Data Processing Addendum (DPA)

Last updated: 2026-06-04 | Effective date: 2026-06-04

This Data Processing Addendum ("DPA") forms part of, and is governed by, the Terms of Service between the customer ("you", the "Customer") and Jakub Ludwig, IČO 88711111, U Obory 1004, 675 71 Náměšť nad Oslavou, Czech Republic, Czech Republic ("Cobalt", "we"). It applies where, in using Cobalt, you process personal data of others to which the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Czech Act No. 110/2019 Coll. apply. Where this DPA conflicts with the Terms on data-protection matters, this DPA prevails.

When this DPA is relevant. Most individual photographers using Cobalt act as consumers, and for their own personal data Cobalt is the controller (see the Privacy Policy). This DPA matters where you use Cobalt in a business capacity and you are the controller of personal data about other people that you put into the Service (for example, contributors, clients, or people depicted in images you store and share) — in which case Cobalt acts as your processor for that hosting. For some flows (e.g. anonymous-visitor security logs) Cobalt determines the purposes itself and is an independent controller, as described in the Privacy Policy.

1. Roles of the Parties

Customer as controller; Cobalt as processor. For personal data the Customer puts into the Service about third parties ("Customer Personal Data"), the Customer is the controller and Cobalt is the processor, processing only on the Customer's documented instructions (the Terms, this DPA, and the Customer's use of the Service's features).
Cobalt as independent controller. For data Cobalt determines the purposes of — account administration, billing reconciliation, security logging, and capturing connection data of anonymous share-link visitors — Cobalt acts as a controller in its own right, as described in the Privacy Policy. This DPA does not cover that processing.

2. Subject-Matter and Details of Processing (Annex equivalent)

Item	Detail
Subject-matter	Hosting and display of the Customer's boards and content on the Cobalt SaaS platform.
Duration	For the term of the Customer's account, plus the deletion/retention periods in the Privacy Policy.
Nature & purpose	Storage, organisation, display, backup, technical derivation (e.g. thumbnails), and sharing of content as directed by the Customer.
Types of personal data	Images that may depict identifiable individuals; names, notes, and any personal data the Customer or its contributors include in board content; contributor IP/connection data.
Categories of data subjects	The Customer's clients, models/subjects depicted in images, contributors, and other individuals the Customer chooses to include.
Special categories	Not intended. Cobalt performs no biometric processing or facial recognition. The Customer must not upload special-category data unless it has a valid Art. 9 basis and has informed Cobalt.

3. Cobalt's Obligations as Processor

Cobalt shall:

process only on instructions (Art. 28(3)(a)) — process Customer Personal Data only on the Customer's documented instructions, including for transfers, unless required by EU/CZ law (in which case Cobalt informs the Customer unless the law prohibits it);
ensure confidentiality (Art. 28(3)(b)) — ensure persons authorised to process the data are bound by confidentiality;
secure the data (Art. 32) — implement the measures in Section 5;
respect sub-processor rules (Art. 28(2),(4)) — as set out in Section 4;
assist the Customer (Arts. 28(3)(e),(f), 32–36) — provide reasonable assistance, taking account of the nature of processing and the information available, with: responding to data-subject requests; security; breach notification; and data-protection impact assessments and prior consultations;
notify breaches — notify the Customer without undue delay after becoming aware of a personal-data breach affecting Customer Personal Data;
delete or return data (Art. 28(3)(g)) — on the end of the Service, delete or return Customer Personal Data per the Customer's choice, subject to the retention periods in the Privacy Policy and any legal retention obligation; and
support audits (Art. 28(3)(h)) — make available information necessary to demonstrate compliance and allow for and contribute to audits, which (given Cobalt is a small operator) may be satisfied by responding to reasonable written questionnaires and providing sub-processors' certifications/reports.

4. Sub-processors

The Customer provides a general authorisation for Cobalt to engage the sub-processors listed below to deliver the Service. Each sub-processor is engaged under a written contract imposing data-protection obligations equivalent to those in this DPA, and an appropriate transfer mechanism where data leaves the EEA (see Section 6).

Sub-processor	Purpose	Location / transfer basis
Google Cloud Platform (Google Cloud EMEA Ltd / Google Ireland Ltd / Google LLC)	Application hosting (compute) and object storage for content	[Confirm region — EU — and Google Cloud DPA/SCCs]
PostgreSQL database on a Google Cloud VM	Primary application database (account, board metadata, subscription/usage records)	On Google Cloud infrastructure [same region — confirm]
Cloudflare, Inc.	CDN, DNS, DDoS/WAF protection, app/site delivery (Cloudflare Pages)	[Global edge; confirm DPF status + SCC fallback; link Cloudflare DPA]
Google (Google Ireland Ltd / Google LLC)	"Sign in with Google" (OAuth) identity provider	[Confirm transfer basis]
Polar [legal entity — confirm]	Merchant of Record: payment processing, invoicing, EU VAT (acts as seller of record; for billing data Polar is largely an independent controller as MoR)	[Confirm location + transfer basis; link Polar DPA]
[Email/support provider — confirm]	Transactional email and support inbox	[Confirm + DPA]

4.1 Notice of Sub-processor Changes

Cobalt maintains the current list of sub-processors in its Privacy Policy and/or a dedicated page. If Cobalt intends to add or replace a sub-processor, it will give the Customer at least 30 days' prior notice (by email and/or by updating the published list) so the Customer can object on reasonable data-protection grounds. If the Customer reasonably objects and the parties cannot resolve it, the Customer may terminate the affected Service, as its sole remedy.

5. Security Measures (Art. 32)

Cobalt applies technical and organisational measures appropriate to the risk, including:

encryption in transit (TLS 1.2+) and encryption at rest in object storage;
access controls and least-privilege access to production data;
strictly necessary, short-lived sign-in security cookies and bound access tokens;
network-perimeter protection (Cloudflare DDoS/WAF);
backups and a documented deletion process;
regular dependency and vulnerability review; and
logging for security and abuse detection, retained for a limited period.

6. International Transfers

Where a sub-processor processes Customer Personal Data outside the EEA, Cobalt relies on an adequacy decision, the EU Standard Contractual Clauses (Art. 46(2)(c)) supported by a transfer impact assessment, or the recipient's valid DPF certification, as applicable to that recipient (see the table in Section 4 and the Privacy Policy). A copy of the relevant safeguard is available on request to [email protected].

7. Data-Subject Requests

If a data subject contacts Cobalt about Customer Personal Data, Cobalt will, where lawful, direct them to the Customer (the controller) and assist the Customer in responding. Cobalt also operates a route for people depicted in content (non-users) to raise objections/erasure requests (see the Privacy Policy), and will coordinate with the relevant Customer/board owner.

8. Liability, Term, and Governing Law

This DPA is subject to the liability provisions and governing law (Czech law) of the Terms of Service. It takes effect when the Customer accepts the Terms and continues for as long as Cobalt processes Customer Personal Data.

9. Contact

Jakub Ludwig, IČO 88711111
U Obory 1004, 675 71 Náměšť nad Oslavou, Czech Republic, Czech Republic
[email protected]

Home · Privacy · Terms · Cookies · Refunds