Data Processing Agreement

Data Processing Agreement (DPA) pursuant to Article 28 GDPR.

Last updated: April 2026

between the Customer, acting as Controller ("Controller") and

Webagentur Hochmeir e.U.
Jonathan Hochmeir
Moorweg 7, 4845 Rutzenmoos, Austria
Email: hello@webhoch.com

("Processor")

1. Subject Matter

This DPA governs the Processor's processing of personal data on behalf of the Controller in connection with SaaS products, digital services, technical hosting-related services, support, maintenance, integrations or similar service arrangements.

2. Duration

This DPA applies for the duration of the underlying service relationship and as long as the Processor processes personal data on behalf of the Controller.

3. Nature and Purpose of Processing

The Processor processes personal data solely for the purpose of performing the agreed services, including hosting, storage, user management, support, troubleshooting, security monitoring, backups and related technical service functions.

4. Categories of Data

Depending on the service, personal data may include: contact data, user account data, login data, content data, communication data, usage data, technical metadata, billing-related data.

5. Categories of Data Subjects

Data subjects may include: the Controller's customers, employees, users, prospects, service contacts, and other persons whose data is uploaded or processed by the Controller within the service.

6. Instructions

The Processor shall process personal data only on documented instructions from the Controller, unless required otherwise by applicable law.

If the Processor believes an instruction infringes applicable data protection law, it shall inform the Controller without undue delay.

7. Confidentiality

The Processor shall ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

8. Security Measures

The Processor shall implement appropriate technical and organisational measures pursuant to Article 32 GDPR, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risks to the rights and freedoms of natural persons.

Such measures may include:

  • access controls,
  • authentication and authorisation controls,
  • encryption where appropriate,
  • logging and monitoring,
  • backup and recovery procedures,
  • patch management,
  • incident management,
  • organisational confidentiality controls.

9. Subprocessors

The Controller grants a general authorisation for the use of subprocessors.

The Processor shall ensure that any subprocessor is bound by data protection obligations that are no less protective than those set out in this DPA, where required by law.

10. Assistance

The Processor shall assist the Controller, taking into account the nature of the processing and the information available to the Processor, with fulfilling the Controller's obligations regarding: data subject rights, security of processing, personal data breach notifications, data protection impact assessments, prior consultations with supervisory authorities.

11. Personal Data Breaches

The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach affecting data processed under this DPA, insofar as the breach concerns the Controller's data.

12. Audit Rights

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with Article 28 GDPR and this DPA.

Audits shall be subject to reasonable prior notice, confidentiality safeguards, proportionality and protection of the Processor's business secrets and security interests.

13. Return or Deletion

Upon termination of the underlying services, the Processor shall, at the Controller's choice, delete or return personal data, unless applicable law requires storage.

Where technically justified, a short post-termination retention period may apply for transition, security or deletion processes. Unless otherwise agreed, data is generally deleted within up to 30 days after termination.

14. Governing Law

This DPA shall be governed by Austrian law, to the extent not superseded by mandatory GDPR rules.

15. Miscellaneous

If any provision of this DPA is invalid, the remainder shall remain in effect.