Effective Date: 12 March 2026
This Data Processing Agreement ("DPA") forms part of the Agreement between Coder's Cantina e.U., registered in Austria with its principal place of business at Wehlistraße 291/1/47, 1020 Vienna, Austria ("b10cks", "Processor") and the Customer identified in the applicable Account or Order Form ("Controller").
This DPA supplements and is incorporated into the b10cks Terms of Service at https://www.b10cks.com/legal/terms. Capitalised terms not defined herein have the meaning given to them in the Terms of Service. In the event of conflict, this DPA takes precedence over the Terms of Service with respect to the processing of Personal Data.
1.1. "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under this DPA, including: (a) Regulation (EU) 2016/679 of the European Parliament and of the Council ("GDPR"); (b) the Austrian Data Protection Act (Datenschutzgesetz — DSG); and (c) any other applicable national data protection legislation within the European Economic Area, in each case as amended or replaced from time to time.
1.2. "Controller" has the meaning given under the GDPR: the natural or legal person that determines the purposes and means of the processing of Personal Data — in this DPA, the Customer.
1.3. "Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA.
1.4. "Personal Data" means any information relating to an identified or identifiable natural person as defined in Article 4(1) GDPR.
1.5. "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
1.6. "Processing" has the meaning given under Article 4(2) GDPR and "process", "processes", and "processed" shall be construed accordingly.
1.7. "Processor" has the meaning given under the GDPR: a natural or legal person that processes Personal Data on behalf of the Controller — in this DPA, b10cks.
1.8. "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as may be amended or replaced from time to time.
1.9. "Sub-processor" means any third party engaged by b10cks to process Personal Data on behalf of the Controller in connection with the b10cks Services.
1.10. "Supervisory Authority" means the competent data protection authority under Applicable Data Protection Law, which for b10cks is the Austrian Data Protection Authority (Datenschutzbehörde — DSB).
2.1. Processor Role. b10cks processes Personal Data solely in its capacity as a data processor, acting on documented instructions from the Controller, in connection with the provision of the b10cks Services as described in this DPA and the Terms of Service.
2.2. Controller Role. Customer acts as the data controller with respect to all Personal Data contained in or submitted as part of Customer Content processed through the b10cks Services. Customer is responsible for ensuring it has a lawful basis under Applicable Data Protection Law for all Personal Data it submits to the b10cks Services.
2.3. Independent Controller Processing. The Parties acknowledge that b10cks also processes certain Personal Data — such as Account Information and billing data — as an independent data controller for its own purposes (including account management, billing, and service operation). Such processing is governed by the b10cks Privacy Policy at https://www.b10cks.com/legal/privacy-policy and is outside the scope of this DPA.
2.4. Details of Processing. The subject matter, nature, purpose, duration, categories of Personal Data, and categories of Data Subjects covered by this DPA are set out in Annex I to this DPA.
3.1. Documented Instructions. b10cks shall process Personal Data only on documented instructions from the Controller. The Agreement (including this DPA) constitutes Controller's initial documented instructions. Controller may issue further instructions in writing during the term of the Agreement, provided such instructions are within the scope of the b10cks Services.
3.2. Notification of Unlawful Instructions. If b10cks reasonably believes that any instruction from Controller infringes Applicable Data Protection Law, b10cks shall promptly inform Controller. b10cks may suspend processing under the relevant instruction until Controller provides clarified or alternative instructions. b10cks shall not be liable for any delay caused by such suspension.
3.3. Processing Required by Law. If b10cks is required by applicable EU or Member State law to process Personal Data beyond Controller's instructions, b10cks shall inform Controller of that legal requirement before processing, unless such law prohibits disclosure on grounds of public interest.
4.1. Confidentiality. b10cks shall ensure that all personnel authorised to process Personal Data under this DPA are subject to binding confidentiality obligations, whether by contract or statutory obligation.
4.2. Technical and Organisational Measures. b10cks shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as further described in Annex II. Such measures shall take into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons.
4.3. Assistance to Controller. b10cks shall, taking into account the nature of processing and the information available to it, provide reasonable assistance to Controller to enable Controller to:
(a) fulfil its obligation to respond to Data Subject requests exercising rights under Chapter III GDPR (including rights of access, rectification, erasure, restriction, portability, and objection);
(b) comply with its obligations under Articles 32–36 GDPR, including in relation to security of processing, notification of Personal Data Breaches to the Supervisory Authority, communication of Personal Data Breaches to Data Subjects, data protection impact assessments, and prior consultation with Supervisory Authorities.
4.4. Data Subject Requests. b10cks shall promptly forward to Controller any Data Subject request received directly by b10cks relating to Personal Data processed under this DPA. b10cks shall not respond to any such request on Controller's behalf without Controller's prior written authorisation, except to confirm that the request has been forwarded.
4.5. Audit and Inspection. b10cks shall make available to Controller all information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits and inspections conducted by Controller or a mandated auditor, subject to: (a) reasonable prior written notice of at least thirty (30) days; (b) audits being conducted during normal business hours and no more than once per calendar year; (c) the auditor being bound by an appropriate confidentiality obligation; and (d) Controller bearing all costs of such audit. b10cks may satisfy this obligation by providing Controller with relevant third-party audit reports or certifications (e.g. ISO 27001, SOC 2) where available.
4.6. Deletion or Return of Data. Upon termination or expiry of the Agreement, b10cks shall, at Controller's election, delete or return all Personal Data processed under this DPA within ninety (90) days of the effective date of termination, unless Applicable Data Protection Law requires continued storage. b10cks shall certify such deletion in writing upon Controller's request. b10cks is not obligated to retain Personal Data beyond the ninety (90) day period.
5.1. Authorisation. Controller hereby grants b10cks general written authorisation to engage Sub-processors for the processing of Personal Data under this DPA, subject to the conditions set out in this Section 5.
5.2. Current Sub-processors. The Sub-processors currently engaged by b10cks are listed in Annex III to this DPA and at https://www.b10cks.com/legal/dpa. By entering into this DPA, Controller approves the engagement of all Sub-processors listed as of the Effective Date.
5.3. Sub-processor Changes. b10cks shall notify Controller of any intended addition or replacement of a Sub-processor by updating the sub-processor list at https://www.b10cks.com/legal/dpa. Controller is responsible for regularly reviewing the sub-processor list. Controller may object to a new Sub-processor on reasonable data protection grounds by notifying b10cks in writing at hello@b10cks.com within fourteen (14) days of the update being published. If Controller objects and the Parties cannot reach a resolution within thirty (30) days, Controller's sole remedy is to terminate the Agreement and receive a pro-rata refund of prepaid, unused Subscription Fees for the period following the effective date of termination.
5.4. Sub-processor Obligations. b10cks shall impose data protection obligations on each Sub-processor that are no less protective than those set out in this DPA, by way of a written contract. b10cks remains fully liable to Controller for the performance of Sub-processors' obligations under such contracts to the extent that b10cks itself would be liable under this DPA.
6.1. Transfers within the EEA. Personal Data processed under this DPA is primarily stored and processed within the European Economic Area (AWS eu-west-1, Ireland). b10cks shall not transfer Personal Data outside the EEA except as described in this Section 6.
6.2. Transfers to Third Countries. Certain Sub-processors (including OpenRouter and PostHog, where applicable) may process Personal Data outside the EEA. b10cks shall ensure that any such transfer is subject to an appropriate transfer mechanism under Chapter V GDPR, including:
(a) a European Commission adequacy decision in respect of the recipient country;
(b) the Standard Contractual Clauses (Module Two: Controller to Processor, or Module Three: Processor to Processor, as applicable), incorporating any supplementary measures required by applicable guidance from the European Data Protection Board; or
(c) another lawful transfer mechanism recognised under Applicable Data Protection Law.
6.3. SCCs. Where SCCs are used as the transfer mechanism, the relevant module of the SCCs is incorporated into this DPA by reference and shall prevail over any conflicting provisions of this DPA with respect to the relevant transfer. b10cks will make copies of applicable SCCs available to Controller upon written request.
7.1. Notification by b10cks. b10cks shall notify Controller without undue delay, and in any event within seventy-two (72) hours of becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA. Notification shall be made by email to the address associated with Controller's Account.
7.2. Content of Notification. The notification shall include, to the extent available at the time of notification:
(a) a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records affected;
(b) the name and contact details of b10cks's data protection point of contact;
(c) a description of the likely consequences of the Personal Data Breach; and
(d) a description of the measures taken or proposed to address the breach and mitigate its effects.
Where all required information cannot be provided at once, b10cks may provide it in phases without undue delay.
7.3. Controller Obligations. Controller is solely responsible for determining whether and when to notify the competent Supervisory Authority and/or affected Data Subjects of a Personal Data Breach, in accordance with Articles 33 and 34 GDPR.
7.4. No Acknowledgment of Fault. b10cks's notification of a Personal Data Breach does not constitute an acknowledgment of fault or liability in connection with the breach.
Where Controller is required to carry out a data protection impact assessment ("DPIA") under Article 35 GDPR in connection with its use of the b10cks Services, b10cks shall provide reasonable cooperation and assistance to Controller, including making available relevant information about b10cks's processing activities and security measures, to the extent necessary and within b10cks's reasonable control.
b10cks shall maintain records of processing activities carried out on behalf of Controller as required under Article 30(2) GDPR, including the categories of processing carried out, details of international transfers, and references to applicable security measures. Such records shall be made available to Controller and to the competent Supervisory Authority upon request.
10.1. Allocation. Each Party's liability under this DPA is subject to the limitations and exclusions set out in Section 12 of the Terms of Service, to the extent permitted by Applicable Data Protection Law.
10.2. GDPR Liability. Nothing in this DPA limits either Party's liability to Data Subjects or Supervisory Authorities under Applicable Data Protection Law. As between the Parties, if either Party is held liable under Article 82 GDPR for damage caused in part by the other Party, the other Party shall indemnify the first Party to the extent of its responsibility for such damage, subject to the caps and limitations in the Terms of Service.
This DPA enters into force on the Effective Date and remains in effect for the duration of the Agreement. Termination of the Agreement automatically terminates this DPA, subject to Section 4.6 (deletion obligations) and any other provisions that by their nature survive termination.
This DPA is governed by the laws of the Republic of Austria. Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the competent courts in Vienna, Austria, consistent with Section 14.2 of the Terms of Service.
| Field | Details |
|---|---|
| Subject matter | Processing of Personal Data contained in Customer Content submitted to and stored within the b10cks Services |
| Duration | For the duration of the Agreement plus the 90-day post-termination retention period |
| Nature of processing | Storage, retrieval, transmission, display, deletion, backup, and AI-assisted processing of Customer Content |
| Purpose of processing | Provision of the b10cks headless CMS and digital experience platform services to Controller |
| Categories of Personal Data | Names, email addresses, user-generated text content, images, usage data, and any other personal data submitted by Controller or its Users within Customer Content; may include special category data if submitted by Controller (see AI Terms Section 7.2) |
| Categories of Data Subjects | Controller's Users; end users of Controller's digital products and services; any natural persons whose data is contained in Customer Content |
| Controller's contact | As set out in Controller's Account or Order Form |
| Processor's contact | Coder's Cantina e.U., Wehlistraße 291/1/47, 1020 Vienna, Austria — hello@b10cks.com |
b10cks implements and maintains the following technical and organisational measures for the protection of Personal Data processed under this DPA:
Access Control. Logical access to production systems is restricted to authorised b10cks personnel on a need-to-know basis. Access is managed through role-based access controls (RBAC) and multi-factor authentication (MFA). Access rights are reviewed regularly and revoked promptly upon personnel changes.
Encryption. All Personal Data is encrypted in transit using TLS 1.2 or higher. Data at rest within AWS Aurora DB, OpenSearch Cluster, and Valkey Cache is encrypted using AES-256. Encryption keys are managed through AWS Key Management Service (KMS).
Infrastructure Security. The b10cks Services are hosted on AWS eu-west-1 (Ireland) within a Virtual Private Cloud (VPC) with network segmentation, private subnets for data stores, and security group policies restricting inbound and outbound traffic. CloudFront CDN is used for content delivery with HTTPS enforced.
Availability and Resilience. b10cks uses AWS managed services with built-in high availability and multi-availability-zone redundancy for Aurora DB, OpenSearch, and Valkey Cache. Regular automated backups are performed. Incident response and disaster recovery procedures are maintained and tested periodically.
Monitoring and Logging. System and access logs are collected and monitored for anomalous activity. PostHog is used for internal usage analytics and error monitoring, subject to its own data protection commitments. Alerts are configured for potential security incidents.
Vulnerability Management. b10cks applies security patches and updates to infrastructure components on a regular basis. Dependency scanning is performed as part of the software development lifecycle.
Personnel Measures. b10cks personnel with access to Personal Data are subject to contractual confidentiality obligations and receive data protection awareness training.
Incident Response. b10cks maintains a documented incident response procedure, including notification workflows consistent with Section 7 of this DPA.
The following Sub-processors are authorised by Controller as of the Effective Date. The current and up-to-date list is maintained at https://www.b10cks.com/legal/dpa.
| Sub-processor | Entity / Country | Processing Purpose | Personal Data Processed | Transfer Mechanism |
|---|---|---|---|---|
| Amazon Web Services (AWS) | Amazon Web Services EMEA SARL, Luxembourg (infrastructure in AWS eu-west-1, Ireland) | Cloud hosting, database (Aurora), search (OpenSearch), caching (Valkey), CDN (CloudFront) | All Personal Data stored in the b10cks Services | Intra-EEA transfer; AWS DPA with SCCs for onward transfers |
| OpenRouter | OpenRouter, Inc., USA | AI model routing and inference for AI Features | Prompts and Customer Content submitted to AI Features | SCCs (Module Two) |
| PostHog | PostHog, Inc., USA (EU Cloud option available) | Product analytics, usage tracking, error monitoring | Account Information, usage events, error context | SCCs (Module Two) or EU Cloud (intra-EEA) |
| Lemon Squeezy | Lemon Squeezy LLC (Merchant of Record), USA | Payment processing, subscription management, invoicing | Billing information, Account Information, transaction data | SCCs (Module Two); Lemon Squeezy acts as Merchant of Record and independent data controller for payment data |
This Data Processing Agreement is entered into between Coder's Cantina e.U. (Processor) and the Customer (Controller) as part of the Agreement. For questions regarding this DPA, please contact hello@b10cks.com.