Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms & Conditions between you ("Customer", "Controller") and Acme Web SRL ("Webkio", "Processor"). It applies where we process personal data of the End Users of your Published Sites on your behalf, and is intended to satisfy Article 28 of the GDPR. Where this DPA conflicts with the Terms in respect of data protection, this DPA prevails.

1. Roles

You are the controller and Webkio is the processor of End-User personal data collected through your Published Sites. You determine the purposes and means; we process only as set out here and on your documented instructions. For personal data about you as our customer, Webkio is the controller under the Privacy Policy — that data is outside this DPA.

2. Subject Matter & Duration

The subject matter is the processing of End-User personal data necessary to provide the Service. Processing lasts for the term of your account and ceases on termination, subject to the deletion/return obligations in Section 9.

3. Nature & Purpose of Processing

We process End-User data to host and serve your Published Sites and operate features you enable, including: CMS data, newsletter subscribers, appointment bookings, and — where you run a store — customers, orders, and order processing; serving content and media; producing visitor analytics; and protecting against spam, abuse, and unsafe content.

4. Types of Personal Data & Data Subjects

• Data subjects: visitors, leads, newsletter subscribers, booking clients, and store customers of your Published Sites.
• Categories: identifiers and contact details (name, email, phone), message/booking/order content, billing and shipping details you collect via your store, account credentials of store customers, and technical data (IP address, approximate location, device/browser, usage).

You must not use the Service to process special categories of data (Art. 9 GDPR) unless you have a valid lawful basis and have configured your site appropriately.

5. Controller Obligations

You warrant that you have a lawful basis to collect and entrust this data to us, that your instructions are lawful, and that you provide End Users with the required privacy information and obtain any necessary consents (including cookie consent on your Published Sites).

6. Processor Obligations

We will:

• Process personal data only on your documented instructions (the Service configuration being such instructions), unless required by law;
• Ensure personnel authorised to process the data are bound by confidentiality;
• Implement appropriate technical and organisational security measures (Section 8);
• Respect the conditions for engaging sub-processors (Section 7);
• Assist you, taking into account the nature of processing, in responding to End-User rights requests and in your obligations under Articles 32–36 (security, breach notification, impact assessments);
• Make available information necessary to demonstrate compliance and allow for reasonable audits (Section 10);
• Delete or return personal data at the end of processing (Section 9).

7. Sub-Processors

You provide general authorisation for us to engage the sub-processors listed below to deliver the Service. We impose data-protection obligations on each that are no less protective than this DPA, and we remain responsible for their performance. We will give notice of intended changes and you may object on reasonable data-protection grounds.

Sub-processor	Function
Amazon Web Services (S3)	Storage of media and uploaded files
Amazon Web Services (SES)	Outbound email (notifications to you and your End Users)
Stripe	Payment processing for your store's customers
OpenAI	Automated moderation of content
Google (reCAPTCHA)	Spam/bot protection on forms
MaxMind (GeoLite2)	Offline IP-to-country lookup for analytics

8. Security Measures

We maintain measures appropriate to the risk, including: encryption of data in transit (TLS), password hashing and optional two-factor authentication, role-based access controls and administrative IP allow-listing, network isolation, rate limiting, audit logging, and regular backups. We review these measures and may update them provided the level of protection is not reduced.

9. Return & Deletion

On termination of your account, or on your written request, we will delete End-User personal data we process for you. Deleting a project or your account triggers a cascading deletion of associated leads, subscribers, bookings, store customers, orders, payments, and related records. Residual copies in routine backups are overwritten on a rolling basis. We may retain data where required by law.

10. Audit

We will make available information reasonably necessary to demonstrate compliance with Article 28 and allow for audits, including inspections, conducted by you or an auditor you mandate, on reasonable prior notice, during business hours, subject to confidentiality and without unduly disrupting our operations.

11. International Transfers

Where a sub-processor processes personal data outside the EEA, we ensure an appropriate transfer mechanism is in place, such as the European Commission's Standard Contractual Clauses or an adequacy decision.

12. Personal Data Breach

We will notify you without undue delay after becoming aware of a personal data breach affecting End-User data we process for you, and provide information reasonably available to help you meet your own notification obligations.

13. Liability & Term

Each party's liability under this DPA is subject to the limitations of liability in the Terms. This DPA takes effect when you accept the Terms and remains in force while we process End-User data on your behalf.

14. Contact

Data-protection notices under this DPA: contact@webkio.com.

This document is provided for transparency and general information. It is not legal advice; please have it reviewed by qualified counsel for your jurisdiction before relying on it.