1. Subject & Scope

This Data Processing Agreement (“DPA”) is entered into between Storyblok (meaning the contracting Storyblok entity indicated on the Order Form or the Storyblok entity mentioned in the online sign-up process) and Customer (meaning the entity that executed or signed the Order Form and/or entered into the Agreement with Storyblok) and forms an integral part of the Agreement in relation to the Processing of Personal Data by Storyblok as Processor. If not agreed otherwise herein, the Storyblok General Terms and Conditions (“Storyblok GTC”) apply. In the event of any conflict between this DPA and the other terms of the Agreement, this DPA prevails. 

2. Definitions

Capitalized terms have the meanings set out below or, if not defined here, in the Agreement.

2.1. "Applicable Data Protection Laws" means all applicable data protection and privacy laws, including the GDPR and local laws implementing or supplementing the GDPR.

2.2. "Customer Data" means Personal Data uploaded, submitted or made available as part of Customer Content to the Storyblok Services by or on behalf of Customer as Controller.

2.3. "Personal Data", "Controller", "Processor", "Processing" and “Data Subject” shall have the meanings given in the GDPR.

2.4. "GDPR" or "General Data Protection Regulation" means the Regulation (EU) 2016/679 of the European Parliament and of the Council.

2.5. "Standard Contractual Clauses" or "SCC" means the Standard Contractual Clauses pursuant to GDPR and the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 or as updated from time to time.

2.6. "Security Incident" means - as confirmed by Storyblok’s reasonable discretion - any actual and confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data transmitted, stored or otherwise processed, and excluding any unsuccessful attempts or activities that do not compromise the security of Customer Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems or incidents caused by Customer or its failure to adequately secure infrastructure, data transfers, equipment, systems or accounts.

2.7. "Third Country" means a country which is not a member of the European Union (EU) or the European Economic Area (EEA).

2.8. "Sub-Processor" means any third party engaged by Storyblok to Process any Customer Data.

3. Description of Processing

Details of the subject matter, categories of Personal Data, purposes, and duration of processing are provided in Annex 1. Storyblok may update Annex 1 as reasonably required to reflect new features or functionalities, provided such updates do not materially reduce Customer’s data protection level.

4. Processing Instructions & Compliance

4.1. Permitted Purpose. Storyblok shall process Customer Data solely in accordance with documented instructions from Customer, including to provide the Storyblok Services and perform its rights and obligations under the Agreement and as required by Applicable Data Protection Laws ("Permitted Purpose"). Storyblok shall inform Customer without undue delay if an instruction violates Applicable Data Protection Laws.

4.2. Customer Obligations. Customer represents that it has a lawful basis for all Processing and is responsible for providing any necessary notices to, and obtaining and maintaining any necessary rights, consents, and authorizations from, Data Subjects whose Personal Data is provided by Customer to Storyblok. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Data and the means by which it was acquired. Customer remains the owner or holder of all related rights of Customer Data. Customer shall inform Storyblok without undue delay when noticing any mistakes, errors or other irregularities. Storyblok shall without undue delay correct such mistakes, errors or irregularities.

4.3. Cooperation. Storyblok shall, to the extent required by Applicable Data Protection Laws, reasonably assist Customer to respond to any requests, complaints or other communications from data subjects and government or authorities relating to the processing of Customer Data and with necessary data protection impact assessments or consultations with authorities.

4.4. Data Subject Rights & Requests. Storyblok shall enable Customer to fulfill Data Subject rights under Applicable Data Protection Law by implementing suitable technical and organizational measures. If Storyblok receives a Data Subject request relating to Customer Data, it will promptly forward the request to Customer and not respond directly unless authorized by Customer or required by law.

5. Sub-Processors

5.1. Authorized Sub-Processors. The current list of authorized Sub-Processors is provided in Annex 3 ("Authorized Sub-Processors") and may be updated by Storyblok from time to time in accordance with this section. 

5.2. Updates & Changes. Storyblok shall notify Customer (e.g. via email, electronic notification within the Storyblok Services or other reasonable means) of any intended addition or replacement of a sub-processor. Customer may object to a new sub-processor for legitimate, material reasons related to data protection within 14 days of notice, whereas if not objected, new sub-processors shall be deemed accepted after such period. Storyblok will discuss an objection in good faith. If no resolution is reached, either Party may terminate the Agreement with 30 days’ written notice, and Customer shall receive a pro-rata refund of prepaid fees for the unused subscription period following the effective date of the termination, calculated on a month-by-month basis, excluding any consumption based fees; any further claims by Customer resulting from such termination shall be excluded or waived.

5.3. Sub-Processor Obligations. Storyblok will enter into written agreements with sub-processors containing data protection obligations substantially equivalent to those in this DPA. Storyblok remains fully liable for its sub-processors’ acts and omissions in accordance with the Agreement.

5.4. Third Country Transfers. Customer Data may be Processed in any country in which Storyblok, and sub-processors maintain facilities to perform the Storyblok Services, as further detailed in Annex 3. Storyblok may transfer Customer Data to sub-processors located in Third Countries only if in compliance with Applicable Data Protection Laws, including Chapter V GDPR.

6. Security

6.1. Confidentiality. Storyblok will treat Customer Data confidential and will Process it only for the purposes defined herein. Storyblok ensures that all persons and Sub-Processors authorized to process Customer Data are subject to adequate confidentiality obligations or statutory obligation of confidentiality.

6.2. Technical and Organizational Measures. Storyblok shall implement and maintain appropriate technical and organizational measures to ensure the confidentiality, integrity, availability, and resilience of Customer Data as set out in Annex 2. These measures are subject to technical progress. Storyblok may modify these measures from time to time, provided they do not materially reduce the overall level of protection.

6.3. Security Incident. In the event of a Security Incident, Storyblok shall notify Customer without undue delay and, where feasible, within 72 hours of confirmation, providing information necessary for Customer to comply with its legal notification obligations. Both Parties shall take reasonable steps to contain, investigate, and mitigate the effects of the Security Incident. Storyblok will cooperate with Customer as required by Applicable Data Protection Laws. Notifications will be delivered to Customer's registered notification email address which Customer needs to maintain accurate and up-to-date.

6.4. Authority & Government Requests. In case Storyblok receives a request from a competent government or authority requiring access to Customer Data Storyblok shall advise such requesting party of the confidentiality and Customer’s ownership of such data. To the extent legally possible, Storyblok will not disclose information without first providing notice to Customer. If Storyblok is prohibited from giving notice or prior notice, Storyblok will try to challenge and/or limit the request if it reasonably believes the request is not compliant with applicable law. In case of lawful requests, Storyblok will narrow the scope of the request to the extent required by law. Where necessary and permitted, Customer and Storyblok shall cooperate with the requesting party.

7. Audits

7.1. Information Requests. Audits to demonstrate compliance with the obligations in this DPA shall primarily be satisfied through Storyblok's responses to questionnaires or by providing certifications and other documentation (e.g., ISO 27001 or SOC 2) within reasonable time upon Customer’s written request. Customer shall exercise such requests only in reasonable intervals. Any responses, information or documentation provided by Storyblok shall be considered Confidential Information. 

7.2. Audits. Further audits shall only occur where such information provided by Storyblok is insufficient to demonstrate compliance or are legally required. In such case, Customer may with at least 30 days prior written notice to Storyblok request an audit to verify Storyblok’s compliance with this DPA. Audits shall take into account the nature and complexity of the Storyblok Services, may only be conducted in reasonable intervals (not more than once per year unless there is a material legal or security-related reason for further audits), during Storyblok's normal business hours, for a reasonable duration and shall not unreasonably interfere with Storyblok's business operations. Audits may be conducted by Customer or a reputable, qualified third party auditor, provided neither are, nor are engaged by, a competitor of Storyblok. Storyblok may require non-disclosure agreements, may redact sensitive or unrelated information and may adapt the scope and timing of any audit to avoid or mitigate risks with respect to service levels, availability, security, integrity of the Storyblok Services and/or confidentiality of unrelated information (e.g information of any other customer or third parties, trade secrets, information that Customer or its auditors seek to access for any reason other than to verify Storyblok’s compliance with this DPA). Any costs and expenses of Customer resulting from audits are at Customer’s sole expense. Any costs and expenses incurred by Storyblok resulting from audits shall be reimbursed to Storyblok, unless the audit reveals material non-compliance attributable to the fault of Storyblok. Any information or findings obtained during audits shall be kept strictly confidential and shall be stored for the minimum time required. Customer shall certify deletion of such information upon Storyblok's request.

8. Term & Termination

8.1. Term. This DPA remains in force for the term of the Agreement and as long as Storyblok processes Customer Data on behalf of Customer or according to applicable law.

8.2. Consequences of Termination. Upon termination or expiration of the Agreement, Storyblok shall return, delete, or block access to (e.g. within backups) any Customer Data, unless retention is required by law. Upon request Storyblok will confirm such deletion and/or blocking within reasonable time.

9. General

9.1. Amendments. Amendments must be made in writing and expressly reference this DPA.

9.2. Liability. Any claims arising under or in connection with this DPA shall be subject to the limitations and exclusions of liability defined in the Storyblok GTC.

9.3. Severability. If and to the extent any provision of this DPA is held invalid or unenforceable at law, such provision will be deemed stricken from the DPA and the remainder of the DPA will continue in effect and be valid and enforceable to the fullest extent permitted by law.

9.4. Assignment. This DPA is binding upon and inures to the benefit of the parties and their heirs, executors, legal and personal representatives, successors and assigns, as the case may be.

9.5. Governing Law & Jurisdiction. This DPA is to be governed and construed under the laws of Austria, without regard to its choice of law provisions. The competent court in Linz, Austria shall have exclusive jurisdiction.

9.6. Contact. Storyblok’s data protection officer may be contacted at: dpo@storyblok.com.

Annex 1 - Description of Processing

Subject Matter	Processing of Customer Data within the Storyblok Services
Nature of Processing	Collection, storage, organization, use, and deletion of Customer Content containing Personal Data
Purpose	Provision and operation of the Storyblok Services
Processing Activities	Provision of cloud based content management, software as a service; organization, order, storing, dissemination and other art of provision, deletion of data
Categories of Personal Data	Personal Data included by Customer in Customer Content and uploaded to the Storyblok Services, the extent of which is determined and controlled by Customer in its sole discretion. (Customer may include names, emails, pictures, job titles, or other identifiers etc.)
Data Subjects	Personal Data included by Customer in Customer Content and uploaded to the Storyblok Services, the extent of which is determined and controlled by Customer in its sole discretion (Customer may include Personal Data of contractors, partners, clients, prospects, customers, vendors, staff, or other individuals etc.)
Special categories of personal data	Not permitted. Customer is prohibited from using the Storyblok Services to process any such data under the terms of the agreement
Duration	See Section 8 of the DPA

Annex 2 - Technical and Organizational Measures

Confidentiality	Datacenter: Storyblok is hosted in datacenters that comply with security standards and compliance certifications like ISO 27001, NIST 800-171, or FedRAMP. Storyblok verifies that these standards are audited by a third party. Special attention is paid to access control against unauthorized entrance to the data processing locations, e.g.: key, swipe or chip cards, electric door openers, porters, security personnel, alarm systems, video systems; the internal data processing systems are only accessible to the administrator with a key and possible with a two-step authentication; data processing locations are monitored via CCTV. Internal Access: Employee access to company data is monitored and controlled via Mobile Device Management tools. Access Control: No unauthorized reading, copying, changing or deleting of production data is possible. Access to the database is secured with password and two-step authentication. Access to the server is only possible via SSH and for authorized users only. Granted authorizations are periodically reviewed. All access attempts and successful log-ins to internal systems shall be registered. Pseudonymization: If possible for the respective data processing, the primary identification features of the personal data is removed within the respective data application and stored separately. Data Classification Scheme: In accordance with the statutory obligations or self-assessment (confidential/internal/public). All data is classified as internal by default and only clearly marked or obvious marketing materials are considered public data. Client-Separation: Client separation for data processing leverages a tagging system with universal unique identifiers that are coupled with the authentication token. This applies to all entry types associated with a particular user or space. Data Encryption: All data is encrypted in transit and at rest (servers, databases, and devices). Storyblok uses only industry proven cryptographic mechanisms (TLS, AES, …) and follows international best practices when discontinuing outdated or insecure algorithms.
Integrity	Disclosure Control: No unauthorized reading, copying, changing or deleting during electronic forwarding or transport of data, e.g.: encryption, Virtual Private Networks (VPN), electronic signatures; Input Control: Review of changes made to personal data. Automatic logging of access attempts and changes to data. Patch Management: We distinguish between patch management for libraries and environments for the Storyblok product. For both patch management processes automatic procedures are in place to keep the environments up-to date. Implementation of patch related changes is handled via the change management process.
Availability & Capacity	Availability Control: Protection against random or deliberate destruction or loss of data, e.g.: backup strategy (on- line/off-line; on-site/off-site), uninterrupted power supply (UPS, diesel generator), virus protection, firewall, reporting channels and emergency plans; security checks at the infrastructure and application level, multi-level security concept with encrypted outsourcing to a backup data centre, standard processes in case of staff transfer/retirement; disaster recovery and business continuity plans. Recoverability: All systems are designed with high availability mechanisms. Failover infrastructure is leveraged to support data processing. Data backups are tested on a regular basis. Deletion Periods: For the data as well as the meta data such as log files, etc. deletion periods are defined in accordance with legal requirements.
Procedures for regular review, assessment & evaluation	Data Privacy Policy: Data privacy policy is in place, available to all parties and regularly reviewed. Data Protection Management: Storyblok operates an information security management system (ISMS) that is following the ISO27001 standards. Regular reviews are conducted ad-hoc and on-demand by third-party security specialists. Security Reviews: ISO 27001 audits are conducted on an annual basis by a registered external auditor. Penetration tests are conducted by external experts at least twice per year. Vulnerability scans are conducted on an on-going basis internally using automated tools that scan every code change committed to the source code repositories. Incident-Response-Management: Incidents are handled on a case-by-case basis. First the incident will be mitigated and all necessary remediation strategies will be put into place. As soon as we know that there is a security incident all customers will be informed within agreed periods. The information if they are affected, not affected, or if we don’t know yet will be included in the notification. Procurement Process: No processing of order data pursuant to Art 28 GDPR without corresponding instructions for the Data Controller, e.g.: transparent contract design, formalized order management, strict selection of the order processor (ISO certification, ISMS), due diligence, follow-up controls.

Annex 3 - Authorized Sub-Processors

Sub-Processor	Activity	Location	Website/Privacy Info
Storyblok GmbH Peter-Behrens-Platz 2, 4020 Linz, Austria	Provision of Storyblok Services	Austria	storyblok.com/legal/privacy-policy
Storyblok Solutions GmbH  Loquaiplatz 12/1, 1060 Vienna, Austria	Operational Activities	Austria	storyblok.com/legal/privacy-policy
Amazon Web Services EMEA SARL 38 Avenue John F. Kennedy, L-1855, Luxemburg	Hosting/Storage/Infrastructure	Luxemburg Datacenters: EU, USA, Canada, Australia	aws.amazon.com/privacy https://aws.amazon.com/de/compliance/sub-processors/
Tiptap GmbH Kurfürstenstrasse 56, 10785 Berlin, Germany	Content editor & collaboration framework	Germany	https://tiptap.dev/privacy-policy
OpenAI Ireland Ltd The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland	AI Features The Storyblok AI Terms apply	Ireland/Global	openai.com/policies/privacy-policy openai.com/policies/sub-processor-list/
Google Cloud EMEA Limited  70 Sir John Rogerson’s Quay, Dublin 2, Ireland	AI Features The Storyblok AI Terms apply	Ireland/Global	policies.google.com/privacy cloud.google.com/terms/subprocessors