postservice.at

Data Processing Agreement

pursuant to Art. 28 GDPR (General Data Protection Regulation, Regulation (EU) 2016/679)

This is a convenience translation. The German version of this page is legally binding.

Parties

This Data Processing Agreement (hereinafter the "Agreement") is concluded between the respective customer of the postservice.at platform (hereinafter the "controller" or "client") and the contractor:

1010 Works GmbH
Seitenstettengasse 5/37, 1010 Wien
represented by Stephan Holzbach, Managing Director
(hereinafter the "processor").

The controller and the processor are hereinafter referred to collectively as the "parties" and individually as a "party". This Agreement enters into force upon conclusion of the underlying service contract via postservice.at.

Preamble

The controller uses the services of the processor within the scope of the service contract for virtual office services and postal services via the postservice.at platform. In the course of providing these services, the processor processes personal data on behalf of the controller. This Agreement governs the rights and obligations of the parties in connection with the processing of personal data pursuant to Art. 28 GDPR.

§ 1 Subject matter and duration of the processing

(1) The subject matter of this Agreement is the processing of personal data by the processor within the scope of the following services:

  • Receipt, sorting and forwarding of mail
  • Scanning and digital transmission of mail contents to the controller
  • Provision of a business address (virtual office address)
  • Telephone service and call forwarding (where commissioned)
  • Access management for coworking premises (where commissioned)

(2) The duration of the processing is governed by the term of the service contract between the parties. This Agreement ends automatically upon termination of the service contract.

§ 2 Nature and purpose of the processing

The processing is carried out exclusively for the purpose of performing the services set out in § 1. The nature of the processing includes in particular:

  • Collection and storage of contact data of the controller and its employees/business partners
  • Scanning, digital capture and transmission of mail contents
  • Physical storage and forwarding of mail
  • Logging of incoming calls (where commissioned)

§ 3 Type of personal data

The following categories of personal data are the subject of the processing:

  • Names and contact data (address, telephone number, email) of the controller, its employees and business partners
  • Business correspondence and its contents (where scanned)
  • Sender information of incoming mail
  • Call information (caller name, telephone number, time of call, message content)
  • Access data for coworking premises (name, timestamp)

§ 4 Categories of data subjects

The data subjects are:

  • Employees, managing directors and corporate bodies of the controller
  • Customers and business partners of the controller
  • Senders of mail to the controller
  • Callers to the controller

§ 5 Obligations of the processor

(1) The processor processes personal data exclusively on documented instructions from the controller, unless required to process by Union law or the law of the member state to which the processor is subject (Art. 28 (3) lit. a GDPR).

(2) The processor ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Art. 28 (3) lit. b GDPR).

(3) The processor takes all technical and organisational measures required pursuant to Art. 32 GDPR (see Annex 1).

(4) The processor does not engage another processor without the prior specific or general written authorisation of the controller. In the case of a general written authorisation, the processor informs the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes (Art. 28 (2) GDPR).

(5) Taking into account the nature of the processing, the processor assists the controller, where possible, by appropriate technical and organisational measures in fulfilling the controller’s obligation to respond to requests for exercising data subject rights (Art. 28 (3) lit. e GDPR).

(6) The processor assists the controller in ensuring compliance with the obligations set out in Art. 32 to 36 GDPR (security of processing, notification of breaches, data protection impact assessment, prior consultation).

(7) At the end of the provision of the processing services, the processor, at the choice of the controller, deletes or returns all personal data and deletes existing copies, unless storage is required under Union law or national law (Art. 28 (3) lit. g GDPR).

(8) The processor makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR, and allows for and contributes to audits, including inspections (Art. 28 (3) lit. h GDPR).

§ 6 Obligations of the controller

(1) The controller is solely responsible for the lawfulness of the data processing and for safeguarding the rights of the data subjects.

(2) The controller issues all orders, sub-orders and instructions as a rule in writing or in a documented electronic format. Oral instructions must be confirmed without delay in writing or electronically.

(3) The controller informs the processor without delay if it detects errors or irregularities in the processing of personal data.

§ 7 Sub-processors

(1) The controller hereby grants the processor general authorisation to engage further processors (sub-processors).

(2) The processor informs the controller at least 14 days before the intended engagement or replacement of a sub-processor. The controller may object to the change within 14 days of receipt of the information.

(3) When engaging sub-processors, the processor ensures that the same data protection obligations as set out in this Agreement are imposed on them.

(4) A list naming the sub-processors engaged at the time of conclusion of the contract forms part of this Agreement as Annex 2. An always-current version is additionally published at postservice.at/en/data-processing-agreement#anlage-2.

§ 7a Transfer of data to third countries

(1) Insofar as personal data is transferred to sub-processors established in a country outside the European Economic Area (EEA) under this Agreement, or may be processed there, the processor ensures that an appropriate safeguard within the meaning of Art. 44 et seq. GDPR is in place.

(2) Appropriate safeguards may in particular include:

  • Adequacy decision of the European Commission pursuant to Art. 45 GDPR (e.g. EU-US Data Privacy Framework for certified US recipients)
  • Standard Contractual Clauses (SCCs) pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 as amended from time to time
  • UK International Data Transfer Addendum or UK IDTA, insofar as relevant for transfers from the United Kingdom

(3) The processor has carried out a Transfer Impact Assessment (TIA) and, where necessary, takes supplementary technical measures (encryption in transit and at rest, access restriction, choice of EU region for hosting) to ensure the level of protection of the GDPR.

(4) The specific third-country transfers, the respective recipient country and the safeguards applied are documented in Annex 2 of this Agreement.

§ 8 Notification obligation in the event of data breaches

(1) The processor notifies the controller of any breach of the protection of personal data without delay, and at the latest within 24 hours of becoming aware of it.

(2) The notification contains at least the following information:

  • A description of the nature of the breach, where possible including the categories and approximate number of data subjects and records concerned
  • The name and contact details of the data protection officer or other point of contact
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to remedy the breach

§ 9 Data subject rights

(1) If a data subject contacts the processor with a request to exercise their rights (Art. 15–22 GDPR), the processor forwards the request to the controller without delay.

(2) The processor assists the controller, within its means, in responding to such requests.

§ 10 Inspection rights of the controller

(1) The controller has the right to verify the processor’s compliance with data protection provisions and the contractual agreements. This may be done by means of on-site inspections, examination of documents or by commissioning an independent auditor.

(2) Upon request, the processor makes available to the controller the information necessary to carry out the inspection.

(3) Inspections are to be carried out with due regard to the processor’s business operations and with at least 14 days’ prior notice, except in the case of justified suspicion of data protection violations.

§ 11 Liability

The liability of the parties is governed by the provisions of the GDPR, in particular Art. 82 GDPR, as well as by the general statutory provisions.

§ 12 Final provisions

(1) This Agreement is governed by Austrian law. The exclusive place of jurisdiction is Vienna.

(2) Should individual provisions of this Agreement be or become invalid, this does not affect the validity of the remaining provisions. The parties undertake to replace the invalid provision with a valid arrangement that comes as close as possible to the economic purpose of the invalid provision.

(3) Amendments and supplements to this Agreement must be made in writing.

(4) This Agreement forms part of the service contract between the parties.

Annex 1: Technical and organisational measures pursuant to Art. 32 GDPR

1. Confidentiality (Art. 32 (1) lit. b GDPR)

Physical access control:

  • Access to the business premises exclusively by means of an electronic access system (EVVA AirKey)
  • Logging of all entries
  • Access authorisation only for authorised personnel

System access control:

  • Password-protected systems with minimum requirements for password complexity
  • Two-factor authentication for administrative access
  • Automatic screen lock

Data access control:

  • Role-based authorisation concept
  • Access to customer data only for authorised employees
  • Logging of access to personal data

Separation control:

  • Multi-tenant systems, strict separation of customer data
  • Separate storage of physical mail per customer

2. Integrity (Art. 32 (1) lit. b GDPR)

Transfer control:

  • Encrypted transmission of all data via TLS 1.2+ / HTTPS between the platform and the customers’ end devices
  • Encrypted transmission of scanned documents for storage in an EU-hosted object storage
  • Encrypted email communication via TLS (Microsoft 365), insofar as the receiving mail server supports TLS
  • Encryption of the database (PostgreSQL) and the object storage at rest with the cloud provider

Input control:

  • Traceability of data capture, modification and deletion by means of audit logs
  • Versioning of critical records in the database

3. Availability and resilience (Art. 32 (1) lit. b, c GDPR)

  • Daily automatic database backups with the hosting provider including point-in-time recovery, retention in accordance with the provider SLA
  • Redundant hosting infrastructure with automatic failover
  • Fire and theft protection measures on the business premises
  • Secure physical storage of incoming mail in lockable filing cabinets
  • Recovery procedures and regular testing of backup restoration

4. Procedures for regular review (Art. 32 (1) lit. d GDPR)

  • Regular internal review of the technical and organisational measures
  • Awareness-raising and training of employees in data protection
  • Documented data protection management
  • Incident response process for data breaches
  • Selection of sub-processors exclusively after a GDPR-compliant prior assessment (DPA, SCCs, certifications, choice of EU region where possible)

Annex 2: List of sub-processors and systems used

The following sub-processors are involved, as at the date of this Agreement, in the provision of the services via postservice.at.

A. Hosting & infrastructure

Provider: Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA
  • Registered office / place of processing: USA (controlling company); function execution primarily in the Frankfurt region (fra1)
  • Purpose / data categories: Hosting of the postservice.at platform, serverless function execution; processes log data, IP addresses, submitted form data
  • Safeguard for third country: DPA including EU Standard Contractual Clauses (Module 2 + 3) pursuant to Decision 2021/914; supplementary technical measures

Provider: Vercel Blob Storage (via Vercel Inc.)
  • Registered office / place of processing: Frankfurt region (eu-central, AWS S3-based)
  • Purpose / data categories: Storage of scanned mail, uploaded documents, customer profile images/logos
  • Safeguard for third country: Processing in the EU; contractual safeguards as above

Provider: Neon Inc. (subsidiary of Databricks Inc.), San Francisco, CA, USA
  • Registered office / place of processing: Frankfurt region (eu-central-1, AWS)
  • Purpose / data categories: Managed PostgreSQL database; processes all structured customer, mail and contract data
  • Safeguard for third country: DPA including EU Standard Contractual Clauses; data remains in the EU region

B. Email and communication services

Provider: Microsoft Ireland Operations Limited, One Microsoft Place, Dublin 18, D18 P521, Ireland
  • Registered office / place of processing: EU Data Boundary (Microsoft 365 / Exchange Online)
  • Purpose / data categories: Business mailbox hello@postservice.at, sending and receiving of correspondence with customers, mail notifications
  • Safeguard for third country: Microsoft Products and Services DPA; processing within the EU Data Boundary

Provider: Resend, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA
  • Registered office / place of processing: USA (with EU region for transactional sending, where available)
  • Purpose / data categories: Sending of transactional emails (order confirmations, notifications of received mail, account emails)
  • Safeguard for third country: DPA including EU Standard Contractual Clauses; supplementary technical measures

C. Payment processing & contract management

Provider: Chargebee Inc.
Head office: San Francisco, CA, USA
EU establishment: Piet Heinkade 55, 1019 GM Amsterdam, Netherlands
Operationally also: ChargeBee Technologies Pvt. Ltd., Chennai/Bengaluru, India
  • Registered office / place of processing: USA, Netherlands, India
  • Purpose / data categories: Subscription management, hosted checkout, invoicing, customer portal; processes name, billing address, email, VAT ID, contract data. The actual processing of card or account data is carried out by the respective connected payment service provider.
  • Safeguard for third country: DPA including EU Standard Contractual Clauses (Module 2); ISO 27001, SOC 1 + 2

D. Appointment and consultation booking

Provider: Cal.com, Inc., 2261 Market Street #4382, San Francisco, CA 94114, USA
  • Registered office / place of processing: USA
  • Purpose / data categories: Online booking of onboarding and consultation appointments; processes name, email, preferred date, notes field
  • Safeguard for third country: DPA including EU Standard Contractual Clauses; open-source code base

E. Access management (coworking)

Provider: EVVA Sicherheitstechnologie GmbH, Wienerbergstraße 59-65, 1120 Wien, Österreich
  • Registered office / place of processing: Austria (EU)
  • Purpose / data categories: AirKey/Xesar access system to the business premises; logs the entries of authorised persons as well as coworking users
  • Safeguard for third country: No third-country transfer (Austria/EU)

F. Web analytics & tag management (only after consent)

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent: Google LLC, USA)
  • Registered office / place of processing: EU primarily; transfer to the USA possible
  • Purpose / data categories: Google Tag Manager and Google Analytics 4 for pseudonymous reach measurement; activation exclusively after consent (Consent Mode v2). Google Ads for conversion tracking.
  • Safeguard for third country: Google Ads Data Processing Terms including EU Standard Contractual Clauses; IP anonymisation

Sub-processors used exclusively for the provision of internal services (e.g. accounting, code versioning, project management) without processing customer mail data are not part of this list, provided that no personal data of customers is transferred to them.

Contact for data protection questions

For questions regarding this Data Processing Agreement or about data protection in general, please contact:

1010 Works GmbH
Seitenstettengasse 5/37, 1010 Wien
Email: hello@postservice.at

Status: April 2026 (Version 2.0 – including Annex 2 sub-processor list and § 7a third-country transfer)