Last updated: June, 2026.
Our Data Processing Agreement (DPA) is an integrated part of the LBC Services Agreement and Master Services Agreement we enter into with our customers. When we provide our services, we process personal data in accordance with the responsibilities and safeguards described in the DPA.
We recognise that trust is earned through transparency and accountability. As a data processor, we take our responsibilities seriously and have built our operations around the following core privacy principles:
Security by design: We integrate robust security measures into every aspect of our data processing activities, from initial system design through to ongoing operations.
Compliance: We maintain continuous compliance with applicable data protection regulation and regularly review our practices to ensure alignment with evolving regulatory standards.
Transparency: We provide clear information about our data processing practices, sub-processors, and security measures to enable informed decisions by our clients.
Accountability: We document our processing activities and conduct regular audits to demonstrate our commitment to data protection.
Last updated: June, 2026.
Lobyco’s platform is delivered on the Microsoft Azure Cloud, ensuring a secure, resilient, and scalable environment for all services. This cloud foundation ensures that customer data and applications remain secure, reliable, and continuously available.
Last updated: June, 2026.
Redundant architecture providing high availability and fault tolerance.
Multi-region deployment options supporting geographic separation and recovery.
24/7 monitoring of infrastructure health, performance, and security.
Physical and environmental controls managed by Microsoft’s certified data center operations.
Instructions and DPA
We comply with procedures and controls which ensure that instructions regarding the processing of personal data are followed in accordance with the concluded data processing agreement:
– We have written procedures containing requirements that processing of personal data may only be carried out when instructions are in place, and we conduct ongoing assessments - and at least annually - of whether the procedures require updating
– We only carry out the processing of personal data as set out in the instructions from the data controller
–We notify the data controller immediately if, in our assessment, an instruction is in breach of the data protection regulation or data protection provisions in other EU law or Member States' national law
Technical security measures
We comply with procedures and controls which ensure that we have implemented technical measures to ensure relevant processing security:
– We have written procedures containing requirements that agreed security measures for the processing of personal data are established in accordance with the agreement with the data controller
– We have carried out a risk assessment and, on that basis, implemented the technical measures deemed relevant to achieve appropriate security
– Antivirus software is installed on the systems and databases used for processing personal data, which is continuously updated
– External access to systems and databases used for processing personal data occurs through secured firewalls
– Internal networks are segmented to ensure limited access to systems and databases used for processing personal data
– Access to personal data is restricted to users with a work-related need, and we conduct periodic follow-up on access rights
–System monitoring with alerts has been established for systems and databases used for processing personal data
–Effective encryption is used when transmitting confidential and sensitive personal data via the internet and by email
–Logging has been established in systems, databases, and networks of activities performed by system administrators and others with special privileges, as well as security incidents
–Personal data used for development, testing, or similar purposes is always in pseudonymised or anonymised form
–The established technical measures are continuously tested through vulnerability scans and penetration tests
–Changes to systems, databases, and networks follow established procedures which ensure maintenance with relevant updates and patches, including security patches –There are formalised procedures for granting and terminating user access to personal data, and users' access is regularly reviewed
–Access to systems and databases in which processing of personal data occurs that entails high risk to data subjects is carried out using two-factor authentication as a minimum
–Physical access security has been established so that only authorised persons can gain physical access to premises and data centres where personal data is stored and processed
Organisational security measures
We comply with procedures and controls which ensure that we have implemented organisational measures to ensure relevant processing security:
–Our management has approved a written information security policy which has been communicated to all relevant stakeholders, including our employees, and which is based on the risk assessment carried out
–Management has ensured that the information security policy does not conflict with concluded data processing agreements
–Vetting of our employees is carried out in connection with employment, including references, criminal record checks, and verification of qualifications
–Upon employment, employees sign a confidentiality agreement and are introduced to the information security policy and procedures regarding data processing
–Upon termination of employment, we ensure that the user's rights become inactive or cease, and that assets are retrieved
–Upon termination of employment, the employee is informed that the signed confidentiality agreement remains valid
–Ongoing awareness training is conducted for our employees in relation to IT security generally and processing security in relation to personal data
Deletion and Return of Personal Data
We comply with procedures and controls which ensure that personal data can be deleted or returned should an agreement to that effect be concluded with the data controller:
–We have written procedures containing requirements that storage and deletion of personal data is carried out in accordance with the agreement with the data controller
–We ensure compliance with agreed retention periods and deletion routines
–Upon termination of processing of personal data for the data controller, data is returned or deleted in accordance with the agreement
Storage in accordance with Agreement
We comply with procedures and controls which ensure that we only store personal data in accordance with the agreement with the data controller:
–We have written procedures containing requirements that storage of personal data only occurs in accordance with the agreement with the data controller
–Our data processing, including storage, only takes place at the locations, countries, or geographical areas approved by the data controller
Use of sub-processors
We comply with procedures and controls which ensure that only approved sub-processors are used, and that we ensure adequate processing security through follow-up on their technical and organisational measures to protect the rights of data subjects: We have written procedures containing requirements for the use of sub-processors, including requirements for sub-processor agreements and instructions We only use sub-processors for the processing of personal data who have been specifically or generally approved by the data controller In the event of changes in the use of generally approved sub-processors, the data controller is notified in good time We have imposed on the sub-processor the same data protection obligations as those set out in the data processing agreement with the data controller We maintain an updated list of approved sub-processors stating name, company registration number, address, and description of the processing Based on risk assessment, we conduct ongoing follow-up on sub-processors through meetings, inspections, review of audit statements, or similar Transfer to third countries We comply with procedures and controls which ensure that we only transfer personal data to third countries or international organisations in accordance with the agreement with the data controller based on a valid transfer mechanism: We have written procedures containing requirements that we only transfer personal data to third countries or international organisations in accordance with the agreement with the data controller based on a valid transfer mechanism We may only transfer personal data to third countries or international organisations following instructions from the data controller In connection with the transfer of personal data to third countries or international organisations, we have assessed and documented that a valid transfer mechanism exists Assistance with Data Subject Rights We comply with procedures and controls which ensure that we can assist the data controller with disclosure, rectification, deletion, or restriction of information about the processing of personal data to the data subject: We have written procedures containing requirements that we must assist the data controller in relation to data subject rights We have established procedures which enable timely assistance to the data controller in relation to disclosure, rectification, deletion, or restriction of and information about the processing of personal data to the data subject Handling of security breaches We comply with procedures and controls which ensure that any security breaches can be handled in accordance with the concluded data processing agreement: We have written procedures containing requirements that we must notify the data controllers in the event of a personal data breach We have established controls for the identification of any personal data breaches, including employee awareness, monitoring of network traffic, and follow-up on logging of access to personal data We notify the data controller without undue delay in the event of any personal data breaches at our organisation or at a sub-processor We have established procedures for assisting the data controller with notification to the Data Protection Authority, including description of the nature of the breach, probable consequences, and measures that have been taken or are proposed to be taken to address the breach