This page summarises how Ernesto Motion SRL acts as a data processor when you contract us to build software that handles your end-users' personal data. It is intended to be read alongside the Privacy Policy, which covers data we collect about you directly.
01 Roles
For data we collect about you (the Client), we are the controller. For data your end-users generate inside software we build and operate for you, you are the controller and we are the processor acting strictly on your documented instructions.
02 Subject matter and duration
- Subject matter — building, hosting, maintaining, and operating the software described in your SOW.
- Duration — for the term of the SOW plus a 30-day handover period after termination.
- Nature and purpose — design, development, deployment, monitoring, support, and any task explicitly listed in the SOW.
- Categories of data subjects — your end-users, employees, partners, and anyone whose data you load into the software.
- Categories of personal data — as configured by you. We collect no special-category data unless your SOW explicitly authorises it.
03 Our obligations as processor
- Process personal data only on your documented instructions, including transfers to third countries.
- Ensure everyone authorised to process the data is bound by confidentiality.
- Apply appropriate technical and organisational security measures (Article 32).
- Engage sub-processors only with your prior general or specific authorisation. Current sub-processors are listed below.
- Assist you with data-subject requests, breach notifications, DPIAs and prior consultations.
- Delete or return all personal data at the end of the engagement, at your choice, unless EU or Romanian law requires retention.
- Make available all information necessary to demonstrate compliance and submit to audits.
04 Sub-processors
We use a small, vetted set of sub-processors to deliver our services. The current list is available on request and is updated whenever it changes. You have 14 days from notification to object to a new sub-processor; if we cannot accommodate the objection we will work with you on a remedy.
05 Security measures
- Encryption of personal data in transit (TLS 1.2+) and at rest where the storage layer supports it.
- Pseudonymisation in non-production environments wherever feasible.
- Role-based access control with least privilege; mandatory MFA on every studio account.
- Logged, time-bound access for production environments.
- Backup and recovery procedures tested at least annually.
- Incident response plan with a defined chain of command and 72-hour breach notification.
06 International transfers
Personal data is hosted in EU regions by default. Where a sub-processor operates from a third country, we rely on European Commission adequacy decisions or Standard Contractual Clauses, supplemented by transfer impact assessments where relevant.
07 Data-subject requests
If a data subject contacts us directly with a request that should be addressed to you, we forward it to you within 5 working days and do not respond ourselves unless you instruct us to. We charge no fee to assist you with reasonable volumes of requests; abusive volumes may be billed at our standard rate.
08 Breach notification
We notify you of any confirmed personal data breach without undue delay and in any event within 48 hours of becoming aware of it, with the information you need to comply with Articles 33 and 34. We assist you with the regulator notification and any communication to data subjects.
09 End of engagement
- Default — we delete all personal data within 30 days of termination and provide written confirmation.
- Alternative — at your request we return all personal data in a portable format before deletion.
- Exception — we may retain copies for the period required by Romanian or EU law (e.g. accounting), kept secure and unused for any other purpose.
10 Contact and DPO
For data-protection matters write to privacy@devsolution.ro. We are not legally required to appoint a DPO under Article 37 GDPR; the founder acts as the contact point. You may also lodge a complaint with the Romanian National Supervisory Authority — dataprotection.ro.