Data Processing Agreement

Last updated: June 21, 2026

This data processing agreement (hereinafter: "Data Processing Agreement") forms an integral part of the terms of service between De Rechter Software and the Customer (hereinafter: the "Agreement"). It sets out the arrangements regarding the processing of personal data that De Rechter Software carries out on behalf of the Customer in providing Stippa, in accordance with Article 28 of the General Data Protection Regulation (GDPR).

1. Parties and roles

  • Controller: the Customer, who determines the purposes and means of the processing of the personal data of its End Clients.
  • Processor: De Rechter Software, a sole proprietorship established at Molenwater 20, 4511 BN Breskens, the Netherlands, Chamber of Commerce number 98466402, VAT number NL005332100B80, operator of Stippa, which processes the personal data solely on behalf of and on the instructions of the Customer.

2. Subject matter, nature, duration and purpose of the processing

The Processor processes personal data solely for the purpose of providing the Stippa service: a platform for managing and booking appointments, managing customers and staff, sending notifications and processing payments. The processing continues for as long as the Agreement is in force and ends in accordance with section 10.

3. Categories of data and data subjects

The processing concerns the following categories of data subjects and personal data:

  • Data subjects: End Clients of the Customer and staff of the Customer.
  • Data: name, email address, phone number, appointment data (date, time, service, staff member, notes) and payment-related data (via Stripe; no full card details).

The Processor does not process special categories of personal data, unless the Customer enters these itself; the Customer is responsible for that and warrants a lawful basis.

4. Obligations of the Processor

  • The Processor processes the personal data solely on the basis of documented instructions from the Customer, including the Agreement, also with regard to transfers to a third country, unless a legal obligation provides otherwise; in that case the Processor notifies the Customer in advance, unless that legislation prohibits this.
  • The Processor immediately notifies the Customer if, in its opinion, an instruction infringes the GDPR or other applicable data protection rules.
  • The Processor ensures that persons who have access to the personal data are bound by a duty of confidentiality.
  • The Processor takes appropriate technical and organisational measures (see section 5).
  • The Processor provides the Customer with reasonable cooperation in responding to data subjects' requests (access, rectification, erasure, restriction, data portability and objection) and in fulfilling the Customer's obligations under Articles 32 to 36 GDPR (security, notification of data breaches, data protection impact assessments and prior consultation of the supervisory authority).
  • The Processor does not use the personal data for its own purposes and never sells it.

5. Security measures

The Processor takes at least the following measures:

  • Encryption of data in transit (TLS 1.2 or higher) and at rest;
  • Encryption of sensitive tokens with AES-256-GCM before storage;
  • Role-based access control with row-level security in the database;
  • Logging of changes (audit logs) for the purpose of security and traceability;
  • Regular assessment of the effectiveness of the measures.

6. Sub-processors

The Customer grants the Processor general authorisation to engage the sub-processors listed below:

  • Supabase Inc. for database hosting (hosted in the EU)
  • Vercel Inc. for hosting of the web application
  • Upstash, Inc. for rate limiting and abuse prevention (transient processing of IP addresses)
  • Cloudflare, Inc. for bot and abuse protection (Turnstile)
  • Sentry (Functional Software, Inc.) for error monitoring and application stability
  • Inngest, Inc. for background job execution, such as sending reminders
  • Grafana Labs for log management (Loki), only when enabled
  • Stripe Payments Europe Ltd. and Mollie B.V. for payment processing (Mollie is hosted in the EU)
  • Resend, Inc. for transactional email delivery (confirmations, reminders and notifications)
  • Twilio Inc. / WhatsApp Business for optional messaging services
  • PostHog for product analytics

The following integrations are only enabled when the Customer or a staff member connects them: Google LLC for calendar synchronisation (see the privacy policy) and Moneybird B.V. for an accounting integration.

The Processor imposes by contract on each sub-processor the same data protection obligations as set out in this Data Processing Agreement. The Processor remains fully liable to the Customer for the performance of the obligations by the sub-processor.

In the event of an intended change or addition of a sub-processor, the Processor informs the Customer at least 30 days in advance. The Customer may object to the change on reasonable grounds within that period; the parties will then enter into consultation. If no solution is reached, the Customer may terminate the relevant service or the Agreement.

7. Transfers outside the EEA

To the extent that personal data is transferred to a sub-processor outside the European Economic Area, such transfer takes place solely on the basis of an appropriate safeguard in accordance with Chapter V GDPR: for transfers to the United States, primarily on the basis of the EU-US Data Privacy Framework (adequacy decision of the European Commission of 10 July 2023) for parties certified thereunder, and as an additional or fallback safeguard on the basis of the European Commission's standard contractual clauses (Standard Contractual Clauses, implementing decision (EU) 2021/914).

8. Data breaches

The Processor informs the Customer without undue delay, and at the latest within 48 hours, after it has become aware of a personal data breach. In doing so, the Processor provides the information that the Customer reasonably needs in order to comply with its potential notification obligation to the Dutch Data Protection Authority and to data subjects.

9. Audits

Upon request, the Processor makes available to the Customer the information necessary to demonstrate compliance with the obligations referred to in Article 28 GDPR. The Customer may, with due observance of a reasonable notice period and at most once per year, carry out (or have carried out) an audit by the Customer itself or an independent auditor mandated by the Customer. The reasonable costs thereof are borne by the Customer, unless the audit reveals a material shortcoming on the part of the Processor.

10. Return and deletion

After termination of the Agreement, the Processor will, at the Customer's choice, either make all personal data available to the Customer as a data export or delete it, and delete existing copies, unless a statutory retention obligation (such as the tax retention obligation for payment data) provides otherwise. In the absence of a choice within the 30-day period referred to in the terms of service, the data is deleted.

11. Liability and governing law

The liability provisions and the governing law from the terms of service apply to this Data Processing Agreement. In the event of a conflict between this Data Processing Agreement and the terms of service, this Data Processing Agreement prevails to the extent that it concerns the processing of personal data.

12. Contact

For questions about this Data Processing Agreement or for a signed copy, please contact support@stippa.nl.

© 2026 Stippa. All rights reserved.

De Rechter Software · Molenwater 20, 4511 BN Breskens · Chamber of Commerce 98466402 · VAT NL005332100B80
