
Data Processing Agreement

How Pepperoni Booking processes personal data on behalf of studios (GDPR Article 28)

About This Agreement

This Data Processing Agreement ("DPA") is entered into between Pepperoni Booking (Processor) and each studio that uses the platform (Controller) in accordance with GDPR Article 28. By creating an account you accept this DPA. This document is in English only — AI-translated legal documents create liability.

Version 1.0 — Effective April 12, 2026
Covers EU/EEA, UK GDPR, and equivalent jurisdictions

Parties

Data Controller

The studio that subscribes to Pepperoni Booking. The Controller determines the purposes and means of processing its clients' personal data.

Data Processor

Pepperoni Booking — processes personal data solely on the Controller's instructions via the platform services. Contact: privacy@pepperonibooking.com

1. Scope and Purpose

This DPA applies to the processing of personal data by Pepperoni Booking on behalf of the Studio in connection with the platform services for the duration of the subscription agreement.

Data processed: Studio client names, email addresses, phone numbers, booking history, subscription records, health intake form data, and emergency contacts — solely to operate the booking and studio management platform.

2. Processing Instructions

Pepperoni Booking processes personal data only on documented instructions from the Controller (the Studio). The platform provides the tools; the Studio controls who is enrolled, what data is collected, and who has access. If Pepperoni Booking is required by law to process beyond these instructions, it will notify the Studio unless prohibited by law.

3. Confidentiality

All personnel with access to personal data are bound by confidentiality obligations (contractual or statutory). Access is restricted to those who need it to deliver the services. Confidentiality obligations survive termination of this DPA.

4. Security Measures (GDPR Art. 32)

  • Encryption at rest (AES-256) and in transit (TLS 1.3)
  • Role-based access control — studio data is tenant-isolated at the database schema level
  • JWT authentication with short-lived tokens and refresh rotation
  • Automated security scanning and dependency updates (Renovate)
  • Error monitoring with PII scrubbing before capture (Sentry)
  • Infrastructure on Google Cloud Platform (ISO 27001 certified)

5. Sub-processors

The Studio grants general authorisation for the sub-processors listed at pepperonibooking.com/subprocessors. Pepperoni Booking will notify the Studio at least 30 days before engaging a new sub-processor. The Studio may object within that period on legitimate data protection grounds.

All sub-processors are bound by data protection terms at least as protective as this DPA. Pepperoni Booking remains fully liable for sub-processor compliance.

6. Data Subject Rights Assistance

Pepperoni Booking provides tools to assist the Studio in responding to data subject requests (Articles 15–22 GDPR):

  • Export (Art. 15 & 20): Admin dashboard → Settings → Privacy → Export student data
  • Erasure (Art. 17): 30-day grace period with automated execution. Admin or client-initiated.

7. International Data Transfers

Where personal data is transferred outside the EEA or UK, Pepperoni Booking relies on the European Commission's 2021 Standard Contractual Clauses (SCCs) or equivalent UK International Data Transfer Agreements (IDTAs) with each sub-processor. All sub-processors are listed with their transfer safeguard at pepperonibooking.com/subprocessors.

8. Data Return and Deletion at Termination

Within 30 days of termination or account deletion, Pepperoni Booking will, at the Controller's election, either return all personal data in machine-readable JSON format or permanently delete it. Anonymised booking records (no PII) may be retained for business analytics and legal/tax purposes.

9. Audit and Inspection Rights

The Controller may request an audit of Pepperoni Booking's data processing activities up to once per year with 30 days' written notice. Pepperoni Booking will provide documentation, and may satisfy audit obligations by sharing a current SOC 2 Type 2 report or equivalent third-party certification. The Controller bears the cost of any on-site audit.

10. Data Breach Notification

In the event of a personal data breach, Pepperoni Booking will notify the Controller without undue delay and within 48 hours of becoming aware, providing sufficient information to enable the Controller to meet its 72-hour supervisory authority notification obligation under GDPR Article 33.

DPA Updates

Pepperoni Booking uses semantic versioning for this DPA (e.g. v1.0, v1.1, v2.0). Minor updates (clarifications, security improvements) take effect immediately for new signups; studios with existing agreements are notified but not required to re-accept. Major updates (changes to processing scope, purposes, or data transfers) require re-acceptance with a 30-day transition window.

To receive notifications about DPA updates, contact privacy@pepperonibooking.com
