Legal

Privacy Center

Welcome to Lobyco’s Privacy Center – your resource for understanding how we protect and manage personal data. The Privacy Center provides transparency into our data protection practices, policies, and the measures we have implemented to safeguard personal data throughout its lifecycle. We process personal data on behalf of our clients in accordance with the Data Processing Agreement and thus in compliance with applicable data protection regulations, including the EU General Data Protection Regulation (GDPR).

Privacy Center
Resilience Overview
Service Level Agreement
Governance
Data Processing Agreement
Security
Privacy Policy

Privacy Principles

We recognise that trust is earned through transparancy and accountability. As a data processor, we take our responsibilities seriously and have built our operations around the following core privacy principles:

Security by design: We integrate robust security measures into every aspect of our data processing activities, from initial system design through to ongoing operations.

Compliance: We maintain continuous compliance with applicable data protection regulation and regularly review our practices to ensure alignment with evolving regulatory standards.

Transparency: We provide clear information about our data processing practices, sub-processors, and security measures to enable informed decisions by our clients.

Accountability: We document our processing activities and conduct regular audits to demonstrate our commitment to data protection.

Instructions & DPA

We comply with procedures and controls which ensures that instructions regarding the processing of personal data are followed in accordance with the concluded data processing agreement:

  • Written procedures ensures processing only occurs when instructions are in place.
  • Annual review of procedures is conducted as a minimum.
  • Processing is limited to what is set out in agreed Data Processing Agreement.
  • Notifications to data controller if instructions breach GDPR requirements.

Technical Security Measures

We comply with procedures and controls which ensures that we have implemented technical measures to ensure relevant processing security:

  • Risk-based technical security measures implemented.
  • System monitoring and alerts in place.
  • Encryption for transmission of confidential and sensitive data.
  • Regular vulnerability scans and penetration tests.

Technical Security Measures

We comply with procedures and controls which ensures that we have implemented organisational measures to ensure relevant processing security:

  • Management-approved information security policy in place.
  • Employee vetting conducted upon recruitment.
  • Confidentially agreements and security training upon employment.
  • Ongoing awareness training on IT security and data processing

Deletion and Return of Data

We comply with procedures and controls which ensures that personal data can be deleted or returned should an agreement to that effect be concluded with the client:

  • Written procedures for storage and deletion in accordance with agreements.
  • Compliance with agreed retention periods and deletion routines.
  • Data returned or deleted upon termination of processing.

Storage

We comply with procedures and controls which ensures that we only store personal data in accordance with the agreement with the data controller:

  • Written procedures ensures storage complies with data controller agreements.
  • Proessing and storage limited to approved locations, countries, or geographical areas.

Sub-processors

We comply with procedures and controls which ensures that only approved sub-processors are used, and that we ensure adequoate processing security through follow-up on their technical and organisational measures to protect the rights of data subjects.

  • Written procedures for use of sub-processors.
  • Only approved sub-processors are used.
  • Timely notification of changes to generally approved sub-processors.
  • Regular follow-up through meetings, inspections, or audit reviewes.

Transfer to third countries

We comply with procedures and controls which ensures that we only transfer personal data to third countries or international organisations in accordance with the agreement with the data controller based on a valid transfer mechanism:

  • Written procedures requiring valid transfer mechanisms.
  • Transfers only occur following data controller instructions.
  • Vald transfer mechanisms assessed and documented.

Assistance with Data Subject Rights

We comply with procedures and controls which ensures that we can assist the data controller with disclosure, rectication, deletion, or restriction of information about the processing of personal data to the data subject:

  • Written procedures for assisting data controller with data subject rights.
  • Established procedures enable timely assistance with disclosure, rectification, deletion, restriction, and information provision.
  • Vald transfer mechanisms assessed and documented.

Handling of Security Breaches

We comply with procedures and controls which ensures that any security breaches can be handled in accordance with the concluded Data Processing Agreement:

  • Written procedures for notifiying data controllers of personal data breaches.
  • Controls established fpr identifiying breaches (employee awareness, network monitoring, acces logging).
  • Notification to data controller without undue delay.
  • Procedures in place for assisting with notificatons to Data Protection Authority.

Instructions & DPA
Technical Security Measures
Technical Security Measures
Deletion and Return of Data
Storage
Sub-processors
Transfer to third countries
Assistance with Data Subject Rights
Handling of Security Breaches

We comply with procedures and controls which ensures that instructions regarding the processing of personal data are followed in accordance with the concluded data processing agreement:

  • Written procedures ensures processing only occurs when instructions are in place.
  • Annual review of procedures is conducted as a minimum.
  • Processing is limited to what is set out in agreed Data Processing Agreement.
  • Notifications to data controller if instructions breach GDPR requirements.

We comply with procedures and controls which ensures that we have implemented technical measures to ensure relevant processing security:

  • Risk-based technical security measures implemented.
  • System monitoring and alerts in place.
  • Encryption for transmission of confidential and sensitive data.
  • Regular vulnerability scans and penetration tests.

We comply with procedures and controls which ensures that we have implemented organisational measures to ensure relevant processing security:

  • Management-approved information security policy in place.
  • Employee vetting conducted upon recruitment.
  • Confidentially agreements and security training upon employment.
  • Ongoing awareness training on IT security and data processing

We comply with procedures and controls which ensures that personal data can be deleted or returned should an agreement to that effect be concluded with the client:

  • Written procedures for storage and deletion in accordance with agreements.
  • Compliance with agreed retention periods and deletion routines.
  • Data returned or deleted upon termination of processing.

We comply with procedures and controls which ensures that we only store personal data in accordance with the agreement with the data controller:

  • Written procedures ensures storage complies with data controller agreements.
  • Proessing and storage limited to approved locations, countries, or geographical areas.

We comply with procedures and controls which ensures that only approved sub-processors are used, and that we ensure adequoate processing security through follow-up on their technical and organisational measures to protect the rights of data subjects.

  • Written procedures for use of sub-processors.
  • Only approved sub-processors are used.
  • Timely notification of changes to generally approved sub-processors.
  • Regular follow-up through meetings, inspections, or audit reviewes.

We comply with procedures and controls which ensures that we only transfer personal data to third countries or international organisations in accordance with the agreement with the data controller based on a valid transfer mechanism:

  • Written procedures requiring valid transfer mechanisms.
  • Transfers only occur following data controller instructions.
  • Vald transfer mechanisms assessed and documented.

We comply with procedures and controls which ensures that we can assist the data controller with disclosure, rectication, deletion, or restriction of information about the processing of personal data to the data subject:

  • Written procedures for assisting data controller with data subject rights.
  • Established procedures enable timely assistance with disclosure, rectification, deletion, restriction, and information provision.
  • Vald transfer mechanisms assessed and documented.

We comply with procedures and controls which ensures that any security breaches can be handled in accordance with the concluded Data Processing Agreement:

  • Written procedures for notifiying data controllers of personal data breaches.
  • Controls established fpr identifiying breaches (employee awareness, network monitoring, acces logging).
  • Notification to data controller without undue delay.
  • Procedures in place for assisting with notificatons to Data Protection Authority.

Table of Contents

Example H2
Example H3
Example H4
Example H5
Example H6
This is also a heading that is long to test if these are wrapping
This is a heading

Instructions & DPA

Lobyco’s platform is delivered on the Microsoft Azure Cloud, ensuring a secure, resilient, and scalable environment for all services. This cloud foundation ensures that customer data and applications remain secure, reliable, and continuously available.

We comply with procedures and controls which ensures that instructions regarding the processing of personal data are followed in accordance with the concluded data processing agreement:

  • Written procedures ensures processing only occurs when instructions are in place.
  • Annual review of procedures is conducted as a minimum.
  • Processing is limited to what is set out in agreed Data Processing Agreement.
  • Notifications to data controller if instructions breach GDPR requirements.

Redundant architecture providing high availability and fault tolerance.

Multi-region deployment options supporting geographic separation and recovery.

24/7 monitoring of infrastructure health, performance, and security.

Physical and environmental controls managed by Microsoft’s certified data center operations.

Technical Security Measures

Lobyco’s platform is delivered on the Microsoft Azure Cloud, ensuring a secure, resilient, and scalable environment for all services. This cloud foundation ensures that customer data and applications remain secure, reliable, and continuously available.

We comply with procedures and controls which ensures that we have implemented technical measures to ensure relevant processing security:

  • Risk-based technical security measures implemented.
  • System monitoring and alerts in place.
  • Encryption for transmission of confidential and sensitive data.
  • Regular vulnerability scans and penetration tests.

Redundant architecture providing high availability and fault tolerance.

Multi-region deployment options supporting geographic separation and recovery.

24/7 monitoring of infrastructure health, performance, and security.

Physical and environmental controls managed by Microsoft’s certified data center operations.

Technical Security Measures

Lobyco’s platform is delivered on the Microsoft Azure Cloud, ensuring a secure, resilient, and scalable environment for all services. This cloud foundation ensures that customer data and applications remain secure, reliable, and continuously available.

We comply with procedures and controls which ensures that we have implemented organisational measures to ensure relevant processing security:

  • Management-approved information security policy in place.
  • Employee vetting conducted upon recruitment.
  • Confidentially agreements and security training upon employment.
  • Ongoing awareness training on IT security and data processing

Redundant architecture providing high availability and fault tolerance.

Multi-region deployment options supporting geographic separation and recovery.

24/7 monitoring of infrastructure health, performance, and security.

Physical and environmental controls managed by Microsoft’s certified data center operations.

Deletion and Return of Data

Lobyco’s platform is delivered on the Microsoft Azure Cloud, ensuring a secure, resilient, and scalable environment for all services. This cloud foundation ensures that customer data and applications remain secure, reliable, and continuously available.

We comply with procedures and controls which ensures that personal data can be deleted or returned should an agreement to that effect be concluded with the client:

  • Written procedures for storage and deletion in accordance with agreements.
  • Compliance with agreed retention periods and deletion routines.
  • Data returned or deleted upon termination of processing.

Redundant architecture providing high availability and fault tolerance.

Multi-region deployment options supporting geographic separation and recovery.

24/7 monitoring of infrastructure health, performance, and security.

Physical and environmental controls managed by Microsoft’s certified data center operations.

Storage

Lobyco’s platform is delivered on the Microsoft Azure Cloud, ensuring a secure, resilient, and scalable environment for all services. This cloud foundation ensures that customer data and applications remain secure, reliable, and continuously available.

We comply with procedures and controls which ensures that we only store personal data in accordance with the agreement with the data controller:

  • Written procedures ensures storage complies with data controller agreements.
  • Proessing and storage limited to approved locations, countries, or geographical areas.

Redundant architecture providing high availability and fault tolerance.

Multi-region deployment options supporting geographic separation and recovery.

24/7 monitoring of infrastructure health, performance, and security.

Physical and environmental controls managed by Microsoft’s certified data center operations.

Sub-processors

Lobyco’s platform is delivered on the Microsoft Azure Cloud, ensuring a secure, resilient, and scalable environment for all services. This cloud foundation ensures that customer data and applications remain secure, reliable, and continuously available.

We comply with procedures and controls which ensures that only approved sub-processors are used, and that we ensure adequoate processing security through follow-up on their technical and organisational measures to protect the rights of data subjects.

  • Written procedures for use of sub-processors.
  • Only approved sub-processors are used.
  • Timely notification of changes to generally approved sub-processors.
  • Regular follow-up through meetings, inspections, or audit reviewes.

Redundant architecture providing high availability and fault tolerance.

Multi-region deployment options supporting geographic separation and recovery.

24/7 monitoring of infrastructure health, performance, and security.

Physical and environmental controls managed by Microsoft’s certified data center operations.

Transfer to third countries

Lobyco’s platform is delivered on the Microsoft Azure Cloud, ensuring a secure, resilient, and scalable environment for all services. This cloud foundation ensures that customer data and applications remain secure, reliable, and continuously available.

We comply with procedures and controls which ensures that we only transfer personal data to third countries or international organisations in accordance with the agreement with the data controller based on a valid transfer mechanism:

  • Written procedures requiring valid transfer mechanisms.
  • Transfers only occur following data controller instructions.
  • Vald transfer mechanisms assessed and documented.

Redundant architecture providing high availability and fault tolerance.

Multi-region deployment options supporting geographic separation and recovery.

24/7 monitoring of infrastructure health, performance, and security.

Physical and environmental controls managed by Microsoft’s certified data center operations.

Assistance with Data Subject Rights

Lobyco’s platform is delivered on the Microsoft Azure Cloud, ensuring a secure, resilient, and scalable environment for all services. This cloud foundation ensures that customer data and applications remain secure, reliable, and continuously available.

We comply with procedures and controls which ensures that we can assist the data controller with disclosure, rectication, deletion, or restriction of information about the processing of personal data to the data subject:

  • Written procedures for assisting data controller with data subject rights.
  • Established procedures enable timely assistance with disclosure, rectification, deletion, restriction, and information provision.
  • Vald transfer mechanisms assessed and documented.

Redundant architecture providing high availability and fault tolerance.

Multi-region deployment options supporting geographic separation and recovery.

24/7 monitoring of infrastructure health, performance, and security.

Physical and environmental controls managed by Microsoft’s certified data center operations.

Handling of Security Breaches

Lobyco’s platform is delivered on the Microsoft Azure Cloud, ensuring a secure, resilient, and scalable environment for all services. This cloud foundation ensures that customer data and applications remain secure, reliable, and continuously available.

We comply with procedures and controls which ensures that any security breaches can be handled in accordance with the concluded Data Processing Agreement:

  • Written procedures for notifiying data controllers of personal data breaches.
  • Controls established fpr identifiying breaches (employee awareness, network monitoring, acces logging).
  • Notification to data controller without undue delay.
  • Procedures in place for assisting with notificatons to Data Protection Authority.

Redundant architecture providing high availability and fault tolerance.

Multi-region deployment options supporting geographic separation and recovery.

24/7 monitoring of infrastructure health, performance, and security.

Physical and environmental controls managed by Microsoft’s certified data center operations.

Instructions and DPA
We comply with procedures and controls which ensure that instructions regarding the processing of personal data are followed in accordance with the concluded data processing agreement:
– We have written procedures containing requirements that processing of personal data may only be carried out when instructions are in place, and we conduct ongoing assessments - and at least annually - of whether the procedures require updating
– We only carry out the processing of personal data as set out in the instructions from the data controller
–We notify the data controller immediately if, in our assessment, an instruction is in breach of the data protection regulation or data protection provisions in other EU law or Member States' national law

Technical security measures
We comply with procedures and controls which ensure that we have implemented technical measures to ensure relevant processing security:
– We have written procedures containing requirements that agreed security measures for the processing of personal data are established in accordance with the agreement with the data controller
– We have carried out a risk assessment and, on that basis, implemented the technical measures deemed relevant to achieve appropriate security
– Antivirus software is installed on the systems and databases used for processing personal data, which is continuously updated
– External access to systems and databases used for processing personal data occurs through secured firewalls
– Internal networks are segmented to ensure limited access to systems and databases used for processing personal data
– Access to personal data is restricted to users with a work-related need, and we conduct periodic follow-up on access rights
–System monitoring with alerts has been established for systems and databases used for processing personal data
–Effective encryption is used when transmitting confidential and sensitive personal data via the internet and by email
–Logging has been established in systems, databases, and networks of activities performed by system administrators and others with special privileges, as well as security incidents
–Personal data used for development, testing, or similar purposes is always in pseudonymised or anonymised form
–The established technical measures are continuously tested through vulnerability scans and penetration tests
–Changes to systems, databases, and networks follow established procedures which ensure maintenance with relevant updates and patches, including security patches –There are formalised procedures for granting and terminating user access to personal data, and users' access is regularly reviewed
–Access to systems and databases in which processing of personal data occurs that entails high risk to data subjects is carried out using two-factor authentication as a minimum
–Physical access security has been established so that only authorised persons can gain physical access to premises and data centres where personal data is stored and processed

Organisational security measures
We comply with procedures and controls which ensure that we have implemented organisational measures to ensure relevant processing security:
–Our management has approved a written information security policy which has been communicated to all relevant stakeholders, including our employees, and which is based on the risk assessment carried out
–Management has ensured that the information security policy does not conflict with concluded data processing agreements
–Vetting of our employees is carried out in connection with employment, including references, criminal record checks, and verification of qualifications
–Upon employment, employees sign a confidentiality agreement and are introduced to the information security policy and procedures regarding data processing
–Upon termination of employment, we ensure that the user's rights become inactive or cease, and that assets are retrieved
–Upon termination of employment, the employee is informed that the signed confidentiality agreement remains valid
–Ongoing awareness training is conducted for our employees in relation to IT security generally and processing security in relation to personal data

Deletion and Return of Personal Data
We comply with procedures and controls which ensure that personal data can be deleted or returned should an agreement to that effect be concluded with the data controller:
–We have written procedures containing requirements that storage and deletion of personal data is carried out in accordance with the agreement with the data controller
–We ensure compliance with agreed retention periods and deletion routines
–Upon termination of processing of personal data for the data controller, data is returned or deleted in accordance with the agreement

Storage in accordance with Agreement
We comply with procedures and controls which ensure that we only store personal data in accordance with the agreement with the data controller:
–We have written procedures containing requirements that storage of personal data only occurs in accordance with the agreement with the data controller
–Our data processing, including storage, only takes place at the locations, countries, or geographical areas approved by the data controller

Use of sub-processors
We comply with procedures and controls which ensure that only approved sub-processors are used, and that we ensure adequate processing security through follow-up on their technical and organisational measures to protect the rights of data subjects: We have written procedures containing requirements for the use of sub-processors, including requirements for sub-processor agreements and instructions We only use sub-processors for the processing of personal data who have been specifically or generally approved by the data controller In the event of changes in the use of generally approved sub-processors, the data controller is notified in good time We have imposed on the sub-processor the same data protection obligations as those set out in the data processing agreement with the data controller We maintain an updated list of approved sub-processors stating name, company registration number, address, and description of the processing Based on risk assessment, we conduct ongoing follow-up on sub-processors through meetings, inspections, review of audit statements, or similar Transfer to third countries We comply with procedures and controls which ensure that we only transfer personal data to third countries or international organisations in accordance with the agreement with the data controller based on a valid transfer mechanism: We have written procedures containing requirements that we only transfer personal data to third countries or international organisations in accordance with the agreement with the data controller based on a valid transfer mechanism We may only transfer personal data to third countries or international organisations following instructions from the data controller In connection with the transfer of personal data to third countries or international organisations, we have assessed and documented that a valid transfer mechanism exists Assistance with Data Subject Rights We comply with procedures and controls which ensure that we can assist the data controller with disclosure, rectification, deletion, or restriction of information about the processing of personal data to the data subject: We have written procedures containing requirements that we must assist the data controller in relation to data subject rights We have established procedures which enable timely assistance to the data controller in relation to disclosure, rectification, deletion, or restriction of and information about the processing of personal data to the data subject Handling of security breaches We comply with procedures and controls which ensure that any security breaches can be handled in accordance with the concluded data processing agreement: We have written procedures containing requirements that we must notify the data controllers in the event of a personal data breach We have established controls for the identification of any personal data breaches, including employee awareness, monitoring of network traffic, and follow-up on logging of access to personal data We notify the data controller without undue delay in the event of any personal data breaches at our organisation or at a sub-processor We have established procedures for assisting the data controller with notification to the Data Protection Authority, including description of the nature of the breach, probable consequences, and measures that have been taken or are proposed to be taken to address the breach