Data Processing Agreement (DPA)
Preamble
This Data Processing Agreement (hereinafter "DPA") specifies the obligations of the parties under Art. 28 GDPR in the context of using the LACOP portfolio platform pursuant to the General Terms and Conditions of Lacop Studio OG. It becomes an automatic part of the contractual relationship upon customer registration, insofar as LACOP processes personal data on behalf of the customer (in particular data of visitors to the customer's portfolio website).
§ 1 Parties
Controller: the customer, as stored in their account data in the LACOP dashboard.
Processor:
Lacop Studio OG
Lazar Peric & Claus Pavel
Herderstraße 40, 4600 Wels, Austria
Email: office@lacop.app
§ 2 Subject and Duration
2.1 The subject of this DPA is the processing of personal data by the processor on behalf of the controller in the context of providing the LACOP portfolio platform and associated services pursuant to the GTC.
2.2 The term of this DPA corresponds to the term of the main contract (subscription or service agreement). It ends automatically upon termination of the main contract.
§ 3 Nature and Purpose of Processing
The processor processes data for the following purposes:
- Provision and display of the controller's portfolio website
- Storage and delivery of media content (photos, videos) of the controller
- Technical processing of requests from visitors to the portfolio website (e.g. delivery of page content, anonymous access statistics)
- Processing of contact form and interaction data submitted via the portfolio website (where configured)
- Email hosting and delivery of transactional messages (where booked)
§ 4 Categories of Data and Data Subjects
Categories of personal data:
- Master data (name, email, contact information — to the extent published by the controller)
- Visitor usage data (IP addresses in server logs, anonymized access statistics via Vercel Analytics)
- Content data (contact form submissions, newsletter sign-ups — where configured)
- Communication data (email content when email hosting is booked)
Categories of data subjects:
- Visitors to the controller's portfolio website
- Persons making contact (e.g. bookers, agencies, customers)
- Recipients and senders of emails (when email hosting is booked)
§ 5 Obligations of the Processor
5.1 The processor undertakes to:
- Process data exclusively within the scope of the documented instructions of the controller (Art. 28(3)(a) GDPR). The conclusion of the contract and the GTC serve as a baseline instruction.
- Ensure that all persons involved in processing are committed to confidentiality (Art. 28(3)(b) GDPR).
- Implement and maintain appropriate technical and organizational measures (TOMs) pursuant to Art. 32 GDPR (see § 7).
- Support the controller in fulfilling their obligations, in particular regarding data subject requests (Arts. 15–22 GDPR), data protection impact assessments (Art. 35 GDPR) and breach notifications (Arts. 33, 34 GDPR).
- Inform the controller without delay if an instruction, in the processor's view, violates the GDPR or other data protection regulations.
- Delete or return all personal data after the end of processing pursuant to § 10.
5.2 The processor has appointed a person responsible for data protection, who can be contacted at office@lacop.app.
§ 6 Obligations of the Controller
6.1 The controller undertakes to:
- Only process personal data via the LACOP platform if they have a lawful basis for the processing (Art. 6, Art. 9 GDPR).
- Inform data subjects about the processing (information obligations pursuant to Arts. 13, 14 GDPR) — e.g. via their own privacy policy on their portfolio website.
- Primarily handle data subject requests themselves; the processor will provide support upon request (§ 9).
- Independently report data breaches within their area of responsibility to the supervisory authority.
§ 7 Technical and Organizational Measures (TOMs)
The processor implements and maintains the following TOMs pursuant to Art. 32 GDPR:
- Encryption: TLS 1.2+ for all data transmissions (HTTPS, SMTPS, IMAPS); passwords stored as cryptographic hashes (bcrypt/argon2).
- Access control: Role-based permission system (RLS — Row Level Security in the database), mandatory two-factor authentication (2FA) for administrators.
- Pseudonymization: IP addresses anonymized in web analytics, Sentry error reports without personal content.
- Availability: Automated backups via Supabase (point-in-time recovery), redundant Vercel edge nodes.
- Resilience: Rate limiting against abuse, automatic failover upon component failure.
- Auditability: Internal audit logs for administrative actions and security-relevant events.
- Regular review: Security audits, dependency scanning, CVE monitoring.
A detailed description of the TOMs is available on request via email to office@lacop.app.
§ 8 Sub-processors
8.1 By entering into this DPA, the controller gives general consent to the use of the sub-processors listed below. The up-to-date list of all sub-processors engaged by LACOP is available at lacop.app/subprozessoren and is continuously maintained there.
| Provider | Purpose | Location |
|---|---|---|
| Vercel Inc. | Hosting, edge network, analytics | USA (EU-U.S. DPF) |
| Supabase Inc. | Database, authentication, storage | EU (Frankfurt) |
| Resend Inc. | Transactional email delivery | USA (EU-U.S. DPF) |
| ALL-INKL.COM (Neue Medien Münnich) | Email hosting (optional add-on) | EU (Germany) |
| Sentry (Functional Software Inc.) | Error monitoring (no personal content) | USA (EU-U.S. DPF) |
| Stripe Inc. | Payment processing | USA (EU-U.S. DPF) |
8.2 A separate contract exists with each sub-processor, which meets the data protection requirements pursuant to Art. 28 GDPR and imposes the same protective obligations as agreed in this DPA.
8.3 The processor will inform the controller by email at least 30 days before changing or adding a sub-processor. The controller may object within this period; in case of objection, both parties have a special right of termination effective at the time of the change.
§ 9 Data Breaches
9.1 The processor will inform the controller without delay, but at the latest within 72 hours of becoming aware, of any personal data breach within the meaning of Art. 4(12) GDPR affecting the controller's personal data. The notification is made in sufficient time for the controller to meet their own notification deadline to the supervisory authority (Art. 33(1) GDPR).
9.2 The notification includes at least the information specified in Art. 33(3) GDPR (nature of the incident, categories and approximate number of data subjects affected, likely consequences, measures taken or proposed).
9.3 Notification to the supervisory authority (Art. 33 GDPR) and to affected data subjects (Art. 34 GDPR) is the responsibility of the controller, insofar as the breach concerns them.
§ 10 Deletion and Return of Data
10.1 After the end of processing, the controller chooses whether the personal data will be deleted or returned. Data export is possible via the dashboard pursuant to § 8 GTC.
10.2 Without deviating instruction, all customer data will be deleted within 30 days after the end of the contract, unless statutory retention obligations apply (in particular tax and commercial retention obligations pursuant to § 132 BAO, up to 7 years for invoice data).
§ 11 Audit Rights of the Controller
11.1 The controller has the right to verify compliance with this DPA by the processor. This is usually done by:
- Reviewing current certificates, attestations or audit reports from independent bodies (if available)
- Obtaining written information
- In justified individual cases, upon prior notice (at least 14 days), conducting an inspection of the TOMs at the processor's premises during normal business hours
11.2 Reasonable costs for conducting on-site audits are borne by the controller.
§ 12 Liability
12.1 The parties' liability in the event of breaches of data protection regulations is governed by Art. 82 GDPR and the liability provisions of the main contract (§ 13 GTC).
12.2 Internally, each party is liable for damages caused by its own fault.
§ 13 Final Provisions
13.1 Changes to this DPA will be announced to the controller by email at least 30 days before they take effect. § 19 GTC applies accordingly.
13.2 In the event of a conflict between the GTC and this DPA, the provisions of this DPA prevail on data protection matters.
13.3 Austrian law applies. Place of jurisdiction is Wels, Austria (for consumers: § 14 KSchG).