Legal Information
Data Processing Agreement (DPA)
This page provides key information for customers that need a signed Data Processing Agreement under GDPR Article 28.
This Data Processing Agreement ("DPA", German: Auftragsverarbeitungsvertrag) forms part of the Terms of Service ("Agreement") between Philip Simon (doing business as "archiv.cc"), Liebfrauenstraße 70, 64289 Darmstadt, Germany ("Data Processor" or "Provider") and the customer agreeing to these terms ("Data Controller" or "Customer").
This DPA is automatically incorporated into the Terms of Service. By using our services to build and host websites that process personal data of third parties, the Customer accepts this DPA.
1. Subject Matter, Nature, and Purpose of Processing
The Provider provides a website building and hosting platform. In providing the Service, the Provider may process personal data on behalf of the Customer.
- Nature and Purpose: The processing is carried out to host websites built by the Customer, deliver content to end-users, and store data submitted via the Customer's websites (e.g., contact forms).
- Duration: The processing will continue for the duration of the Customer’s use of the Service (until account deletion or termination of the Agreement).
2. Roles and Responsibilities
For the purposes of the General Data Protection Regulation (GDPR), the Customer is the Data Controller, and the Provider is the Data Processor.
- The Customer is solely responsible for ensuring that there is a lawful basis for processing the personal data of their end-users (e.g., obtaining consent for cookies or contact forms).
- The Provider shall only process personal data based on the documented instructions of the Customer (which includes providing the core functionality of the Service).
3. Confidentiality and Security
The Provider ensures that all persons authorized to process the personal data have committed themselves to confidentiality. The Provider shall implement appropriate technical and organizational measures (TOMs) to ensure a level of security appropriate to the risk, including the protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
4. Sub-processors
The Customer grants the Provider general authorization to engage third-party sub-processors. The Provider shall enter into a written agreement with each sub-processor imposing data protection obligations no less protective than those in this DPA.
If the Provider intends to add or replace a sub-processor, the Provider will update the list below. The Customer has the right to object to such changes.
Current List of Authorized Sub-processors:
- Vercel Inc. (Cloud Hosting & Edge Network)
  - Location of Processing: Primary compute region in Frankfurt, Germany (EU). Content delivery and temporary routing (IP addresses) occur globally via Vercel's Edge Network.
  - Purpose: Hosting the website frontend and delivering content via CDN.
- Supabase Inc. (Database Hosting & Authentication)
  - Location of Processing: Frankfurt, Germany (EU)
  - Purpose: Storing user data, form submissions, and authentication.
(Note: Although data is hosted on servers within the EU, Vercel and Supabase are US-based companies. Data processing is safeguarded by the EU-US Data Privacy Framework and/or Standard Contractual Clauses).
5. Data Subject Rights & Breach Notification
- Data Subject Requests: If the Provider receives a request from a data subject (e.g., a visitor of the Customer's website) regarding their rights (access, deletion, etc.), the Provider will promptly forward this request to the Customer. The Provider will assist the Customer in fulfilling these requests using the tools provided within the Service.
- Data Breach: In the event of a personal data breach affecting the Customer's data, the Provider will notify the Customer without undue delay after becoming aware of it, providing sufficient information to allow the Customer to meet any obligations to report to the authorities.
6. Deletion or Return of Data
Upon termination of the Agreement or deletion of the Customer's account, the Provider shall, at the choice of the Customer, delete or return all personal data processed on behalf of the Customer, unless applicable law requires continued storage of the data.
Schedule 1: Details of Processing
- Categories of Data Subjects: Visitors, customers, or users of the websites built and operated by the Customer using our Service.
- Types of Personal Data: IP addresses, browser and device information (automatically collected for hosting purposes), and any personal data actively submitted by the data subjects through forms on the Customer's website (e.g., names, email addresses, messages).
Schedule 2: Technical and Organizational Measures (TOMs)
The Provider implements the following security measures:
- Encryption: Data in transit is encrypted using TLS/HTTPS. Data at rest is encrypted by our infrastructure providers (Vercel/Supabase).
- Access Control: Strict logical access controls. Only authorized personnel have access to the production databases, protected by multi-factor authentication (MFA) and strong passwords.
- Backups & Resilience: Automated backups are performed regularly to ensure data can be restored in the event of a physical or technical incident.