Privacy
Policy

At DIGITAL PROTOTYPE LTD ("Company", "we", "our", "us"), we engineer proprietary software systems and manage enterprise infrastructure. As architects of complex digital environments, we treat data privacy not merely as a regulatory compliance checklist, but as a foundational cryptographic imperative.

This Privacy Policy meticulously outlines our data governance protocols, detailing how we collect, process, secure, and eventually destroy personal data. This document is fully aligned with the General Data Protection Regulation (EU) 2016/679 (GDPR), the Austrian Data Protection Act (DSG), and the Digital Operational Resilience Act (DORA).

For the purposes of the GDPR, DIGITAL PROTOTYPE LTD acts as the Data Controller for information collected via this website and during our initial consulting engagements. When we execute custom development, legacy migrations, or manage client infrastructure, we act strictly as a Data Processor, governed by dedicated Data Processing Agreements (DPAs) and rigid Service Level Agreements (SLAs).

We apply a principle of strict data minimization. We only ingest telemetry and personal data that is mathematically necessary to fulfill our engineering and business obligations.

• Identity and Communication Data: When you request an architectural audit or contact us, we collect your full name, corporate email address, corporate phone number, job title, and enterprise affiliation.
• Infrastructure and Diagnostic Telemetry: If you engage us for a diagnostic audit, we may process IP addresses, server logs, network routing configurations, and system metadata. Note: We do not access the payload of your proprietary databases during preliminary audits unless explicitly authorized under a cryptographic NDA.
• Financial and Transactional Data: For executed retainers, we process billing addresses, corporate tax identification numbers (e.g., VAT ID), and payment routing data. (Payment processing is handled via secure, PCI-DSS compliant third-party gateways; we do not store raw credit card numbers).

We do not sell, broker, or monetize your personal data. Processing is executed exclusively for the following deterministic outcomes:

• Contractual Execution (Art. 6(1)(b) GDPR): To blueprint, engineer, and deploy bespoke software solutions, perform legacy monolith migrations, and uphold our rigorous SLAs.
• Sovereign Perimeter Control and Security (Art. 6(1)(f) GDPR): To continuously monitor our own digital perimeter and the infrastructure we manage for our clients. We process access logs and threat telemetry to actively deflect cyber-attacks, neutralize lateral network movement, and ensure the integrity of our systems.
• Regulatory Compliance (Art. 6(1)(c) GDPR): To maintain auditable financial records, comply with EU tax regulations, and adhere to mandatory corporate reporting directives.

Relying on implicit network trust is a critical vulnerability. DIGITAL PROTOTYPE LTD enforces a strict Sovereign Perimeter Control architecture across all internal systems and client deployments.

Every data request—regardless of origin—is subjected to continuous, deterministic authentication. We utilize mutual TLS (mTLS) for all internal microservice communications. Personal and corporate data at rest is encrypted using AES-256 standard, and data in transit is secured via TLS 1.3. We deploy granular Role-Based Access Control (RBAC), ensuring that our own engineers only have ephemeral, time-boxed access to data environments precisely when required for incident resolution or deployment operations.

We are committed to European digital sovereignty. Our primary compute clusters, code repositories, and telemetry databases are geographically constrained to data centers within the European Economic Area (EEA), primarily in Austria and Germany.

When we utilize third-party sub-processors (e.g., specific cloud infrastructure providers, specialized CI/CD tooling), we ensure they are bound by strict DPAs. If a sub-processor transfers data outside the EEA, we mathematically enforce compliance through the execution of Standard Contractual Clauses (SCCs) as mandated by the European Commission, augmented by additional cryptographic safeguards.

Data is a liability if stored indefinitely. We enforce automated, deterministic data destruction protocols:

• Consultation Data: If an initial architectural consultation does not result in an executed contract, associated communication data is purged from our active systems within 12 months.
• Contractual and SLA Data: Retained for the duration of the active retainer, plus an additional 7 years to comply with Austrian commercial and tax law (UGB, BAO).
• Diagnostic Logs: System logs and telemetry processed for security purposes are subjected to automated log rotation and are permanently overwritten after 90 days, unless required for active forensic investigation.

As a data subject under the GDPR, you possess uncompromising rights regarding your personal information:

• Right to Access (Art. 15): Request a full, transparent export of the personal data we hold about you.
• Right to Rectification (Art. 16): Demand the immediate correction of mathematically or factually inaccurate data.
• Right to Erasure / "Right to be Forgotten" (Art. 17): Mandate the cryptographic destruction of your data, provided it is no longer required for legal compliance or active SLA fulfillment.
• Right to Portability (Art. 20): Receive your data in a structured, commonly used, and machine-readable format.
• Right to Object (Art. 21): Object to processing based on legitimate interests.

To exercise these rights, initiate a formal request to our Data Protection Officer at legal123prototype.at. We guarantee a deterministic response and resolution within 30 days.

Our web platform avoids aggressive marketing trackers. We utilize strictly necessary session cookies required to maintain state logic (e.g., maintaining your context if you interact with our secure client portals). Any analytical telemetry gathered is fully anonymized on the edge before it hits our databases, ensuring we can monitor page performance without tracking individual user behavior across the internet.

As technology and regulatory frameworks evolve, so will our documentation. We treat this Privacy Policy as a version-controlled asset. Any substantial modifications to our data processing algorithms will be published on this exact URL.

Last Compiled and Verified: October 2024 (Version 3.1.0)