Data Processing Agreement
GDPR Article 28 terms for processing personal data on behalf of our business customers
Last updated: July 2026
Template — not legal advice. This Data Processing Agreement is a draft template published for transparency. It is not a substitute for legal advice and has not been reviewed by counsel. Before relying on or executing a DPA, have it reviewed and adapted by a qualified data-protection lawyer for your jurisdiction and circumstances. To request a countersigned DPA, contact us via the details in section 12.
1. Parties & scope
This Data Processing Agreement (“DPA”) forms part of the agreement between Inkspot (the “Processor”) and a business customer using the platform to offer their services (the “Controller”), and governs the Processor’s processing of personal data on the Controller’s behalf under Article 28 of the EU General Data Protection Regulation (“GDPR”).
Where Inkspot determines the purposes and means of processing (for example, operating the marketplace and our own accounts), Inkspot acts as an independent controller and our Privacy Policy applies instead of this DPA.
2. Definitions
“Personal data”, “processing”, “controller”, “processor”, “sub-processor”, “data subject” and “supervisory authority” have the meanings given in the GDPR. “Data Protection Laws” means the GDPR and all applicable laws relating to the processing of personal data and privacy.
3. Subject-matter, duration, nature & purpose
- Subject-matter: processing of personal data necessary to provide the Inkspot platform and services to the Controller.
- Duration: for the term of the underlying agreement and until deletion or return of the data as described in section 9.
- Nature & purpose: hosting, storage, transmission and related processing to enable bookings, messaging, payments, and account management between the Controller and their clients.
4. Types of data & categories of data subjects
- Categories of data subjects:the Controller’s clients and prospective clients, and the Controller’s own personnel who use the platform.
- Types of personal data: identity and contact details, account credentials, booking and appointment details, messages, and payment-related metadata. Special-category data should not be submitted to the platform except where strictly necessary and lawful.
5. Obligations of the Processor
The Processor shall:
- process personal data only on the Controller’s documented instructions, including for transfers, unless required to do otherwise by law;
- ensure persons authorised to process the data are bound by confidentiality (section 6);
- implement appropriate technical and organisational measures (section 7);
- respect the conditions for engaging sub-processors (section 8) and assist the Controller with data-subject requests and compliance obligations (sections 10–11);
- make available information necessary to demonstrate compliance and allow for audits (section 11).
6. Confidentiality
The Processor ensures that any person acting under its authority who has access to personal data processes it only on the Controller’s instructions and is subject to an appropriate duty of confidentiality.
7. Security measures (Art. 32)
Taking into account the state of the art and the risks of processing, the Processor maintains appropriate measures including encryption of data in transit, access controls and authentication, network and application security, logging and monitoring, and regular review of its security posture. Payment card data is handled by our PCI-DSS compliant payment provider and is not stored by Inkspot.
8. Sub-processors
The Controller authorises the Processor to engage the sub-processors below to deliver the service. We impose data-protection obligations on each that are no less protective than this DPA, and we will inform the Controller of intended changes so they may object.
- Supabase — database, storage and hosting infrastructure (EU region).
- Stripe — payment processing and marketplace payouts.
- Resend — transactional email delivery.
- Vercel — application hosting and content delivery.
- Google — analytics (where enabled) and sign-in.
- Apple — sign-in.
9. Assistance, return & deletion
The Processor assists the Controller, by appropriate technical and organisational measures, in responding to data-subject requests (access, rectification, erasure, restriction, portability, objection). On termination of the services, the Processor will, at the Controller’s choice, delete or return the personal data and delete existing copies unless retention is required by law.
10. Personal data breaches
The Processor notifies the Controller without undue delay after becoming aware of a personal data breach affecting the Controller’s data, and provides information reasonably necessary for the Controller to meet its own notification obligations.
11. International transfers & audits
Where personal data is transferred outside the EEA, the Processor relies on an appropriate transfer mechanism such as the European Commission’s Standard Contractual Clauses together with any necessary supplementary measures. The Processor makes available information reasonably necessary to demonstrate compliance with this DPA and contributes to audits conducted by the Controller or an appointed auditor, subject to reasonable confidentiality and scheduling.
12. Requesting a signed DPA
To request a countersigned Data Processing Agreement or ask questions about data protection, contact us through our Help Center. See also our Privacy Policy and Cookie Policy.
Need a countersigned DPA?
Reach out and our team will arrange a reviewed agreement for your account.
Contact Support