Data processing agreement (DPA)

Agreement between the customer (data controller) and Appointrdy (data processor) under GDPR Art. 28.

Last updated: May 11, 2026

1. Parties

This agreement is entered into between the Customer ("Data Controller") and Appointrdy ("Data Processor"), hello@appointrdy.com. It takes effect when the subscription is created and forms an integral part of the terms.

2. Purpose and scope

Appointrdy processes personal data on behalf of the Customer in order to deliver the Appointrdy service. The processing covers the data the Customer uploads about employees, end-customers, jobs, photos, vehicles and documents.

3. Nature of processing

  • Type of personal data: ordinary personal data (name, contact information, address, photos, time entries, location data).
  • Categories of data subjects: the Customer's employees, the Customer's end-customers.
  • Processing activities: storage, display, organisation, deletion, export.

4. Obligations of the Data Processor

  • Processes data only on the Customer's documented instructions.
  • Ensures confidentiality for all persons with access to data.
  • Implements appropriate technical and organisational security measures.
  • Assists the Customer with data subject rights and supervisory authority requests.
  • Notifies the Customer without undue delay in the event of a security breach.

5. Sub-processors

The Customer grants general prior authorisation to the following sub-processors:

  • Supabase — database and file storage (EU)
  • Cloudflare — operations and DDoS protection
  • Stripe — payment processing
  • Resend — transactional email

Changes to the list will be notified with 30 days' notice, and the Customer may cancel the subscription if a change cannot be accepted.

6. Transfers to third countries

Data is processed primarily in the EU. Any transfers outside the EU/EEA happen on the basis of the EU Commission's Standard Contractual Clauses (SCCs).

7. Security measures

  • Encryption in transit (TLS 1.2+) and at rest
  • Role-based access control (RBAC) in the application
  • Daily backups with limited retention
  • System access logging
  • Principle of least privilege for Appointrdy staff

8. Assistance to the Customer

Appointrdy assists the Customer in answering data subject requests, performing impact assessments (DPIA) and responding to enquiries from supervisory authorities.

9. Deletion and return

Upon termination of the agreement, Appointrdy deletes or returns all data at the Customer's choice, no later than 90 days after cancellation, unless the law requires longer retention.

10. Audit

Appointrdy makes the necessary documentation available to the Customer to demonstrate compliance with GDPR Art. 28. Audits may be agreed with reasonable notice.

11. Liability

Each party is liable for its own GDPR violations. Further limitations of liability are set out in the terms.

Questions? Email hello@appointrdy.com.