Data Processing Agreement (DPA)

1. Scope and Purpose

This Data Processing Agreement ("DPA") forms part of the Master Service Agreement or Terms of Service (the "Agreement") between the Client (Data Controller) and the Studio (Data Processor). This DPA applies where and to the extent that the Studio processes Personal Data on behalf of the Client in the course of providing software development services.

2. Definitions

"GDPR" means the General Data Protection Regulation (EU) 2018/672.

"Personal Data" means any information relating to an identified or identifiable natural person provided by the Client to the Studio.

"Processing" means any operation performed on Personal Data, such as collection, storage, adaptation, or deletion.

3. Processing Instructions

The Studio shall process Personal Data only on documented instructions from the Client, including with regard to transfers of personal data to a third country, unless required to do so by European Union or Member State law to which the Studio is subject.

4. Personnel and Confidentiality

The Studio ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5. Security of Processing

Taking into account the state of the art and the costs of implementation, the Studio shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of personal data where applicable.
  • The ability to ensure the ongoing confidentiality, integrity, and availability of processing systems.
  • A process for regularly testing and evaluating the effectiveness of security measures.

6. Sub-processors

The Client provides a general authorization for the Studio to engage sub-processors (such as cloud hosting providers or specialized API services).

Current Sub-processors: The Client acknowledges the use of Web3Forms (form processing) and Microsoft Clarity (analytics).

The Studio shall inform the Client of any intended changes concerning the addition or replacement of sub-processors, giving the Client the opportunity to object.

7. Data Subject Rights

The Studio shall, insofar as this is possible, assist the Client by appropriate technical and organizational measures for the fulfilment of the Client's obligation to respond to requests for exercising the data subject's rights (e.g., right of access, rectification, or erasure).

8. Personal Data Breach

The Studio shall notify the Client without undue delay after becoming aware of a personal data breach. This notification shall include the nature of the breach and the measures taken to address it.

9. Return or Deletion of Data

Upon termination of the Agreement, the Studio shall, at the choice of the Client, delete or return all personal data to the Client and delete existing copies unless applicable law requires storage of the personal data.

Appendix: Details of Processing

Subject Matter: Software development and maintenance services.

Duration: The term of the Agreement plus the period until all data is deleted or returned.

Nature/Purpose: Processing for the purpose of developing, testing, and optimizing the Client's software products.

Data Categories: Name, email, IP address, user behavior data (via Microsoft Clarity), and any other data provided by the Client's end-users.