
Data Processing Addendum

Last updated: May 10, 2026

This Data Processing Addendum ("DPA") forms part of the agreement between SalonPay, Inc. ("SalonPay", "Processor") and the salon, agency, or organization ("Customer", "Controller") that uses the SalonPay service (the "Service"). It governs the processing of personal data that SalonPay performs on Customer's behalf in connection with the Service.

1. Roles of the parties

Customer is the controller of the personal data its team uploads or generates in the Service, including data about its end customers (clients of the salon). Where Customer is itself acting as a processor for another party (for example, when a salon stores customer records on behalf of a parent organization), SalonPay acts as a sub-processor. SalonPay processes personal data only on documented instructions from Customer, including those expressed through the configuration and use of the Service.

2. Scope and purpose of processing

Subject matter: Provision of the SalonPay multi-tenant SaaS platform.
Duration: For the term of the underlying agreement, plus the retention windows in section 10.
Nature and purpose: Storage, retrieval, organization, transmission, and analysis of salon operational data so Customer can manage appointments, payments, marketing, and team operations.
Data subjects: Customer's employees and contractors (stylists, managers, front desk staff) and Customer's end customers (salon clients).
Categories of data: Identification (name, email, phone), professional details (role, schedule, commission), appointment history, service notes, payment metadata, communication logs, IP address, device and usage telemetry.
Special categories: SalonPay does not require the input of special-category data. Customer is responsible for any decision to enter such data into free-text fields.

3. Customer obligations

Customer warrants that it has obtained the lawful basis (including any required consents and notices) for the personal data it provides to SalonPay and for the processing instructions it gives. Customer is responsible for the accuracy, quality, and legality of personal data it submits, and for the configuration of access controls, retention, and deletion within the Service.

4. Security measures

SalonPay maintains technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Current measures include:

  • Encryption at rest: Application-layer AES-256-GCM encryption of all third-party OAuth tokens and other secrets stored in our database. All other database content is encrypted at the disk layer by our infrastructure provider.
  • Encryption in transit: TLS 1.2 or higher for all client and server communications, with HSTS enabled and modern cipher suites.
  • Tenant isolation: Postgres row-level security policies on every tenant-scoped table. RLS is enforced at the database engine, not at the application layer.
  • Access control: Least-privilege role-based access for SalonPay personnel, hardware-backed multi-factor authentication, and quarterly access reviews.
  • Audit logging: Application audit logs for administrative and security-relevant events; logs are retained at least one year.
  • Backups: Daily automated database backups with documented point-in-time recovery and quarterly restore drills.
  • Vulnerability management: Dependency scanning, automated security advisories, and a coordinated disclosure program at security@salonpay.io.
  • Personnel: Background checks where lawful, written confidentiality obligations, and annual security training.

5. Sub-processors

Customer authorizes SalonPay to engage the sub-processors listed below to assist with the processing of personal data. SalonPay remains responsible for the acts and omissions of its sub-processors as if they were its own.

Sub-processor (region): function

  • Supabase (United States): managed Postgres database, authentication, file storage
  • Vercel (United States and global edge): application hosting, edge network, build infrastructure
  • Resend (United States): transactional and notification email delivery
  • Twilio (United States): SMS delivery for booking reminders and notifications
  • Square (United States): card processing and merchant onboarding via OAuth
  • Inngest (United States): background workflow execution and scheduled jobs
  • Sentry (United States): error and performance monitoring
  • Stripe (United States): SalonPay subscription billing

SalonPay will give Customer at least thirty days' written notice (by email or in-product notice) before adding or replacing a sub-processor. Customer may object on reasonable data protection grounds, in which case the parties will work in good faith to resolve the concern; if no resolution is reached, Customer may terminate the affected portion of the Service without penalty.

6. International transfers

Where personal data of EEA, UK, or Swiss data subjects is transferred to the United States or another country without an adequacy decision, the parties rely on the EU Standard Contractual Clauses (Module Two: Controller to Processor) and the UK International Data Transfer Addendum, which are incorporated into this DPA by reference. Supplementary technical measures include encryption in transit and at rest as described in section 4.

7. Data subject rights and assistance

SalonPay will, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures in fulfilling Customer's obligation to respond to data subject requests for access, rectification, erasure, restriction, portability, and objection. Where SalonPay receives a request directly from a data subject, it will refer the request to Customer without responding substantively.

8. Breach notification

SalonPay will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a personal data breach affecting Customer's personal data. Notification will include, to the extent known: a description of the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate possible adverse effects. SalonPay will continue to update Customer as additional information becomes available.

9. Audit rights

Customer may, on reasonable advance written notice and no more than once per twelve months (or more frequently when reasonably required following a confirmed breach), request information necessary to verify SalonPay's compliance with this DPA. SalonPay will respond by providing relevant security documentation, third-party audit reports (such as SOC 2 Type II when available), and written responses to a reasonable security questionnaire. On-site audits will be considered only where the documentary process is insufficient and will be subject to mutually agreed scope, timing, confidentiality, and reimbursement of reasonable costs.

10. Return and deletion

On termination of the Service, Customer may export personal data through the in-product export tools for ninety days. After that period, SalonPay will delete the personal data from active systems within thirty days and from backups within a further ninety days, except where retention is required by applicable law. On Customer's written request and at Customer's expense, SalonPay will provide written confirmation of deletion.

11. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the underlying SalonPay Terms of Service. Nothing in this DPA is intended to alter the allocation of liability between the parties under applicable data protection law.

12. Conflict and order of precedence

In the event of any conflict between this DPA and the Terms of Service, this DPA prevails with respect to the processing of personal data. In the event of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses prevail.

13. Termination

This DPA terminates automatically on termination of the underlying agreement. The obligations regarding confidentiality, security, and return or deletion of personal data survive termination.

14. Governing law

This DPA is governed by the laws of the State of Delaware, except that the Standard Contractual Clauses are governed by the law specified in those clauses.

15. Contact

Notices under this DPA, including breach notifications and sub-processor objections, may be sent to privacy@salonpay.io with a copy to legal@salonpay.io.
