Data Processing Agreement (DPA)
NEVO · As of: 22 June 2026
This agreement supplements the Terms and Conditions between you ("Controller", "you") and Sigrid Aicher Photography, Sobieskigasse 37/6, 1090 Vienna, Austria ("Processor", "we") and applies automatically for the duration of your NEVO subscription as soon as you process personal data of your own customers in NEVO. A separate signature is not required; by concluding the NEVO contract, you also accept this DPA.
1. Subject Matter and Duration
1.1 You use NEVO to manage data of your own customers (pet owners) and their animals — for example, in connection with bookings, orders, appointments, and the storage of photos. To the extent that you process personal data in doing so, you are the controller under data protection law within the meaning of Art. 4 No. 7 GDPR. We process this data exclusively on your behalf and on your instructions as processor within the meaning of Art. 28 GDPR.
1.2 This agreement applies for the duration of your NEVO contract and ends automatically upon its termination, subject to the provisions on data deletion in Section 9.
2. Nature and Purpose of the Processing
We process the data exclusively to provide you with the operation of NEVO as Software-as-a-Service: storage, display, backup, and management of the data you enter, within the scope of the contractually agreed functions. There is no processing for our own purposes, in particular not for advertising or analytics purposes.
3. Type of Data and Categories of Data Subjects
3.1 Categories of data processed: Master data of your customers (name, contact details, address), data on their animals, order and appointment data, uploaded photos, and — to the extent used by you — signature data in connection with liability waivers.
3.2 Data subjects: Your customers (pet owners) and, where applicable, other persons named by them (e.g., additional contact persons).
3.3 Processing of special categories of personal data under Art. 9 GDPR (e.g., health data) is not intended within the scope of NEVO's intended use. Should you nevertheless enter such data, this is your sole responsibility.
4. Your Rights and Obligations as Controller
4.1 You are responsible for ensuring that the processing of your customers' data via NEVO has an appropriate legal basis (e.g., contract with your customer, consent) and that you inform your customers in accordance with Art. 13/14 GDPR.
4.2 You generally issue instructions to us through the intended use of NEVO (e.g., by entering, modifying, or deleting data via the application). Any further-reaching instructions are to be given in text form (e.g., email) to the address stated above.
4.3 If we consider one of your instructions to be unlawful, we will inform you immediately; pending clarification, we will suspend the affected processing, to the extent this is possible without significantly impairing ongoing operations.
5. Our Obligations as Processor
We undertake to:
(a) process the data exclusively on your documented instructions;
(b) bind all persons who have access to the data at our organization to confidentiality;
(c) take appropriate technical and organizational measures under Art. 32 GDPR;
(d) engage subprocessors only under the conditions of Section 7;
(e) support you in fulfilling your obligation to respond to requests from data subjects;
(f) support you in complying with your obligations under Art. 32 to 36 GDPR;
(g) after termination of the contract, either delete all data or make it available to you;
(h) provide you with the information necessary to demonstrate compliance with this agreement and enable audits within the scope of Section 8.
6. Technical and Organizational Measures
We employ, in particular, the following measures: encrypted data transmission (TLS), access separation between customer accounts at the database level (row-level security, each user sees only their own data), access restriction at the employee level on a need-to-know basis, and regular data backups at our hosting subprocessors. We continuously adapt these measures in line with the state of the art.
7. Subprocessors
7.1 You consent to the engagement of the following subprocessors:
- Railway Corporation, 548 Market St, San Francisco, CA 94104, USA — application hosting, servers in the EU
- Supabase Inc. (headquartered in Singapore) — database, authentication, file storage, servers in the EU (Frankfurt region)
7.2 If we wish to engage an additional subprocessor or replace an existing one, we will inform you in advance in text form. You may object within 14 days for good cause; in this case, we will jointly find a solution, or you will receive a special right of termination for your NEVO contract.
7.3 We ensure that agreements exist with all subprocessors that guarantee at least the level of data protection provided for in this DPA, including appropriate safeguards for data transfers to third countries.
8. Audit Rights
Upon request, you can satisfy yourself, to a reasonable extent, of compliance with this agreement, for example through the provision of relevant evidence, certificates, or self-disclosures from our subprocessors. You can request an on-site audit at our premises if a legitimate interest exists; you bear the costs of this, unless the suspicion is confirmed.
9. Deletion and Return After Termination
After termination of your NEVO contract, you can export your data within a reasonable period. After that, we will irrevocably delete all data stored by us and our subprocessors, unless a statutory retention obligation precludes this.
10. Reporting of Data Breaches
If we identify a breach of the protection of your data processed via NEVO, we will inform you immediately, no later than within 48 hours of becoming aware of it, with the information known to us at that time, so that you can comply with your own reporting obligations (Art. 33, 34 GDPR).
11. Liability
Liability between you and us under this agreement is governed by the liability provisions of our Terms and Conditions.