
- Security measures. Make commits to technical and organisational measures (TOMs) for data protection. Review the current TOMs against your own data classification requirements and the nature of data your workflows process.
Sub-processor chain (indicative):
| Entity | Role | Notes |
|---|---|---|
| Make.com | Data processor (platform) | EU data residency available |
| AWS | Cloud infrastructure | EU regions available |
| Additional sub-processors | Various infrastructure services | Full list at trust.make.com |
Always verify the current, complete sub-processor list at trust.make.com before deployment. Sub-processors can change with advance contractual notice, and new AI-related sub-processors may be added as Make expands its feature set.
Is Make.com GDPR Compliant?
Make.com can be used in a GDPR-compliant manner with the correct plan and configuration. The DPA availability is a necessary starting point — not a sufficient one. Whether your specific Make deployment is lawful depends on which workflows you activate, what personal data enters the system, and whether your contractual and technical setup addresses your actual data flows.
GDPR compliance checklist for Make.com:
- DPA in place. Available on Team plan and above. Required before processing any personal data through Make.
- EU data residency enabled. Make offers EU-based data processing through AWS EU regions. Enable EU data residency in account settings to reduce the volume of data subject to international transfer mechanisms.
- SCCs for remaining transfers. Even with EU data residency enabled, sub-processors and AI API calls within workflows may involve processing outside the EEA. Confirm SCC coverage for all active sub-processors.
- Records of processing activities. Update your Article 30 DSGVO register (Verzeichnis von Verarbeitungstätigkeiten) to include Make.com and its active sub-processors.
- DPIA where required. If Make workflows process special categories of data (Article 9 GDPR), automate decisions with legal or similarly significant effects on individuals, or handle large-scale personal data processing, a Data Protection Impact Assessment under Article 35 GDPR may be required.
The free plan is not suitable for any professional use involving personal data — no DPA exists at that tier.
EU AI Act Considerations for Make Workflows
Make.com is a general automation platform, not itself an AI system. Many Make workflows do, however, connect to AI APIs — calling OpenAI, Anthropic, or other AI services as part of an automated pipeline. When this occurs, the EU AI Act creates obligations for the company operating the workflow.
Deployer obligations under the EU AI Act:
Under the EU AI Act, companies that deploy AI systems in their operations are deployers. If a Make workflow calls an AI API to process information, classify content, generate outputs, or make recommendations that feed into business decisions, the company running the workflow is the deployer of that AI system — not just the user of Make.
Practical implications for Make workflow operators:
- Risk classification. Most AI-assisted automation workflows fall in the minimal or limited risk category under the EU AI Act. Workflows that make consequential automated decisions — CV screening, credit-scoring triggers, access control decisions — may require a higher-risk assessment.
- Transparency obligations. If a Make workflow generates AI-produced outputs that are presented to identifiable individuals (customers, employees), Article 50 EU AI Act transparency obligations may apply.
- GPAI model documentation. If your Make workflow integrates a general-purpose AI model (GPT-4, Claude, Gemini), verify that the provider’s documentation meets EU AI Act obligations for deployers, including technical documentation and instructions for use.
For guidance on AI workflow compliance and scheduling automation in Germany, see our AI scheduling optimization compliance guide.
German-Specific: Works Council and BetrVG
German companies deploying Make in ways that affect employees face specific obligations under the Betriebsverfassungsgesetz (BetrVG).
Under §87(1) no. 6 BetrVG, the Betriebsrat has co-determination rights over the introduction of technical equipment that is capable of monitoring employee behavior or performance. Make workflows can trigger this obligation in several practical scenarios:
- HR automation. Make workflows that automate leave requests, onboarding steps, or scheduling processes interact directly with employee data and may require a Betriebsvereinbarung before deployment.
- Activity logging. If a Make workflow logs employee actions — support ticket responses, order processing, time tracking inputs — and that data could be used to evaluate or compare individual performance, the works council must be consulted.
- Email and communication automation. Automated workflows that route or process employee communications may be subject to co-determination requirements under both §87 BetrVG and the employee data protection provisions of §26 BDSG.
Recommended approach:
Before deploying Make in any context that involves employee data or affects how employees work, engage your Betriebsrat early. Prepare a clear description of what data each workflow collects and processes, and propose a Betriebsvereinbarung that defines permissible uses and prohibits unauthorised performance monitoring from workflow data.
Our Assessment
Make.com is a deployable automation platform for German companies with the right preparation. The DPA exists, EU data residency is available, and the sub-processor list is publicly documented. Those are the foundational requirements under GDPR Article 28.
The areas requiring active management before deployment are:
- Plan eligibility — verify your subscription is Team plan or above before processing personal data.
- EU data residency — enable EU data processing in account settings and confirm the configuration covers your actual workflows.
- Sub-processor review — check trust.make.com for current sub-processors, especially for integration-specific or AI-related providers your workflows activate.
- BetrVG consultation — engage your Betriebsrat if any Make workflows affect employee work processes or could enable behavioral monitoring.
- EU AI Act assessment — if your Make workflows call AI APIs and generate outputs that influence decisions, assess your deployer obligations before rollout.
Compound Law advises businesses in Germany on GDPR, AI procurement, DPA reviews, and EU AI Act compliance for automation deployments. Contact us for a DPA review or rollout checklist tailored to your specific Make.com configuration.
Frequently Asked Questions
Does Make.com have a DPA?
Yes. Make.com provides a Data Processing Agreement for paid plan customers (Team plan and above). The DPA covers Make’s processor role under Article 28 GDPR, sub-processors, Standard Contractual Clauses for international data transfers, and deletion requirements. Free plan users are not covered and must not process personal data through Make in a professional context. Review the current DPA at trust.make.com.
Is Make.com GDPR compliant?
Make.com can be used in a GDPR-compliant way with the right setup: a valid DPA (Team plan or above), EU data residency enabled in account settings, Standard Contractual Clauses for remaining international transfers, and updated records of processing activities under Article 30 GDPR. GDPR compliance is always deployment-specific — the vendor providing a DPA is necessary but not sufficient.
Does Make.com offer an AVV (Auftragsverarbeitungsvertrag)?
Yes. Make.com’s Data Processing Agreement is the functional equivalent of an Auftragsverarbeitungsvertrag (AVV) under Article 28 DSGVO. It is available for Team plan subscribers and above. German companies must sign the DPA before using Make to process personal data in a business context.
Where does Make.com process data?
Make.com offers EU data residency through AWS EU regions. Some plans or features may use US-based infrastructure by default — enable EU data residency in account settings and confirm the configuration before processing personal data. Review the current data residency options and sub-processor hosting locations at trust.make.com.
Which Make.com plan includes DPA coverage?
Make.com’s DPA is available starting from the Team plan. Free plan users do not have DPA coverage and cannot lawfully process personal data through Make in a business context under GDPR.
Does Make.com comply with Schrems II / SCCs?
Yes. Make.com’s DPA includes Standard Contractual Clauses for transfers of EU/EEA personal data to third countries. German companies should verify that SCCs cover all active sub-processors and all data flows their specific Make workflows use — particularly AI API integrations that send data to US-based model providers such as OpenAI or Anthropic.
What BetrVG obligations apply when deploying Make.com in German companies?
Under §87(1) no. 6 BetrVG, the Betriebsrat has co-determination rights over technical systems capable of monitoring employee behavior or performance. Make workflows that log employee actions, automate HR processes, or generate performance-related data may trigger this obligation. Engage your works council before deployment and prepare a Betriebsvereinbarung that sets limits on permissible data use.
