Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the SetSally Terms of Service and applies whenever you (the "Controller") use SetSally to process personal data of your end-customers or staff (the "End-User Data"). It reflects the parties' agreement with respect to the processing of End-User Data in compliance with the requirements of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR, and equivalent laws.

Capitalised terms not defined here have the meaning given in the GDPR.

• Controller: the customer — the business that decides why and how End-User Data is processed.
• Processor: SetSally — processes End-User Data only on the Controller's documented instructions, as set out in this DPA and the Terms.
• Sub-processors: the third parties listed in the Privacy Policy that we engage to process End-User Data on our behalf.

SetSally processes End-User Data for the purpose of providing the SetSally service to the Controller (booking management, work orders, invoicing, communications). The processing runs for as long as your account is active. Upon termination we delete or return End-User Data in line with clause 10.

SetSally processes End-User Data only to provide the Service and as instructed by the Controller through the SetSally interface (creating bookings, sending invoices, generating reminders, etc.). SetSally does not sell End-User Data, does not use it for advertising, and does not train third-party AI models on it.

SetSally does not intentionally process special categories of data (Art. 9 GDPR) such as health, political opinions, or biometric data. If you upload such data, you do so at your own risk and must have a lawful basis under Art. 9(2).

SetSally will process End-User Data only on documented instructions from the Controller, including with regard to international transfers, unless required to do so by EU or member-state law. In that case, SetSally will inform the Controller of the legal requirement before processing, unless that law prohibits such notification.

SetSally ensures that personnel authorised to process End-User Data have committed themselves to confidentiality or are under statutory confidentiality obligation. Access is restricted to staff with a need-to-know (e.g. support engineers helping you troubleshoot).

SetSally implements technical and organisational measures appropriate to the risk, including:

• TLS 1.2+ in transit; AES-256 at rest
• Encryption keys managed by our hosting and database providers
• Role-based access control with least-privilege
• Audit logging of data access
• Annual third-party penetration tests
• Incident response plan with 72-hour breach notification
• Background checks on staff with data access

The full technical and organisational measures list is available on request at dpa@setsally.com.

The Controller authorises SetSally to engage sub-processors, provided that SetSally:

• Notifies the Controller at least 30 days before adding or replacing a sub-processor (by email and an in-app notice)
• Imposes data protection terms no less protective than this DPA on each sub-processor
• Remains fully liable for the acts and omissions of each sub-processor

The current list of sub-processors is published in the Privacy Policy and updated whenever it changes. The Controller may object to a new sub-processor on reasonable data protection grounds within 30 days of notice. If we cannot resolve the objection, the Controller may terminate the affected Service without penalty.

SetSally will, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures to fulfil the Controller's obligation to respond to data subject requests (Art. 12-22 GDPR). Where a data subject contacts us directly, we will forward the request to the Controller unless instructed otherwise.

SetSally will notify the Controller without undue delay, and in any case within 48 hours, of becoming aware of a personal data breach affecting End-User Data. The notification will describe the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address it.

SetSally hosts the Service in the European Union. For any transfer of End-User Data outside the EEA, the UK, or Switzerland, SetSally relies on:

• Adequacy decisions (e.g. the EU-US Data Privacy Framework) where available
• Standard Contractual Clauses (SCCs) adopted by the European Commission, with supplementary technical measures (encryption, access controls)

Copies of relevant SCCs and the supplementary measures are available on request at dpa@setsally.com.

SetSally will provide reasonable assistance to the Controller in conducting a Data Protection Impact Assessment or consulting with a supervisory authority under Art. 35-36 GDPR, where the Controller's request is reasonable and supported by the nature of the processing.

SetSally will make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow audits (including inspections) once per year, on reasonable notice, at the Controller's cost, in a way that does not interfere with SetSally's operations. The Controller may instead accept SetSally's independent audit reports (e.g. SOC 2) where they cover the same scope.

On termination of the Service, SetSally will return End-User Data to the Controller in a structured, commonly used, machine-readable format (JSON export) and delete all End-User Data within 90 days, except where retention is required by law (e.g. tax invoices for 10 years).

Liability under this DPA is governed by the limitation of liability in the Terms of Service, except that nothing limits any liability that cannot be limited under applicable law (e.g. Art. 82 GDPR).

In case of conflict between this DPA and the Terms, this DPA prevails with respect to the processing of personal data.