
Data Processing Agreement

Agreement between The Salon Suite (data processor) and the salon operator (data controller) pursuant to UK GDPR Article 28.

Last updated: 24 March 2026

Parties to this Agreement

Data Controller ("Controller"): The salon operator who registers for and uses The Salon Suite (identified by the Account holder's details).

Data Processor ("Processor"): [Company Name] trading as The Salon Suite, with registered office at [Your Address] and ICO Registration Number [Your ICO Number].

This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the Terms of Service between the Controller and the Processor. By using the Service, the Controller agrees to the terms of this DPA.

Contents

  1. Definitions
  2. Scope and Purpose of Processing
  3. Obligations of the Processor
  4. Obligations of the Controller
  5. Sub-processors
  6. International Transfers
  7. Security Measures
  8. Data Breach Notification
  9. Data Subject Requests
  10. Data Protection Impact Assessments
  11. Audits and Compliance
  12. Duration and Termination
  13. Governing Law
  14. Contact

1. Definitions

In this DPA, the following terms have the meanings set out below. Terms not defined here have the meanings given to them in the UK GDPR or the Terms of Service.

  • "Controller" means the salon operator who determines the purposes and means of the processing of Personal Data relating to their salon clients, as defined in UK GDPR Article 4(7).
  • "Processor" means [Company Name] trading as The Salon Suite, which processes Personal Data on behalf of the Controller, as defined in UK GDPR Article 4(8).
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA — primarily the salon's clients.
  • "Personal Data" means any information relating to a Data Subject as defined in UK GDPR Article 4(1), including names, contact details, appointment records, colour formulas, consultation notes, allergy information and photographs.
  • "Special Category Data" means Personal Data revealing racial or ethnic origin, health data (including allergies and skin/scalp conditions) or other categories listed in UK GDPR Article 9(1).
  • "Processing" means any operation or set of operations performed on Personal Data, as defined in UK GDPR Article 4(2), including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, alignment, restriction, erasure or destruction.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data, as defined in UK GDPR Article 4(12).
  • "UK GDPR" means the United Kingdom General Data Protection Regulation, being the retained EU law version of Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
  • "DPA 2018" means the Data Protection Act 2018.

2. Scope and Purpose of Processing

2.1. The Processor shall process Personal Data solely for the purpose of providing the salon management Service to the Controller, as described in the Terms of Service.

2.2. The subject matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data and categories of Data Subjects are as follows:

Subject matter: Processing of Personal Data entered into or generated by the Salon Suite web application in the course of the Controller's salon management activities.

Duration: For the duration of the Controller's subscription to the Service and for up to thirty (30) days following termination, plus an additional thirty (30) days for deletion from backups, unless a longer period is required by UK law.

Nature and purpose of processing: Collection, storage, organisation, retrieval, consultation, use, transmission, and deletion of Personal Data in order to provide salon management functionality, including appointment management, client records, colour formulas, consultation records, client communications, and related business analysis and reporting.

Types of Personal Data: Names, contact details (email address, phone number, postal address), appointment history, service history, colour formulas, consultation notes, photographs, marketing preferences, and, where recorded by the Controller, limited health or allergy information relating to hair and beauty services.

Categories of Data Subjects: The Controller's salon clients and prospective clients; the Controller's staff members who are set up as users within the Service; and the Controller as account holder.

2.3. The Processor shall not process Personal Data for any purpose other than those specified in this DPA, unless required to do so by United Kingdom law, in which case the Processor shall inform the Controller of that legal requirement before processing (unless the law prohibits such information on important grounds of public interest).

3. Obligations of the Processor

The Processor shall:

3.1. Processing Instructions

Process Personal Data only on the documented instructions of the Controller (which are set out in this DPA, the Terms of Service and any subsequent written instructions), including with regard to transfers of Personal Data to a third country or international organisation, unless required to do so by United Kingdom law. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the UK GDPR or other UK data protection provisions.

3.2. Confidentiality

Ensure that all persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. This includes all employees, contractors and agents of the Processor who may have access to Personal Data in the course of their duties.

3.3. Security

Implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by UK GDPR Article 32, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects. These measures are detailed in Section 7 of this DPA.

3.4. Sub-processors

Not engage another processor (sub-processor) without prior specific or general written authorisation of the Controller, and comply with the requirements set out in Section 5 of this DPA.

3.5. Data Subject Requests

Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests from Data Subjects exercising their rights under Chapter III of the UK GDPR (access, rectification, erasure, portability, restriction and objection). See Section 9 of this DPA.

3.6. Compliance Assistance

Assist the Controller in ensuring compliance with the obligations pursuant to UK GDPR Articles 32 to 36, taking into account the nature of processing and the information available to the Processor. This includes assistance with:

  • Security of processing (Article 32);
  • Notification of a personal data breach to the supervisory authority (Article 33);
  • Communication of a personal data breach to the data subject (Article 34);
  • Data protection impact assessments (Article 35) — see Section 10;
  • Prior consultation with the ICO (Article 36).

3.7. Deletion or Return of Data

At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of the Service, and delete existing copies unless United Kingdom law requires storage of the Personal Data. The Controller may request data export at any time during the subscription and for thirty (30) days following termination. After this period, the Processor shall permanently delete all Personal Data, including from backup systems, within thirty (30) additional days.

3.8. Demonstration of Compliance

Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in UK GDPR Article 28 and this DPA, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. See Section 11 of this DPA.

4. Obligations of the Controller

The Controller shall:

  • 4.1. Ensure that it has a valid lawful basis under UK GDPR Article 6 (and, where applicable, Article 9 for special category data such as allergy and health information) for the collection and processing of Personal Data entered into the Service.
  • 4.2. Provide appropriate privacy notices to Data Subjects informing them of the processing of their Personal Data, including the involvement of the Processor.
  • 4.3. Ensure that it has obtained any necessary consents from Data Subjects for the processing of their Personal Data through the Service, including consent for the sending of appointment reminders via email and SMS.
  • 4.4. Ensure that all Personal Data provided to the Processor is accurate and up to date.
  • 4.5. Promptly inform the Processor of any data subject requests received directly and cooperate with the Processor to fulfil such requests.
  • 4.6. Comply with all applicable data protection laws in relation to Personal Data processed through the Service.
  • 4.7. Not provide instructions to the Processor that would cause the Processor to violate applicable data protection law.

5. Sub-processors

5.1. Authorised Sub-processors

The Controller provides general written authorisation for the Processor to engage the following sub-processors for the purposes specified:

Sub-processor | Purpose | Data Processed | Location
Supabase, Inc. | Database hosting, authentication, data storage | All Client Data, Account Data | EU (Frankfurt) / US
Vercel, Inc. | Application hosting and content delivery | IP addresses, usage data (transient) | Global CDN (US, EU)
Stripe, Inc. | Payment processing for subscriptions | Billing data (not Client Data) | US / EU
Resend, Inc. | Transactional email delivery (appointment reminders, notifications) | Client email addresses, email content | US
Twilio, Inc. | SMS delivery (appointment reminders) | Client phone numbers, SMS content | US

5.2. Engagement of New Sub-processors

The Processor shall notify the Controller in writing (via email to the address associated with the Controller's Account) at least thirty (30) days before engaging any new sub-processor or replacing an existing sub-processor. The notification shall include the name of the sub-processor, the processing activities to be carried out, and the location of processing.

The Controller shall have the right to object to the appointment of a new sub-processor on reasonable data protection grounds by notifying the Processor in writing within fourteen (14) days of receiving the notification. If the Controller objects and the Processor cannot reasonably accommodate the objection, either party may terminate the affected Service by providing thirty (30) days' written notice.

5.3. Sub-processor Obligations

The Processor shall:

  • Enter into a written agreement with each sub-processor that imposes data protection obligations no less protective than those set out in this DPA;
  • Ensure that each sub-processor provides sufficient guarantees to implement appropriate technical and organisational measures;
  • Remain fully liable to the Controller for the performance of each sub-processor's obligations.

6. International Transfers

6.1. The Processor acknowledges that certain sub-processors listed in Section 5 are located outside the United Kingdom. Where Personal Data is transferred to a country outside the UK that is not covered by adequacy regulations made by the Secretary of State, the Processor shall ensure that appropriate safeguards are in place in accordance with UK GDPR Article 46, supplemented where necessary by additional technical and organisational measures, including:

  • The UK International Data Transfer Agreement (IDTA) issued by the ICO; or
  • EU Standard Contractual Clauses (SCCs) supplemented by the UK Addendum (International Data Transfer Addendum to the EU Commission Standard Contractual Clauses).

6.2. The Processor shall conduct a transfer risk assessment (transfer impact assessment) for each international transfer, evaluating the legal framework of the recipient country and any supplementary measures necessary to ensure an essentially equivalent level of protection.

6.3. The Processor shall inform the Controller if it becomes aware of any change in circumstances that may affect the lawfulness or adequacy of safeguards for international transfers, and shall cooperate with the Controller to implement additional safeguards if necessary.

6.4. Copies of the relevant transfer mechanisms are available upon request by emailing hello@thesalonsuite.uk.

7. Security Measures

7.1. In accordance with UK GDPR Article 32, the Processor implements and maintains the following technical and organisational security measures:

Technical Measures

  • Encryption of all data in transit using TLS 1.2 or higher;
  • Encryption of sensitive data at rest using AES-256;
  • Password hashing using bcrypt with an appropriate cost factor;
  • Role-based access controls restricting data access to authorised personnel;
  • Regular patching and updating of software and dependencies;
  • Automated monitoring and alerting for security anomalies;
  • Secure software development lifecycle practices;
  • Infrastructure hosted with providers holding SOC 2 Type II attestations (Supabase, Vercel).

Organisational Measures

  • Confidentiality obligations binding all staff with access to Personal Data;
  • Data protection awareness training for all relevant personnel;
  • Access to Personal Data on a need-to-know basis only;
  • Regular review and assessment of security measures;
  • Documented incident response procedures;
  • Business continuity and disaster recovery planning.

7.2. The Processor shall regularly test, assess and evaluate the effectiveness of these measures and shall update them as necessary to reflect changes in technology, threats, and the nature of the Personal Data processed.

8. Data Breach Notification

8.1. The Processor shall notify the Controller of any Data Breach without undue delay and in any event within twenty-four (24) hours of becoming aware of the breach.

8.2. The notification shall include, to the extent available at the time of notification:

  • A description of the nature of the Data Breach, including (where possible) the categories and approximate number of Data Subjects and Personal Data records concerned;
  • The name and contact details of the Processor's data protection contact;
  • A description of the likely consequences of the Data Breach;
  • A description of the measures taken or proposed to be taken to address the Data Breach, including measures to mitigate its possible adverse effects.

8.3. Where it is not possible to provide all information at the time of initial notification, the Processor shall provide the information in phases without further undue delay as it becomes available.

8.4. The Processor shall cooperate with the Controller and take commercially reasonable steps to assist in the investigation, mitigation and remediation of the Data Breach.

8.5. The Processor shall document all Data Breaches, including the facts relating to the breach, its effects and the remedial action taken, and shall make this record available to the Controller so that the Controller can meet its own documentation obligation under UK GDPR Article 33(5).

8.6. The 24-hour notification period under this DPA is designed to give the Controller sufficient time to meet their own obligation to notify the ICO within 72 hours of becoming aware of a breach (UK GDPR Article 33(1)).

9. Data Subject Requests

9.1. If the Processor receives a request directly from a Data Subject exercising their rights under UK GDPR Chapter III (including rights of access, rectification, erasure, restriction, portability and objection), the Processor shall promptly notify the Controller and shall not respond to the request directly unless authorised to do so by the Controller or required by law.

9.2. The Processor shall assist the Controller in fulfilling Data Subject requests by:

  • Providing the Controller with the technical ability to export, correct or delete Client Data through the Service's built-in functionality;
  • Providing additional technical assistance where the Service's standard functionality is insufficient to fulfil a particular request;
  • Responding promptly (within five business days) to the Controller's requests for assistance.

9.3. The Processor may charge a reasonable fee for assistance with Data Subject requests that are manifestly unfounded, excessive or require substantial bespoke technical work beyond the Service's standard functionality.

10. Data Protection Impact Assessments

10.1. The Processor shall provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments (DPIAs) under UK GDPR Article 35, where the Controller's use of the Service is likely to result in a high risk to the rights and freedoms of Data Subjects.

10.2. The Processor shall provide the Controller with such information about the Processing as may be reasonably necessary for the Controller to carry out a DPIA, including information about the Processor's security measures, sub-processors and data flows.

10.3. Where a DPIA indicates that prior consultation with the ICO is required under UK GDPR Article 36, the Processor shall cooperate with the Controller and the ICO as necessary.

11. Audits and Compliance

11.1. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in UK GDPR Article 28 and this DPA.

11.2. The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent third-party auditor mandated by the Controller, subject to the following conditions:

  • The Controller shall provide at least thirty (30) days' written notice of any proposed audit;
  • Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations;
  • The Controller (or its auditor) shall comply with reasonable confidentiality obligations and the Processor's security policies during the audit;
  • Audit scope shall be limited to the Processor's processing activities under this DPA;
  • The Controller shall bear the costs of any audit, unless the audit reveals material non-compliance by the Processor.

11.3. The Processor may satisfy audit requirements by providing:

  • Relevant third-party certifications or audit reports (e.g. SOC 2 reports from sub-processors);
  • Responses to written audit questionnaires;
  • Summary documentation of security measures and compliance practices.

11.4. Audits shall be limited to once per twelve-month period, unless a Data Breach has occurred or the Controller has reasonable grounds to believe the Processor is in breach of this DPA.

12. Duration and Termination

12.1. This DPA shall commence on the date the Controller creates an Account and shall continue for the duration of the Controller's use of the Service.

12.2. This DPA shall automatically terminate when the Controller's subscription ends and all Personal Data has been deleted or returned in accordance with Section 3.7.

12.3. Obligations in this DPA that by their nature should survive termination shall continue to apply after termination, including Sections 3.2 (Confidentiality), 3.7 (Deletion or Return of Data), 8 (Data Breach Notification) and 13 (Governing Law).

12.4. Upon termination:

  • The Controller shall have thirty (30) days to export all Personal Data using the Service's export functionality;
  • After the 30-day export period, the Processor shall permanently delete all Personal Data from its active systems;
  • Personal Data in backup systems shall be deleted within thirty (30) additional days of deletion from active systems;
  • The Processor shall provide written confirmation of deletion upon the Controller's request.

13. Governing Law

13.1. This DPA is governed by and construed in accordance with the laws of England and Wales.

13.2. Any dispute arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.

13.3. In the event of any conflict between the terms of this DPA and the Terms of Service, the terms of this DPA shall prevail with respect to data protection matters.

14. Contact

For any questions regarding this Data Processing Agreement or data protection matters, please contact:

  • Data Protection Contact: hello@thesalonsuite.uk
  • Company: [Company Name] trading as The Salon Suite
  • Address: [Company Address]
  • ICO Registration: [ICO Number]
  • Website: thesalonsuite.uk

© 2026 [Company Name] trading as The Salon Suite. All rights reserved.
