Laxio

Data Processing Agreement (DPA)

1. Parties

This Data Processing Agreement (hereinafter "DPA") is entered into between:

  • Data Processor: Jose Antonio Touriño Eirín, NIF 76827011L, Juan Bautista Andrade, Pontevedra, Spain (hereinafter, "the Processor" or "Laxio")
  • Data Controller: The company or professional that contracts Laxio services (hereinafter, "the Client")

2. Purpose of processing

The Processor shall process personal data on behalf of the Client exclusively for the provision of contracted Laxio platform services, which include:

  • Natural stone block inventory management
  • Client, supplier, and quote management
  • Order, delivery, and settlement management
  • Storage of associated files (block photographs, documents)

3. Types of data processed

In the course of service provision, the Processor may process the following categories of personal data:

  • Identification data: name, surname, tax ID, address, phone, email of Client's customers and suppliers
  • Platform user data: name, email, role, access activity
  • Commercial data: quotes, orders, rates, deliveries
  • Billing data: tax data necessary for invoice generation

4. Processor obligations

The Processor commits to:

  • Process data only in accordance with the Client's documented instructions and for the purpose described in this DPA
  • Not disclose data to third parties, except with explicit Client authorization or by legal obligation
  • Ensure that authorized persons processing data have committed to confidentiality
  • Implement appropriate technical and organizational measures to ensure data security (encryption in transit and at rest, access control, backups, tenant isolation)
  • Assist the Client in fulfilling obligations regarding data subject rights (access, rectification, erasure, portability, objection, restriction)
  • Notify the Client of any security breach affecting personal data within a maximum of 72 hours of detection

5. Security measures

The Processor has implemented the following technical and organizational measures:

  • TLS encryption on all communications (HTTPS)
  • Tenant data isolation (Row Level Security in PostgreSQL)
  • JWT authentication with refresh tokens and failed attempt lockout
  • Password hashing with bcrypt (factor 12)

6. Sub-processors

The Client authorizes the Processor to engage the following sub-processors: Hetzner Online GmbH (infrastructure hosting, Germany/EU), Resend Inc. (transactional email delivery, USA — with standard contractual clauses).

The Processor shall inform the Client of any change in sub-processors at least 30 days in advance, allowing the Client to object.

7. International transfers

Data is hosted on servers located in the European Union (Hetzner, Germany). In case of transfers to sub-processors outside the EEA, safeguards under Article 46 GDPR shall apply (standard contractual clauses approved by the European Commission).

8. Duration and termination

This DPA shall remain in force for the duration of the contractual relationship. Upon termination, the Processor shall:

  • Return or delete all personal data, at the Client's choice
  • Certify data deletion if requested
  • Be permitted to retain data in a blocked state for the legally required period

9. Contact

For any questions regarding this DPA or personal data processing, contact the Processor at: [email protected].

Last updated: April 2026