DATA PROCESSING AGREEMENT
Effective date: 6 May 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Main Agreement") between:
(1) Ubique d.o.o., a company incorporated in Croatia, with its registered office at Kikićeva 7, 10000 Zagreb, Croatia, OIB HR 90787328659, operator of droplana.com ("Droplana", "Processor"); and
(2) the customer who has accepted the Main Agreement ("Customer", "Controller").
(each a "Party" and together the "Parties")
This DPA reflects the Parties' agreement on the processing of Personal Data carried out by Droplana on behalf of the Customer in connection with the Services. It is incorporated by reference into the Main Agreement.
If there is any conflict between this DPA and the Main Agreement, this DPA prevails with respect to the processing of Personal Data.
1. Definitions
Capitalized terms not defined in this DPA have the meaning given to them in the Main Agreement. The following definitions apply:
- "Data Protection Laws" means all applicable laws relating to data protection and privacy, including the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") and any national implementing legislation, as amended from time to time.
- "Personal Data" has the meaning given in the GDPR.
- "Processing", "Controller", "Processor", "Data Subject", "Personal Data Breach", and "Supervisory Authority" have the meanings given in the GDPR.
- "Services" means the Droplana client portal service made available to the Customer under the Main Agreement.
- "Subprocessor" means any third party engaged by Droplana to Process Personal Data on behalf of the Customer.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries set out in Commission Implementing Decision (EU) 2021/914, Module Two (Controller to Processor).
2. Roles and scope
2.1 Roles. With respect to Customer Personal Data Processed under the Services:
- the Customer is the Controller; and
- Droplana is the Processor.
2.2 Scope of Processing. Droplana will Process Customer Personal Data only to the extent necessary to provide the Services, in accordance with this DPA, the Main Agreement, and the documented instructions of the Customer.
The Customer's instructions for Processing are set out in this DPA, the Main Agreement, and the configuration choices the Customer makes within the Services (such as creating clients, uploading files, sending messages).
2.3 Details of Processing. The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects involved in the Processing are set out in Annex 1.
2.4 Compliance with laws. Each Party will comply with its respective obligations under the Data Protection Laws.
3. Droplana obligations as Processor
3.1 Documented instructions. Droplana will Process Personal Data only on the documented instructions of the Customer, including with regard to transfers of Personal Data, unless required to do otherwise by applicable law. If a legal requirement applies, Droplana will inform the Customer of that requirement before Processing, unless the law prohibits such notice on important grounds of public interest.
3.2 Confidentiality. Droplana will ensure that personnel authorized to Process Personal Data are bound by appropriate written confidentiality obligations.
3.3 Security. Droplana will implement appropriate technical and organizational measures to protect Personal Data, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk to Data Subjects. The measures in place at the effective date of this DPA are described in Annex 3.
3.4 Subprocessors. Droplana may engage Subprocessors in accordance with Section 5.
3.5 Data Subject requests. Droplana will provide reasonable assistance to the Customer, taking into account the nature of the Processing and the information available to Droplana, to enable the Customer to respond to requests by Data Subjects exercising their rights under the GDPR. Where technically feasible, Droplana will make available within the Services functionality for the Customer to fulfill such requests directly (such as the data export and account deletion features).
3.6 Assistance with controller obligations. Droplana will provide reasonable assistance to the Customer in ensuring compliance with the Customer's obligations under Articles 32 to 36 GDPR, taking into account the nature of the Processing and the information available to Droplana.
3.7 Return or deletion of data. At the end of the Services, Droplana will, at the Customer's choice, delete or return all Personal Data and delete existing copies, unless retention is required by applicable law. The Customer can self-serve account deletion (which performs an irreversible hard delete) and data export (JSON format) at any time during the term via the Services.
3.8 Audit information. Droplana will make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA, in accordance with Section 9.
3.9 Notification of unlawful instructions. Droplana will inform the Customer if, in its opinion, an instruction infringes the Data Protection Laws.
4. Customer obligations as Controller
4.1 Lawful basis. The Customer warrants that it has a valid legal basis under the Data Protection Laws for the Processing of Personal Data through the Services and that its instructions to Droplana comply with the Data Protection Laws.
4.2 Notice and consent. The Customer is responsible for providing any required notices and obtaining any required consents from Data Subjects (including the Customer's own clients and the clients' representatives who use the portal) for the Processing carried out through the Services.
4.3 Customer responsibilities. The Customer is responsible for:
- the accuracy, quality, and legality of Personal Data uploaded to the Services;
- the means by which the Customer acquired the Personal Data;
- ensuring that Customer personnel and authorized representatives keep their access credentials confidential;
- the configuration of access tokens and the distribution of portal links to clients; and
- the lawfulness of the Customer's instructions to Droplana.
5. Subprocessors
5.1 General authorization. The Customer grants Droplana general authorization to engage Subprocessors to perform Processing on the Customer's behalf, subject to this Section 5.
5.2 Current Subprocessors. The current Subprocessors are listed in Annex 2. The list is also published at https://droplana.com/dpa#subprocessors and updated when the list changes.
5.3 Notice of changes. Droplana will notify the Customer at least 30 days before any addition or replacement of a Subprocessor by updating the public list and, where the Customer has subscribed to subprocessor change notifications, by email.
5.4 Right to object. The Customer may object to the addition or replacement of a Subprocessor on reasonable grounds related to data protection within 30 days of notification. If the Parties cannot reach agreement, the Customer may terminate the affected Services for cause without penalty.
5.5 Subprocessor obligations. Droplana will impose contractual obligations on each Subprocessor that are no less protective than those set out in this DPA, particularly with respect to data protection, confidentiality, and security.
5.6 Liability. Droplana remains fully liable to the Customer for the performance of each Subprocessor's obligations.
6. Data Subject rights
6.1 Direct requests. If a Data Subject sends a request directly to Droplana, Droplana will, where it can identify that the request relates to Customer data, forward the request to the Customer without undue delay and will not respond to the Data Subject directly except to confirm receipt.
6.2 Customer assistance. Droplana will provide reasonable assistance to the Customer in handling Data Subject requests, including by:
- providing functionality within the Services that allows the Customer to access, export, rectify, or delete Personal Data;
- providing information necessary to enable the Customer to respond to a request; and
- where the Customer cannot reasonably fulfill the request through self-service, taking reasonable additional steps at the Customer's request.
6.3 Costs. Droplana provides the assistance described in this Section 6 at no additional charge for routine requests. For requests that require materially disproportionate effort, the Parties will agree on reasonable compensation in advance.
7. Personal Data Breaches
7.1 Notification. Droplana will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting the Customer's Personal Data.
7.2 Information provided. The notification will include, to the extent then known:
- the nature of the Personal Data Breach, including categories and approximate number of Data Subjects and records concerned;
- the likely consequences of the Personal Data Breach;
- the measures taken or proposed to address the Personal Data Breach and to mitigate its possible adverse effects; and
- the contact point for further information.
7.3 Cooperation. Droplana will cooperate with the Customer in good faith and provide reasonable assistance in connection with the Customer's notification obligations to Supervisory Authorities and Data Subjects under Articles 33 and 34 GDPR.
7.4 No admission of liability. A notification provided under this Section 7 is not an acknowledgment of fault or liability.
8. International transfers
8.1 Primary processing location. Droplana primarily Processes Personal Data within the European Union (in Frankfurt, Germany).
8.2 Transfers outside the EEA. Where a Subprocessor processes Personal Data outside the European Economic Area, the United Kingdom, Switzerland, or another country recognized by the European Commission as providing an adequate level of protection, the Parties agree that:
- the Standard Contractual Clauses (Module Two: Controller to Processor) are incorporated by reference into this DPA, with the Customer as data exporter and the Subprocessor as data importer;
- the optional docking clause does not apply unless the Parties expressly agree;
- supervision is by the Supervisory Authority of the country of the Customer's establishment, or where the Customer is not established in the EU, the Croatian Personal Data Protection Agency (AZOP);
- governing law for the SCCs is the law of the Republic of Croatia; and
- Annex I of the SCCs is populated using the information in Annex 1 and Annex 2 of this DPA.
8.3 UK Addendum. Where the Customer is established in the United Kingdom or otherwise subject to UK data protection law, the Parties agree that the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (issued by the UK Information Commissioner) applies to any transfer of Personal Data to a Subprocessor outside the United Kingdom and a country recognized as adequate.
9. Audits
9.1 Audit information. Droplana will make available to the Customer the information reasonably necessary to demonstrate compliance with this DPA, including:
- this DPA and any relevant publicly available documentation (such as the Security & Privacy page);
- the most recent versions of any applicable third-party audit reports, certifications, or attestations (where available);
- summaries of internal security reviews (where appropriate);
- responses to reasonable written security questionnaires.
9.2 On-site audits. If the information made available under Section 9.1 is insufficient to demonstrate compliance, the Customer may, no more than once per twelve-month period and on at least 30 days' written notice, conduct an audit of Droplana's processing activities relevant to this DPA, subject to the following:
- the audit is conducted during normal business hours and in a manner that does not unreasonably interfere with Droplana's operations;
- the auditor is bound by appropriate confidentiality obligations;
- the audit does not access information that would compromise the data of other Droplana customers;
- the Customer bears its own costs and reimburses Droplana's reasonable costs for an audit that goes beyond the information provided under Section 9.1.
9.3 Supervisory Authority. Nothing in this Section limits the rights of any Supervisory Authority.
10. Term and termination
10.1 Term. This DPA takes effect on the effective date and continues for the duration of the Main Agreement.
10.2 Survival. Sections 3.7 (return or deletion), 7 (Personal Data Breaches in respect of breaches discovered after termination but relating to in-term Processing), 9 (audits in respect of in-term Processing), and 11 (liability) survive termination of this DPA.
10.3 Effect of termination on data. On termination of the Main Agreement, Droplana will delete or return Personal Data in accordance with Section 3.7. The Customer can also export and delete data via the self-service features at any time.
11. Liability
11.1 Liability cap. Each Party's total liability arising out of or related to this DPA, whether in contract, tort, or any other theory of liability, is subject to the limitations and exclusions of liability set out in the Main Agreement.
11.2 Statutory rights. Nothing in this DPA limits liability that cannot be limited under applicable law, including liability for damage caused intentionally or by gross negligence.
12. General
12.1 Governing law. This DPA is governed by the laws of the Republic of Croatia, without regard to its conflict of laws principles. The courts of Zagreb, Croatia have exclusive jurisdiction over any disputes arising out of or in connection with this DPA, subject to mandatory provisions of applicable law.
12.2 Order of precedence. In the event of a conflict between this DPA and the Main Agreement, this DPA prevails with respect to the Processing of Personal Data.
12.3 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remainder of the DPA remains in full force and effect.
12.4 Notices. Notices under this DPA must be sent:
- to Droplana: dpa@droplana.com
- to the Customer: the email address associated with the Customer's account.
12.5 Updates. Droplana may update this DPA from time to time to reflect changes required by applicable law or operational changes (such as Subprocessor changes). Material changes will be notified at least 30 days in advance via email or in-product notice.
12.6 Entire agreement. This DPA, together with the Main Agreement, constitutes the entire agreement between the Parties regarding the Processing of Personal Data.
12.7 Acceptance. This DPA is accepted by the Customer when the Customer accepts the Main Agreement, by continuing to use the Services after this DPA is made available, or by signing a counterpart provided on request. Either Party may request a counter-signed copy by emailing dpa@droplana.com.
ANNEX 1 — Description of Processing
A. Subject matter and purpose
The subject matter of the Processing is the provision of the Droplana client portal service: a tool that allows the Customer (a freelancer, agency, consultant, or small firm) to share files and exchange messages with the Customer's own clients and projects.
The purpose of the Processing is to enable the Customer to:
- create and manage portals for the Customer's clients;
- upload, store, and share files with those clients;
- exchange messages and per-file status updates with those clients;
- manage access to those portals (token generation, revocation, regeneration);
- receive operational metadata (download events, comment seen state).
B. Duration of Processing
For the duration of the Customer's account on the Services, plus any retention required to meet the Parties' legal obligations or as set out in Section 3.7 of the DPA. The Customer can hard-delete the account and all associated data at any time via the Account → Delete account feature.
C. Nature of the Processing
- Storage of files in EU-hosted S3-compatible object storage (Hetzner, Germany)
- Storage of metadata, comments, status, and events in EU-hosted PostgreSQL database (Hetzner, Germany)
- Transmission of authentication and notification emails via Brevo (France)
- Generation and delivery of portal access links
- Logging of operational and security events in server logs
D. Categories of Data Subjects
The Personal Data processed under the Services may relate to:
- the Customer's own representatives (the natural persons who hold and operate the Customer's Droplana account);
- the Customer's clients (natural persons or representatives of legal entities that the Customer interacts with through the Services); and
- additional individuals whose Personal Data the Customer chooses to upload to the Services (for example, individuals named in documents uploaded as files).
E. Categories of Personal Data
The following categories of Personal Data may be Processed:
About the Customer's representatives:
- email address
- account identifiers (slug, user ID)
- session metadata (IP address, timestamp, user agent)
- audit log entries (login events, access token operations, account changes)
- billing-related identifiers (subscription IDs — billing details themselves are processed by Paddle, not stored by Droplana)
About the Customer's clients (portal users):
- name (as entered by the Customer)
- portal session metadata (IP address, timestamp during portal use)
- file download events (timestamp, file identifier)
- comment content (where the client sends comments via the portal)
About anyone whose data the Customer chooses to upload:
- any Personal Data contained within files the Customer uploads (e.g. names, contact details, documents containing identifying information)
- any Personal Data contained within messages the Customer or the Customer's client sends through the Services
The Services are general-purpose. Droplana does not require or solicit any specific category of Personal Data and does not access the contents of files or messages except as necessary to operate or secure the Services.
F. Special categories of Personal Data
The Customer is responsible for ensuring that any uploading of special categories of Personal Data (Article 9 GDPR) or data relating to criminal convictions and offences (Article 10 GDPR) is appropriate for the Customer's use case. Droplana is not certified for, and is not appropriate for, the processing of protected health information regulated under HIPAA, or for any other use case that requires specific regulatory certifications that Droplana does not hold.
ANNEX 2 — Subprocessors
The following Subprocessors are engaged to provide infrastructure and supporting services. The current list is also published at https://droplana.com/dpa#subprocessors.
| Subprocessor | Service provided | Location of processing | Data Processed |
|---|---|---|---|
| Hetzner Online GmbH | Application server hosting, PostgreSQL database hosting, and S3-compatible object storage | EU (Germany) | All Customer data (database records, files, server logs) |
| Sendinblue SAS (Brevo) | Transactional email delivery | EU (France) | Email addresses of recipients, subject and body of authentication and notification emails |
| Paddle.com Market Limited | Payment processing, invoicing, and tax compliance (Merchant of Record) | UK and EU | Customer billing details, transaction records, tax-relevant identifiers |
| Internet Security Research Group (Let's Encrypt) | TLS certificate issuance via Caddy | Globally distributed | Domain names only; no Personal Data |
Droplana will update this list when adding, replacing, or removing a Subprocessor, in accordance with Section 5 of the DPA.
ANNEX 3 — Technical and Organizational Measures
This Annex describes the technical and organizational measures implemented by Droplana to ensure an appropriate level of security for the Personal Data Processed under the Services, in accordance with Article 32 GDPR.
1. Pseudonymization and encryption of Personal Data
- Encryption in transit: All connections to the Services use HTTPS with TLS 1.2 or 1.3. Strict-Transport-Security (HSTS) headers are set to enforce HTTPS for one year, including subdomains.
- Encryption at rest: Files in object storage are encrypted at rest using AES-256 server-side encryption. The PostgreSQL database is also encrypted at rest. Encryption keys are managed by the underlying infrastructure providers.
- Authentication tokens: Magic-link tokens and portal access tokens are 32 random bytes, hashed using SHA-256 before storage. Raw tokens are never logged.
2. Confidentiality, integrity, availability, and resilience of processing systems
- Authentication: Magic-link based authentication for the business side. Token-based authentication for the client portal side, with one-time token exchange for portal sessions. No password storage.
- Authorization: All data access is scoped at the application level by the authenticated business identifier. Every database query that touches client data is constrained to the authenticated business.
- Per-tenant isolation: Each customer's data is logically isolated. There is no shared workspace model. Cross-tenant access is prevented by architectural constraints, not by configurable permissions.
- CSRF protection: All state-changing requests require a double-submit cookie token check.
- Rate limiting: Sensitive operations (magic link issuance, portal token exchange) are rate-limited to mitigate abuse.
- Network security: The Services are fronted by a reverse proxy that handles automatic TLS termination, HTTP-to-HTTPS redirection, and the application of security headers (HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy).
- Logging: Application activity is logged using structured logging with daily rotation. Security-relevant events (authentication, token operations, account deletions, rate-limit hits) are recorded as audit events. Authentication tokens are never logged in raw form.
3. Availability and resilience
- The Services are monitored continuously via a public health-check endpoint and external uptime monitoring.
- The PostgreSQL database is hosted on Hetzner infrastructure with automated daily backups. Backups are used for disaster recovery only, are not user-accessible, and expire on the schedule defined by Droplana's infrastructure provider.
- File storage is hosted on Hetzner managed S3-compatible object storage with provider-level redundancy.
4. Restoration of availability and access to Personal Data
- The Customer can export all Personal Data associated with the Customer's account at any time via the JSON data export functionality.
- In the event of a system-level data loss, restoration is performed from backups maintained by the database host.
5. Process for regularly testing, assessing, and evaluating the effectiveness of measures
- Security-relevant code changes are reviewed before deployment.
- Dependencies are kept up to date via routine review.
- Security incidents are reviewed post-incident with corrective measures recorded.
- Customers are encouraged to report suspected vulnerabilities to security@droplana.com.
6. User account access controls and personnel measures
- Personnel with access to systems Processing Personal Data are bound by written confidentiality obligations.
- Access to production systems is restricted to personnel who require it for their role.
- Personnel access is reviewed when roles change or when personnel leave.
7. Subprocessor oversight
- Each Subprocessor is selected based on, among other things, its security and data protection posture.
- Each Subprocessor is bound by contractual terms imposing obligations no less protective than those in this DPA.
8. Data minimization
- The Services collect only the Personal Data needed to operate. Droplana does not run third-party analytics scripts or trackers and does not collect telemetry beyond what is needed for security and operation.
- The Services do not require, and do not solicit, any special category Personal Data from the Customer's clients.
9. Data retention and deletion
- Customer-facing self-service: account deletion via the Services performs an irreversible hard delete of all Customer Personal Data, including files in object storage, database records, sessions, magic links, and subscription metadata.
- Customer data is retained for the duration of the Customer's account and as required by applicable law (e.g. invoice records for tax compliance purposes).
- Database backups are retained for the period defined by the database host and expire automatically.
10. Security incident management
- Suspected or confirmed Personal Data Breaches are escalated immediately to designated personnel.
- Customers will be notified in accordance with Section 7 of the DPA.
- Reports of security vulnerabilities can be submitted to security@droplana.com.
Contact
For questions about this DPA or to request a counter-signed copy, contact dpa@droplana.com.