Data Processing Agreement (DPA)

This is a template DPA. Contact us for a signed copy tailored to your organisation.

1. Scope and Purpose

This Data Processing Agreement (“DPA”) forms part of the agreement between the Customer (“Controller”) and Sovrio (“Processor”) for the provision of QR code management and redirect services.

The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the Processor is subject.

2. Data Processed

The following categories of personal data may be processed depending on the privacy level configured by the Controller:

  • IP addresses (full or hashed, depending on privacy level)
  • Device and browser metadata
  • Geographic location (country level)
  • Timestamps of scan events
  • Language preferences

3. Purpose of Processing

Personal data is processed for the following purposes:

  • QR code redirect analytics and reporting
  • Performance monitoring and service reliability
  • Fraud prevention and abuse detection

4. Retention

Data is retained per the Controller's tenant configuration, with configurable retention periods between 7 and 365 days.

Automatic deletion occurs after the configured retention period expires. Manual deletion is also available at any time via the GDPR data deletion endpoint.

5. Subprocessors

The current list of subprocessors is maintained on our compliance page.

The Processor shall inform the Controller of any intended changes concerning the addition or replacement of subprocessors at least 30 days in advance, thereby giving the Controller the opportunity to object to such changes.

6. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligation to respond to data subject requests, including:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)

7. Security Measures

The Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk. All infrastructure is hosted on Hetzner (ISO 27001 certified, GDPR compliant) within the European Union. A full overview of security measures is available on our compliance page.

8. Breach Notification

The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach, and in any event within 72 hours of discovery.

The notification shall include the nature of the breach, the categories and approximate number of data subjects concerned, the likely consequences, and the measures taken or proposed to address the breach.

Request a Signed DPA

Need a signed copy tailored to your organisation? Get in touch.
