logo
Request a consultation
logo
Request a consultation

GENERAL TERMS OF USE

Digital New Era Ltd.
UIC: 207276590
VAT number: BG207276590
Registered office and management address: Str. Thessaloniki 47, gr. Sofia, Bulgaria
Email: contact@studionewera.com
Phone: +359 885 868 793

Effective from: 10 March 2025.
Latest update: 10 January 2026.

IMPORTANT NOTICE

These Terms and Conditions include integrated Data Processing Agreement (DPA) в Section VIII (Articles 15-23).

DPA is automatically applied when you use the Platform to process personal data of third parties (for example: data of your customers, employees, contractors).

By accepting these Terms and Conditions, you automatically accept the DPA Terms and Conditions.

CONTENTS

SECTION I: General provisions and definitions (Articles 1-2)
SECTION II: Commencement of contractual relations (Articles 3-4)
SECTION III: Revisions and additional requests (Articles 5-6)
SECTION IV: Payments and invoicing (Articles 7-9)
SECTION V: Customer Portal (Articles 10-11)
SECTION VI: Domains and Hosting (Articles 12-13)
SECTION VII: Intellectual property (Article 14)
SECTION VIII: PERSONAL DATA PROCESSING (DPA) (Articles 15-23)
SECTION IX: Customer's Obligations (Articles 24-26)
SECTION X: Liability and limitations (Articles 27-29)
SECTION XI: Termination (Articles 30-32)
SECTION XII: Disputes and applicable law (Articles 33-35)
SECTION XIII: Final Provisions (Articles 36-40)

[Sections I-VII remain the same as in the original document]

SECTION VIII: DATA PROCESSING AGREEMENT (DPA)

IMPORTANT: When does this section apply?

This Section (Articles 15-23) shall apply automatically, when:

  • You upload files containing personal data of third parties (not your personal data)
  • You use the data storage portal of Your customers, employees, contractors
  • Store contracts, invoices, HR documents with personal data of other individuals

Not applicable, when uploading only Your own personal data or data without personal data.

Article 15. Roles in processing personal data

15.1. When the company is Administrator (Data Controller):

The supplier acts as Personal Data Controller For:

  • The personal data of the Customer (name, email, phone, subscription details)
  • Data collected when using the Platform
  • Billing and payment details

The processing of this data shall be governed by Privacy Policy to the Supplier.

15.2. When the company is a Processor:

When the Customer uses the Platform (especially the Customer Portal) for processing of personal data of third parties (e.g. Customer's customers, employees, contractors), then:

  • Client е Administrator (Data Controller) within the meaning of the GDPR
  • Provider е Processor within the meaning of the GDPR
  • The provisions of Article 28 GDPR

15.3. Automatic DPA acceptance:

By accepting these Terms and Conditions, the Customer automatically and unconditionally accept the conditions of the integrated Data Processing Agreement (DPA), set out in Articles 15-23 of this section.

This replaces the need for a separate DPA contract.

Article 16. Subject matter and scope of processing

IMPORTANT: THIS ARTICLE AND ARTICLES 17-23 ONLY APPLY WHEN THE CUSTOMER PROCESSES PERSONAL DATA OF THIRD PARTIES THROUGH THE PLATFORM.

16.1. Subject of processing:

The Processor (the Provider) will process personal data on behalf of the Controller (the Customer) within:

  • Storage of files and documents uploaded to the portal
  • Storage of messages and communications
  • Technical data processing for the purpose of providing the service
  • Backup and data recovery
  • Providing access to data for authorised users

16.2. Categories of personal data (examples):

Depending on what the Customer uploads, this may include:

  • Customer's name, email, phone number
  • Employee data (if the Customer uploads HR documents, contracts)
  • Addresses, bank details, ID number/ID number (from contracts, invoices)
  • Other personal data provided by the Customer

16.3. Categories of data subjects:

  • Clients/customers of the Client
  • Client's employees and job applicants
  • Contractors and partners
  • Any other natural persons whose data the Customer lawfully processes

16.4. Nature and purposes of processing:

  • Objectives: Provision of contracted services, technical storage, backup, recovery
  • Nature of processing: Collect, store, organise, structure, adapt, delete

16.5. Duration:

This DPA shall be in effect for the duration of the underlying contract between the Parties and shall terminate automatically upon termination of the contract.

Article 17. Obligations of the Processor (Provider)

17.1. Processing only as instructed:

The provider undertakes to process the personal data only on the basis of documented instructions from the Client, including:

  • These Terms and Conditions (which are instructions)
  • Customer's actions in the portal (file quality = storage instruction)
  • Written instructions by email or through the portal
  • Instructions on transfers to a third country or international organisation

If the Provider believes that an instruction violates the GDPR or other data protection standards, it immediately notify Customer in writing.

17.2. Privacy:

All employees and associates of the Supplier who have access to the Personal Data:

  • Are they drunk obligation of confidentiality (NDA - Non-Disclosure Agreement)
  • Sa trained about GDPR requirements and data protection
  • Have access only within required (need-to-know basis, principle of least privilege)

17.3. Technical and organisational measures (Article 32 GDPR):

The supplier shall apply the following appropriate technical and organisational measures on data protection:

Technical measures:

  • SSL/TLS encryption (HTTPS) for all communications
  • Encrypted passwords (bcrypt hashing) - never plain text
  • Firewall and DDoS protection (Cloudflare)
  • Rate limiting against brute-force attacks (5 attempts/5 minutes)
  • Regular backups (daily, storage 30 days, encrypted)
  • Malware scanning (automatically)
  • Logging of critical actions (audit logs)
  • File validation (MIME type checking, size limits, format restrictions)

Organizational measures:

  • Role-based access control (RBAC) - different levels of access
  • Restricted access for authorised employees only
  • Regular training staff on GDPR and security (annual)
  • Incident response procedures (documented breach procedures)
  • Regular security audits (internal and external)
  • Vendor risk management (evaluation of the improvers)

The supplier may Update these measures to adapt them to technological developments, provided that does not reduce the level of protection.

17.4. Sub-processors:

The Customer gives GENERAL AUTHORISATION the Supplier to engage the following Improvers to provide the Services:

EnhancingServiceLocationProtective measure
Hostinger International Ltd.Hosting and serversCyprus, EUWithin the EU/EEA
Stripe, Inc.Payment processingUSAStandard Contractual Clauses (SCCs) + Adequacy Decision
Google LLCAnalytics, Email, FontsUSASCCs + Data Processing Agreement
Cloudflare, Inc.CDN, Cache, SecurityUSASCCs + DPA
Microsoft CorporationAnalytics (Clarity)USASCCs + DPA

Current and complete list: https://studionewera.com/subprocessors (updated as changes occur)

When adding a NEW enhancer:

  • Provider notify Client minimum 14 calendar days in advance (by email)
  • The Customer has the right to object within that period with a reasoned reason
  • Upon objection: the parties discuss alternatives or termination of the contract

Provider concludes with each subprocessor a written agreement requiring the same obligations data protection as in this DPA.

The supplier shall bear full responsibility to the Customer for the performance of the obligations by the Improvement Workers. If an Improver fails to perform its obligations, the Supplier shall be liable to the Customer.

17.5. Assistance in exercising the rights of data subjects:

Provider assist the Client in response to requests to exercise the rights of data subjects (Articles 15-22 GDPR):

  • Right of access (Article 15)
  • Right to rectification (Art. 16)
  • Right to erasure / „Right to be forgotten“ (Art. 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Art. 21)

Procedure:

(a) If a request is received directly to the Supplier:

  • Provider Forwarded by the request to the Customer within 48 hours
  • Provider does NOT answer directly to the data subject without instructions from the Client
  • (Because the Customer is the Controller and he decides how to respond)

b) If the Customer requests technical assistance from the Supplier:

  • Data export in machine-readable format (JSON, CSV)
  • Delete specific data from the portal
  • Restriction of processing (temporary suspension of access)
  • It shall be provided within 5 working days of the request

17.6. Assistance in complying with the Client's obligations:

The Supplier shall assist the Customer in:

  • Data Protection Impact Assessment (DPIA) - Article 35 GDPR
    • Provides information on technical measures
    • Assist in risk assessment
  • Prior consultation with the supervisory authority - Article 36 GDPR
    • Provides necessary information and documentation
  • Response to inquiries from the CPD or other supervisory authorities
  • Preparation of documentation (Records of Processing Activities, technical documents)

17.7. Data Breach - Article 33-34 GDPR:

Upon discovery of a data breach (accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access):

Obligations of the Supplier:

a) Immediate notification to the Customer:

  • Without undue delay
  • No later than 24 hours after becoming aware of the infringement
  • By email to the registered address + notification in the portal

b) Content of the notification:

  • Description of the nature of the infringement
  • Categories and approximate number data subjects concerned
  • Categories and approximate number personal data records affected
  • Probable consequences the infringement
  • Measures taken or proposed to remedy the infringement and limit the damage
  • Contact person for further information (name, email, phone)

c) Full assistance:

  • Provider cooperate fully the Customer in the performance of its obligations under:
    • Art. 33 GDPR (notification to a supervisory authority - CPC in Bulgaria - within 72 hours)
    • Art. 34 GDPR (notification of affected data subjects in high-risk situations)
  • Provides all available evidence, logs, information
  • Assist in the investigation and remediation

Important: The Client as Administrator is Responsible for the notification of the CPC and the subjects. The provider only assists.

Article 18. Obligations of the Administrator (Client)

18.1. Legality of processing:

Client WARRANTS AND DECLARES, That:

  • There is legal basis for the processing of personal data under Article 6 GDPR:
    • Consent of the data subject (Article 6(1)(a))
    • Contractual necessity (Article 6(1)(b))
    • Legal obligation (Art. 6(1)(c))
    • Legitimate interest (Article 6(1)(f))
    • Other legal grounds
  • Е informed the data subjects processing (Articles 13-14 GDPR):
    • Through its own Privacy Policy
    • Through information clauses in contracts
    • In another appropriate way
  • Respects the principles of the GDPR (Article 5 GDPR):
    • Legality, integrity, transparency
    • Limiting the targets
    • Data minimization
    • Accuracy
    • Restriction of storage
    • Integrity and Privacy

The Customer assumes FULL RESPONSIBILITY the legality of the instructions given to the Supplier.

18.2. STRICT PROHIBITION of uploading data without legal grounds:

IS CATEGORICALLY PROHIBITED uploading to the portal of:

  • Personal data of third parties WITHOUT legal basis for processing
  • Special categories of data (Art. 9 GDPR) WITHOUT explicit consent and additional protections: - Health data (diagnoses, medical records) - Ethnic or racial data - Religious or philosophical beliefs - Sexual orientation or sex life - Genetic or biometric data (for identification) - Trade union membership - Political beliefs
  • Data for criminal convictions and offences without special permission

If special categories of data need to be uploaded:

  • The customer must have explicit consent by the subject (Article 9(2)(a) GDPR)
  • Or to have other legal basis Article 9(2) GDPR
  • You must inform the Supplier in advance
  • Additional agreement and enhanced protection measures may be required

18.3. Informing data subjects:

When the Customer uploads third party data to the Portal, it is obliged to inform the subjects By:

  • Its own Privacy Policy
  • Information clauses in contracts, forms, website
  • Other appropriate means

Recommended formulation for the Customer Privacy Policy:

„For technical data storage and processing we use the services of Digital New Era Ltd. (UIC: 207276590), a hosting provider based in Bulgaria. Data is stored on secure servers in the European Union. For more information about their Privacy Policy: https://studionewera.com/privacy-policy“

18.4. Full responsibility for uploaded content:

The customer brings FULL AND EXCLUSIVE RESPONSIBILITY For:

  • Legality of all data uploaded to the portal
  • All claims of data subjects, third parties, supervisory authorities
  • Fines and penalties, imposed by the CPC or other supervisory authority due to breach of the Customer
  • Compensation of the Supplier (indemnification) for:
    • Any damages resulting from illegally uploaded data
    • Legal defence costs
    • Reputational damage
    • Fines imposed on the Supplier due to actions of the Customer

The Customer undertakes to indemnify the Supplier in full for all the above damages.

18.5. Instructions to Supplier:

The Customer shall provide clear and lawful instructions to the Supplier.

Client does NOT give instructions, that would result in a violation of the GDPR, the GDPR or other data protection standards.

Article 19. International Data Transfers (Articles 44-50 GDPR)

19.1. Transfers outside the European Economic Area (EEA):

The provider may transfer personal data to sub-processors located outside the EEA (European Union + Norway, Iceland, Liechtenstein).

Reason: Service delivery requires the use of global infrastructure (CDN, cloud services, analytics).

19.2. Safeguards (Articles 44-50 GDPR):

All transfers outside the EEA are subject to appropriate protective measures:

a) Standard Contractual Clauses (SCCs): - Contractual clauses approved by the European Commission - Impose the same data protection obligations as in the EU - Contracted with all non-EEA processors (Stripe, Google, Cloudflare, Microsoft)

b) Data Processing Agreements (DPA): - Separate data processing agreements with each processor - Contain data protection clauses, security measures, breach notification

c) Adequacy Decisions (where applicable): - For some countries the European Commission has recognised an adequate level of protection - Example: Adequacy Decision for certain frameworks and

d) Binding Corporate Rules (BCR) (for groups of companies): - Some improvers have BCRs approved by supervisory authorities

19.3. Transfer Impact Assessment (TIA):

According to post-Schrems II case law (C-311/18), the supplier has committed Transfer Impact Assessment for transfers to the US and found that:

  • Standard Contractual Clauses provide adequate protection
  • Additional technical measures (encryption, pseudonymisation) have been implemented
  • The risk is assessed as acceptable

19.4. Right to information:

The customer may at any time request:

  • Copy of Standard Contractual Clauses, concluded with improvers
  • Information about Transfer Impact Assessment
  • List of all countries, where data are processed

Request: contact@studionewera.com with subject „Request for SCC / TIA information“

19.5. Right to object:

The Customer has the right to object to transfer to a specific country or sub-processor if it considers that the safeguards are insufficient.

In such case, the Parties shall discuss alternative solutions or termination of the contract without penalty to the Customer.

Article 20. Audit and inspection (Art. 28(3)(h) GDPR)

20.1. Right to audit:

The Customer, as Administrator, is entitled to audit and inspection to verify compliance with this DPA and the Supplier's obligations.

Audit Scope:

  • Technical and organisational security measures
  • Data processing procedures
  • Compliance with the Client's instructions
  • Improvement contracts (on request)

20.2. Who can perform the audit:

  • The client in person (if competent)
  • Authorized independent auditor, appointed by the Client (external auditor, consultant)
  • Supervisory authority (CPC) or its representative

20.3. Audit Procedure:

a) Notice:

  • Client notify Supplier minimum 14 calendar days Pre
  • The notification shall include: date, time, scope, persons to carry out the audit

b) Conduct:

  • The audit is carried out during working hours (Mon-Fri, 9am-5pm)
  • The audit does not significantly impair the normal operation of the Supplier
  • Auditors sign an NDA (if not signed in advance)
  • The supplier shall provide necessary assistance и access to documentation, systems (within reason)

c) Limitations:

  • The audit no includes access to data of other customers of the Supplier (for confidentiality reasons)
  • The audit no involves critical production infrastructure that could compromise security

d) Report:

  • Following the audit, a written report
  • In case of non-compliance: the Supplier has 30 days remove them
  • For critical non-conformities: immediate corrective action

20.4. Audit costs:

  • Client covers the costs of the audit (auditors' fees, transport, accommodation)
  • Exception: If the audit finds material breaches the obligations of the Supplier:
    • Provider covers all costs for the audit
    • The supplier covers the costs of corrective actions

20.5. Frequency of audits:

  • Audits may be carried out no more than 1 time per year, unless:
    • There is reasonable suspicion of infringement
    • There is a data breach
    • There is a change in technology or processing
    • Required by a supervisory authority

Article 21. Erasure and return of data (in case of termination)

21.1. Upon termination of the contract:

Upon termination of the basic service contract (for any reason), the Supplier shall at Customer's choice carried out one of the following:

Option A: Wipe

  • Provider deletes ALL personal data, including all copies and backups
  • Term: 30 calendar days after termination of the contract
  • The deletion is irrevocably (secure deletion - impossible to restore)
  • Methods: overwriting, cryptographic erasure

Option B: RETURN

  • The Supplier shall provide the Customer with full copy of all personal data
  • Format: structured, generally accepted, machine-readable Format:
    • JSON (recommended)
    • CSV
    • SQL dump
    • XML
    • Or any other format as requested by the Customer
  • Term: 14 calendar days upon written request from the Customer
  • After return: the supplier deletes all copies by 30 days

How the Customer Chooses:

  • Upon termination: the Customer sends a written request (email) with his choice
  • If the Customer no specify a choice: the default applies Option A (Delete)

21.2. Exceptions (data that SHALL be stored):

The supplier may retain and continue to store certain data when:

a) The legislation REQUIRES mandatory storage: - Accounting documents, invoices: 10 years (Accounting Act) - Tax documents: 6-10 years - Contract documentation: 5 years (Law on Obligations and Contracts)

(b) The data are necessary for defence of legal claims: - If there is a dispute, litigation, arbitration - Pending the dispute + limitation period

(c) The data are completely anonymised: - If the data has been processed in such a way that the CAN'T to contact a specific subject - Then they are no longer „personal data“ and GDPR does not apply

21.3. Written confirmation:

Upon deletion or return, the Supplier shall provide the Customer with written confirmation (certificate of deletion/return), containing:

  • Date of deletion/return
  • Scope of deleted/returned data
  • Method of deletion (if applicable)
  • Exceptions (if there is retained data under 21.2)

21.4. Data Download Period:

The customer has 30 calendar days after termination of the contract to download all its files and data from the portal, before final deletion.

After the 30 days:

  • Access is terminated completely
  • Data is permanently deleted
  • Refund NOT POSSIBLE

Article 22. Liability and indemnity (under DPA)

22.1. Liability under Article 82 GDPR:

The parties shall be liable under Article 82 GDPR (right to compensation and liability):

a) The Processor (Provider) is liable for any damage caused by the processing, IF: - Failed to comply with its obligations under the GDPR specifically aimed at processors - OR acted outside or contrary to with the instructions of the Administrator (Customer)

b) The Administrator (Customer) is liable for damages caused by: - Illegal or unlawful instructions to the Provider - Lack of lawful basis for the processing - Uploading data without consent or permission

Discharge:

  • Each Party shall be relieved of liability if it proves that in any way not responsible for the event leading to the damage.

22.2. Indemnification:

Compensation from the Processor (Supplier):

The Supplier undertakes to compensate and protect Client for:

  • Fines, imposed by the CPC or other supervisory authority due to breach of the Supplier
  • Claims by data subjects for compensation due to breach of the Supplier
  • Protection costs (lawyers' fees, court costs)
  • Reputational damage, if caused by actions of the Supplier

Compensation from the Administrator (Customer):

The Customer undertakes to compensate and protect Supplier for:

  • Fines, imposed on the Supplier due to illegal instructions or actions of the Customer
  • Claims by data subjects for data, uploaded by the Customer without lawful basis
  • Claims by third parties for copyright infringement, confidentiality, etc. from Customer's materials
  • All costs for defence, including lawyers' fees

22.3. Limit of liability:

Despite the above provisions, general liability of the Supplier (including under the DPA) is limited according to Article 27 of these Terms and Conditions:

  • Monthly subscription: last 3 monthly fees
  • Annual subscription: 50% of the annual fee

Exception: This restriction NOT APPLICABLE For:

  • Deliberate acts or gross negligence of the Supplier
  • Breach of confidentiality obligations
  • Fines imposed by supervisory authorities (these are due in full)

Article 23. Special provisions for DPA

23.1. Priority of DPA provisions:

At contradiction between:

  • The general provisions of the General Terms and Conditions (Sections I-VII, IX-XIII), И
  • The provisions of the DPA (Section VIII, Articles 15-23) on the processing of personal data

ADVANTAGE HAVE the provisions of DPA (Articles 15-23).

23.2. Severability:

The DPA provisions (Articles 15-23) may be self-apply и independently from the other articles of the General Terms and Conditions.

If any provision of the DPA is held to be invalid, this does not affect the validity of other provisions of the DPA or the General Terms and Conditions as a whole.

23.3. Explicit confirmation and declaration:

  • By accepting these Terms and Conditions (by registering, confirming subscription or payment), the Customer EXPRESSLY CONFIRMS AND DECLARES, That:
  • Well read and fully understands the provisions of the DPA (Articles 15-23)
  • Accepts unconditionally the terms and conditions of the DPA and undertakes to comply with them
  • Understands its obligations as Administrator (Data Controller) when uploading personal data of third parties
  • Understands the role the Provider as Processor
  • NO WAY personal data in the portal WITHOUT legal basis for processing
  • NO WAY special categories of data (Article 9 GDPR) without explicit consent and additional protection
  • I WILL INFORM the data subjects for the processing by the Provider
  • ACCEPTS FULL RESPONSIBILITY for the legality of the uploaded data and will indemnify the Provider in case of violation

23.4. Applicable law for DPA:

DPA is governed by:

  • Regulation (EU) 2016/679 (GDPR) - directly applicable in all Member States
  • Personal Data Protection Act (PDPA) - Bulgarian legislation
  • Legislation of the Republic of Bulgaria (total)

23.5. Language versions:

The official language of the DPA is English. When translating into other languages, the Bulgarian version is valid.

SECTION IX-XIII: [The remaining sections remain the same]

Sections IX (Customer Obligations), X (Liability), XI (Termination), XII (Disputes), XIII (Final) remain the same as in the original document but are renumbered as they are now Articles 24-40 instead of 15-31.

CONFIRMATION OF ACCEPTANCE

By registering, confirming subscription and/or payment, the Customer expressly declares that:

  • Has carefully and completely read these Terms and Conditions (all 40 articles)
  • Has read and understands the integrated DPA (Section VIII, Articles 15-23)
  • Accepts the terms of the DPA and undertakes not to upload personal data without lawful basis
  • Understands and accepts all other provisions, conditions, rights and obligations
  • Is aware of the risks associated with the use of digital services
  • Accepts the limitations of liability
  • Understands ownership on a monthly vs annual plan
  • Will comply with the Acceptable Use Policy
  • Takes responsibility for uploaded content

CONTACTS:

Digital New Era Ltd.
UIC: 207276590
VAT number: BG207276590
Address. 47, Thessaloniki, gr. Sofia, Bulgaria
Email: contact@studionewera.com
Phone: +359 885 868 793
Website: https://studionewera.com
Customer portal: https://portal.studionewera.com

For Data Protection issues: contact@studionewera.com with subject „Data Protection Inquiry“

Date of acceptance: 10 March 2025.
Latest update: 10 January 2026.

© 2026 Digital New Era Ltd. All rights reserved.

NOTE: This document contains an integrated Data Processing Agreement (DPA) in Section VIII. No separate signing of the DPA is required - it is automatically accepted with acceptance of the Terms and Conditions.

Find us
+359 885 868 793
+359 888 280 668
contact@studionewera.com
gr. Sofia, ul. Solun 47
gr. Gabrovo, bul. Aprilov 26
Useful links
Terms and Policies
© All Rights Reserved

Website from Digital New Era