Data Processing Agreement

Last updated: May 11, 2026

1. Introduction and Definitions

This Data Processing Agreement ("DPA") forms part of the agreement between Day Spa Data LLC ("Processor," "we," "us") and the entity subscribing to the Day Spa Data platform ("Controller," "you," "your") for the provision of analytics services (the "Service").

This DPA reflects the parties' agreement regarding the processing of personal data in accordance with the requirements of applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the California Privacy Rights Act (CPRA).

Key definitions used in this DPA:

  • Controller: The entity that determines the purposes and means of processing personal data (you, the subscriber)
  • Processor: The entity that processes personal data on behalf of the Controller (Day Spa Data LLC)
  • Data Subject: An identified or identifiable natural person whose personal data is processed
  • Personal Data: Any information relating to a Data Subject as defined under applicable data protection law
  • Sub-processor: A third party engaged by the Processor to process personal data on behalf of the Controller
  • Processing: Any operation performed on personal data, including collection, storage, use, disclosure, and deletion

2. Scope and Purpose of Processing

The Processor processes personal data solely for the purpose of providing the Service as described in the Terms of Service and Subscription Agreement. This includes:

  • Extracting operational data from the Controller's spa management software via its CDC API
  • Transforming, storing, and warehousing data in Google Cloud Platform (BigQuery)
  • Providing analytics dashboards and reports via the web application
  • User authentication and role-based access control
  • Customer support and service communications
  • AI-powered analytics via Anthropic's API (AI Data Analyst feature)

The Processor shall not process personal data for any purpose other than as instructed by the Controller or as required by applicable law.

3. Types of Personal Data Processed

The following categories of personal data are processed through the Service:

Dashboard user data:

  • Name, email address, role, and location assignments
  • Login timestamps, IP addresses, and user agent strings (for security audit logging)
  • Dashboard usage and preference data

Spa client data (extracted from spa management software):

  • Client names and contact information (email, phone)
  • Visit history, appointment records, and services received
  • Purchase history and gift card transactions

Employee data (extracted from spa management software):

  • Employee names and identifiers
  • Schedule and time clock records
  • Performance metrics (services performed, revenue generated)

4. Data Subject Categories

The following categories of Data Subjects are affected by the processing:

  • Dashboard users: Franchise owners, managers, and employees who access the analytics platform
  • Spa clients: End customers of the Controller's spa locations whose data is extracted from the Controller's spa management software for analytics
  • Spa employees: Staff members of the Controller's spa locations whose scheduling and performance data is processed

5. Processing Obligations

The Processor shall:

  • Process personal data only on documented instructions from the Controller, unless required by applicable law
  • Ensure that persons authorized to process personal data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures as described in Section 6
  • Assist the Controller in responding to Data Subject requests (see Section 8)
  • Assist the Controller in ensuring compliance with data breach notification obligations (see Section 9)
  • Delete or return all personal data upon termination of the Service, subject to Section 10
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA

6. Security Measures

The Processor implements the following technical and organizational measures to protect personal data:

  • Encryption in transit: TLS 1.2 or higher for all data transmission
  • Encryption at rest: AES-256 encryption via Google Cloud's default encryption
  • Multi-tenant isolation: Each location's raw data is stored in a separate BigQuery dataset, preventing cross-tenant access at the database level
  • Role-based access control: Dashboard permissions restrict data visibility based on user role and location assignments
  • Server-side authentication: httpOnly session cookies; business data is never exposed to client-side JavaScript
  • Credential management: API keys and secrets stored in Google Cloud Secret Manager
  • Audit logging: Authentication events and administrative actions are logged
  • Access controls: Production infrastructure access is restricted to authorized personnel

7. Sub-processors

The Controller authorizes the Processor to engage the following sub-processors. The Processor will notify the Controller at least 30 days before adding or replacing a sub-processor, giving the Controller the opportunity to object.

Sub-processor | Purpose | Location
Google Cloud Platform | Data warehouse (BigQuery), compute (Cloud Run), scheduling, secret management | US (us-east1)
Supabase | User authentication and metadata storage | US
Vercel | Web application hosting and content delivery | US
Resend | Transactional email delivery | US
Controller's spa management software vendor | Source spa management platform (API access) | US
Sentry | Error monitoring and performance tracking | US
PostHog | Product analytics (when enabled) | US
Stripe | Subscription billing and payment processing | US
Anthropic | AI language model processing (AI Data Analyst) | Global (US-primary)

Each sub-processor is contractually bound to data protection obligations no less protective than those set out in this DPA. The Processor remains liable for the acts and omissions of its sub-processors.

8. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests to exercise their rights under applicable data protection law, including rights of access, rectification, erasure, restriction, portability, and objection.

If the Processor receives a request directly from a Data Subject, the Processor shall promptly notify the Controller and shall not respond to the request without the Controller's instructions, unless required by applicable law.

The Processor shall provide reasonable technical and organizational assistance to enable the Controller to respond to Data Subject requests within the timeframes required by applicable law.

9. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach. The notification shall include:

  • A description of the nature of the breach, including the categories and approximate number of Data Subjects and records affected
  • The name and contact details of the Processor's point of contact for further information
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach and mitigate its effects

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

10. Data Deletion and Return

Upon termination of the Service, the Controller has a 90-day window to request an export of all personal data in a standard machine-readable format (CSV or JSON).

After the 90-day export window, the Processor shall permanently and irreversibly delete all personal data from its systems, including backups, unless retention is required by applicable law. The Processor shall certify deletion in writing upon the Controller's request.

Usage logs and security audit data may be retained for up to 12 months after termination for security monitoring purposes, after which they are automatically purged.

11. Audit Rights

The Controller has the right to audit the Processor's compliance with this DPA. The Processor shall make available all information reasonably necessary to demonstrate compliance and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

Audits shall be conducted with reasonable prior notice (at least 30 days), during normal business hours, and in a manner that does not unreasonably disrupt the Processor's operations. The Controller shall bear the costs of any audit it initiates.

12. International Transfers

The Processor's primary data center is located in the Google Cloud us-east1 region (United States), and the vast majority of personal data is processed and stored within the United States. Certain sub-processors (e.g., the AI language model provider used for the AI Data Analyst) may process queries on globally distributed infrastructure. Sub-processor processing locations are listed in Section 7.

If the Controller is located outside the United States, or if Data Subjects are located in the European Economic Area (EEA), the parties agree that this DPA, together with the Standard Contractual Clauses (where applicable), provides appropriate safeguards for the transfer of personal data.

The Processor shall not transfer personal data to any country outside the United States without the Controller's prior written consent and appropriate safeguards under applicable law.

13. Term and Termination

This DPA shall remain in effect for the duration of the Controller's subscription to the Service and shall automatically terminate when all personal data has been deleted or returned in accordance with Section 10.

The obligations of the Processor regarding data protection and confidentiality shall survive termination of this DPA.

14. Contact

For questions about this Data Processing Agreement or to exercise any rights described herein, contact us at:

Day Spa Data LLC
Email: legal@dayspadata.com