Data Processing Agreement (DPA)
Draft — subject to legal review before launch · Annex to the Terms of Service
Preamble
This Data Processing Agreement (DPA) forms an integral part of the Terms of Service and governs the processing that the Processor (Mészáros János, sole proprietor, the operator of GrabTheSlot) performs on behalf of the Controller (the Subscriber) within the GrabTheSlot service, in accordance with Article 28 of Regulation (EU) 2016/679 (GDPR).
This DPA enters into force automatically upon acceptance of the Terms of Service for every Subscriber and remains in force for the duration of the subscription.
1. Parties and definitions
- Controller: the Subscriber — the business using GrabTheSlot, which determines the purposes and means of processing its own end-customers' personal data.
- Processor: Mészáros János, sole proprietor, the operator of GrabTheSlot, who processes personal data on behalf of and according to the instructions of the Controller.
- Data subjects: the Controller's end-customers (people who book) and the staff members of the Controller's account.
- Sub-processor: a third party engaged by the Processor to carry out processing tasks (listed in Section 5).
2. Subject matter, nature, purpose and duration
- Subject matter: processing of the personal data of the Controller's end-customers and staff members through the GrabTheSlot booking platform.
- Nature: storage, modification, retrieval, deletion, structured organisation, backup, and anonymised statistical aggregation.
- Purpose: the technical provision of the booking, client management and notification service to the Controller.
- Duration: the subscription term plus the retention and deletion periods defined in Section 8.
3. Categories of data subjects and data
- Identifiers: name, email address, phone number
- Booking data: time, selected service, assigned staff member, price
- Client notes recorded by the Controller
- Log data: IP address, browser, timestamps of booking events (technical purposes)
- Staff data: name, email, role, permissions
The Processor does NOT process payment card or payment data; these are processed exclusively by Paddle (Merchant of Record), which acts as an independent controller for payment data.
4. Obligations of the Processor (GDPR Art. 28(3))
The Processor undertakes to:
- process personal data only on the Controller's documented instructions, including transfers to third countries;
- ensure that persons authorised to process the data are bound by confidentiality;
- implement the technical and organisational measures required by GDPR Art. 32 (Section 6);
- engage sub-processors only under the general authorisation of Section 5, giving the Controller the opportunity to object to changes;
- assist the Controller in responding to data subject rights requests (GDPR Art. 12–22);
- assist the Controller with its obligations under GDPR Art. 32–36 (security, breach notification, impact assessments);
- at the end of the engagement, return or delete the personal data at the Controller's choice;
- make available the information necessary to demonstrate compliance and allow audits requested by the Controller.
5. Sub-processors
By accepting this DPA, the Controller grants general authorisation for the following sub-processors:
| Sub-processor | Purpose | Data location |
|---|---|---|
| Supabase Inc. | Database operation, authentication, file storage | EU (Frankfurt, Germany) |
| Hetzner Online GmbH | Server operation and hosting | EU (Nuremberg / Falkenstein, Germany) |
| Resend Inc. | Transactional email delivery | US (EU–U.S. Data Privacy Framework) |
| Paddle.com Market Limited | Payment processing (Merchant of Record) — solely for the Controller's own billing data | EU / UK |
New sub-processors: the Processor announces any new sub-processor by email at least 30 days before the change takes effect. The Controller may object; if no agreement is reached within a reasonable period, the Controller may terminate the subscription with immediate effect.
6. Security measures (GDPR Art. 32)
- Encryption in transit: all HTTP traffic over TLS 1.2+ (HSTS enabled)
- Encryption at rest: database and file storage encrypted within the Supabase / Hetzner infrastructure
- Tenant isolation: Row-Level Security (RLS) rules ensure each Subscriber's data is reachable only by its own account
- Access control: strong password policy, hashed credentials, session limits
- Role-based access (RBAC): separate owner / staff / delegated roles with layered authorisation checks
- Logging and incident detection: system error logs, booking audit log
- Backups: automated daily backups
- Data minimisation: only data necessary for providing the service is stored
- Internal access restriction: production data is accessible only to the person responsible for operations, in a documented manner
7. Personal data breaches (GDPR Art. 33)
Upon detecting a personal data breach, the Processor notifies the Controller by email without undue delay, and no later than 48 hours after becoming aware of it, including the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed. The Controller is responsible for notifying its competent supervisory authority under GDPR Art. 33; the Processor provides all necessary information.
8. Return and deletion
Upon termination of the subscription, the Controller may export its data; after a grace period allowing reactivation, the Processor deletes the personal data, except where retention is required by EU or member state law (e.g. invoicing records).
9. International transfers
Personal data is stored primarily within the EEA (Germany). Transfers outside the EEA happen only with the safeguards of GDPR Chapter V:
- Resend Inc. (US): under the EU–U.S. Data Privacy Framework adequacy decision.
- Paddle.com Market Limited (UK): under the European Commission's adequacy decision for the United Kingdom.