1. Parties and scope
This DPA is entered into between Polooma (Processor) and the Customer (Controller) identified in the Polooma account. It applies whenever the Processor processes Personal Data on behalf of the Controller in connection with the Polooma service.
2. Subject matter and duration
Subject matter: provision of the Polooma platform — appointment booking, client management, communications, and reporting. Duration: for as long as the Polooma subscription is active, plus the deletion period set out in section 8.
3. Categories of data and data subjects
Data subjects: end clients of the Customer's salon (and their staff). Categories of personal data: contact data (name, email, phone), demographic data (age, gender if collected), service history, photos uploaded with consent, payment metadata (no card numbers — handled by Stripe/Adyen), notes voluntarily entered by salon staff. Special categories (Art. 9 GDPR), such as health-related notes, may be processed only when the Controller has obtained explicit consent.
4. Processor obligations
The Processor will: (a) process Personal Data only on documented instructions from the Controller, including with regard to transfers to a third country; (b) ensure persons authorized to process the data are bound by confidentiality; (c) implement appropriate technical and organizational measures (Art. 32 GDPR) — see Annex A; (d) assist the Controller in responding to data subject requests; (e) assist with breach notification, DPIAs, and consultations with supervisory authorities; (f) delete or return Personal Data at the end of the agreement (Controller's choice); and (g) immediately inform the Controller if, in the Processor's opinion, an instruction infringes the GDPR or other applicable data protection law (Art. 28(3) GDPR).
5. Sub-processors
The Controller gives general authorization for the Processor to engage sub-processors. The current list is published and maintained at polooma.com/legal/sub-processors (added once production launches). The Controller will be notified at least 30 days before a new sub-processor is added and may object on reasonable grounds. The Processor imposes on each sub-processor, by written contract, the same data protection obligations as set out in this DPA and remains fully liable to the Controller for the sub-processor's performance of those obligations (Art. 28(4) GDPR).
6. International transfers
All processing takes place within the EU/EEA. If a transfer outside the EU/EEA becomes necessary, the Processor will rely on a transfer mechanism permitted under Chapter V GDPR, normally the EU Standard Contractual Clauses (SCCs) together with a transfer impact assessment and any supplementary measures required, and will inform the Controller in advance.
7. Security measures
See Annex A. The measures include encryption at rest and in transit, role-based access control (RBAC), audit logging, MFA (mandatory for administrative accounts), regular vulnerability scanning, annual penetration testing, EU-only data residency, and 30-day backup retention.
8. Return and deletion
On termination of the Polooma subscription, the Processor will, at the Controller's choice: (a) return all Personal Data in a machine-readable format (JSON or CSV) and then delete the remaining copies; or (b) delete it. Deletion is completed within 30 days of termination, except where retention is required by applicable law (in which case the Controller is notified). Backups are not selectively edited: backups containing Personal Data expire under the 30-day backup retention cycle in Annex A, so they are deleted no later than 30 days after the first backup rotation following termination.
9. Audit rights
The Controller may audit the Processor's compliance with this DPA — once per year, with 30 days' notice, during business hours, and not in a way that disrupts the Processor's operations. The Processor may satisfy this obligation by providing the Controller with the most recent SOC 2 / ISO 27001 audit report.
10. Liability
Liability under this DPA is governed by the Terms of Service. The Processor is liable for damages caused by processing only where it has not complied with GDPR obligations specifically directed to processors, or where it has acted outside or contrary to lawful instructions of the Controller.
11. Governing law
This DPA is governed by the laws of the EU member state where the Processor is established. Disputes follow the dispute resolution clause of the Terms of Service.
Annex A — Technical and organizational measures
Encryption: TLS 1.3 in transit, AES-256 at rest.
Access control: RBAC on a need-to-know basis; MFA mandatory for all administrator accounts.
Logging: append-only audit log retained for 7 years.
Backups: every 6 hours, 30-day retention, stored within the EU/EEA.
Penetration testing: annually by an independent firm, in addition to regular vulnerability scanning.
Staff: GDPR-trained, signed confidentiality agreements, access on a need-to-know basis.
Incident response: documented procedure; the Controller is notified of a personal data breach without undue delay after the Processor becomes aware of it (Art. 33(2) GDPR) and in any event within 72 hours, so that the Controller can meet its own 72-hour notification deadline to the supervisory authority (Art. 33(1) GDPR).