Data Processing Agreement

Last updated: December 2025

This is a GDPR-required legal contract (Article 28) between Primer (processor) and salons (data controllers). Acceptance happens during WhatsApp onboarding in the dashboard.

1. Definitions

The following terms have the meanings set forth below:

  • Personal Data: Any information relating to an identified or identifiable natural person (salon customers)
  • Processing: Any operation performed on personal data (collection, storage, transmission, deletion)
  • Data Controller: The salon - determines purposes and means of processing customer data
  • Data Processor: Primer (WISE PEOPLE SRL) - processes data on behalf of the salon
  • Data Subject: The salon's customers whose data is processed
  • Subprocessor: Third parties engaged by Primer to process data (Twilio, Meta, etc.)
  • GDPR: General Data Protection Regulation (EU) 2016/679
  • SCCs: Standard Contractual Clauses approved by the European Commission
  • Personal Data Breach: Security incident leading to unauthorized access, destruction, loss, or disclosure of personal data

2. Subject Matter and Duration

Subject Matter

This DPA governs the processing of personal data by Primer on behalf of the Salon for the purpose of providing WhatsApp Business messaging services through the Primer platform.

Duration

This DPA remains in effect for the duration of the salon's subscription to Primer's WhatsApp messaging services. Data retention obligations survive termination.

Nature of Processing

  • Collection of customer phone numbers and consent records
  • Transmission of messages via WhatsApp Business API
  • Storage of message logs and delivery status
  • Processing of opt-in/opt-out requests

3. Types of Personal Data Processed

Data Category | Examples | Retention
Contact Information | Phone numbers, names | Duration of relationship + 30 days
Appointment Data | Service booked, date/time, staff member | 2 years
Message Content | Confirmation texts, reminders | 90 days
Message Metadata | Delivery status, read receipts, timestamps | 90 days
Consent Records | Opt-in timestamp, source, consent text | 5 years (legal requirement)
Opt-Out Records | Opt-out timestamp, method | Indefinitely

4. Categories of Data Subjects

  • Customers of the Salon who have provided their phone number
  • Customers who have consented to receive WhatsApp messages
  • Individuals who interact with the Salon's WhatsApp Business number

5. Processor Obligations (Primer's Commitments)

Primer shall:

5.1 Lawful Processing

  • Process personal data only on documented instructions from the Salon
  • Process data only for the purposes specified in this DPA
  • Inform the Salon if any instruction infringes GDPR

5.2 Confidentiality

  • Ensure all personnel processing data are bound by confidentiality obligations
  • Limit access to personal data to those who need it for service delivery

5.3 Security Measures

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Access controls and authentication
  • Regular security testing and audits
  • Secure data centers (Microsoft Azure, EU region)
  • Logging and monitoring of data access
  • Employee security training

5.4 Subprocessor Management

  • Obtain Salon's consent before engaging new subprocessors
  • Ensure subprocessors are bound by equivalent data protection obligations
  • Remain liable for subprocessor compliance
  • Maintain and provide list of current subprocessors

5.5 Data Subject Rights Assistance

  • Assist Salon in responding to data subject requests (access, rectification, erasure, portability)
  • Provide data export functionality
  • Execute deletion requests within 30 days
  • Notify Salon of any direct requests from data subjects

5.6 Data Breach Notification

  • Notify Salon within 48 hours of becoming aware of a personal data breach
  • Provide details of the breach including nature, categories affected, likely consequences, and measures taken
  • Assist Salon in meeting their breach notification obligations to supervisory authorities

5.7 Data Protection Impact Assessments

  • Assist Salon with DPIAs where required
  • Provide necessary information about processing activities

5.8 Audit Rights

  • Allow Salon to conduct audits of compliance with this DPA
  • Provide relevant documentation upon request
  • Cooperate with supervisory authority inspections

5.9 Data Deletion

  • Upon termination, delete or return all personal data within 30 days
  • Provide written confirmation of deletion
  • Exception: Retain data required by law (consent records, financial records)

6. Controller Obligations (Salon's Responsibilities)

The Salon shall:

6.1 Lawful Basis

  • Ensure valid legal basis for processing (consent for marketing, legitimate interest/contract for transactional)
  • Obtain proper opt-in consent before sending WhatsApp messages
  • Maintain records of consent

6.2 Data Accuracy

  • Ensure customer data provided to Primer is accurate and up-to-date
  • Promptly update or correct inaccurate data

6.3 Data Subject Information

  • Inform customers about processing through privacy notices
  • Provide information about their rights

6.4 Instructions

  • Provide lawful processing instructions
  • Not instruct Primer to process data unlawfully

6.5 Compliance

  • Comply with GDPR and applicable local data protection laws
  • Respond to data subject requests within legal timeframes
  • Report breaches to supervisory authorities when required

7. Subprocessors

By accepting this DPA, the Salon authorizes Primer to use the following subprocessors:

7.1 Authorized Subprocessors

Subprocessor | Location | Purpose | Safeguards
Twilio Inc. | USA | WhatsApp Business API provider, message transmission | SCCs, DPA
Meta Platforms Ireland Limited | Ireland/USA | WhatsApp messaging infrastructure | SCCs, EU-US DPF
Microsoft Azure | EU (primary), USA | Cloud hosting, data storage | SCCs, EU residency
Neon Inc. | USA | Database hosting | SCCs, encryption
Stripe Inc. | USA | Payment processing | SCCs, PCI-DSS

7.2 New Subprocessors

  • Primer will notify Salon at least 30 days before engaging new subprocessors
  • Salon may object within 14 days with reasonable grounds
  • If objection cannot be resolved, Salon may terminate WhatsApp services

7.3 Subprocessor Compliance

  • All subprocessors are bound by written agreements with equivalent protections
  • Primer remains fully liable for subprocessor compliance

8. International Data Transfers

8.1 Primary Data Location

Personal data is primarily stored in European Union data centers (Microsoft Azure EU regions).

8.2 Transfers Outside EU/EEA

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • EU-US Data Privacy Framework certification (where applicable)
  • Supplementary technical measures (encryption, pseudonymization)

8.3 Transfer Impact Assessments

Primer has conducted transfer impact assessments for all international transfers and determined that adequate protections are in place.

9. Security Measures

9.1 Technical Measures

  • Encryption: TLS 1.2+ in transit, AES-256 at rest
  • Access Control: Role-based access, multi-factor authentication
  • Network Security: Firewalls, intrusion detection, DDoS protection
  • Data Isolation: Logical separation of salon data
  • Backup: Regular encrypted backups with tested recovery procedures

9.2 Organizational Measures

  • Security policies and procedures
  • Employee background checks and confidentiality agreements
  • Regular security training
  • Incident response procedures
  • Vendor security assessments

9.3 WhatsApp-Specific Security

  • End-to-end encryption provided by WhatsApp between the customer's device and the WhatsApp Business API endpoint; message content is necessarily available in plaintext to Primer and its messaging subprocessors (Twilio, Meta) in order to deliver and log it, and is protected there by the measures in Section 9.1
  • Secure API authentication with Twilio
  • Message content not stored beyond retention period
  • Audit logging of all message activity

10. Data Subject Rights

10.1 Supported Rights

  • Right of Access: Export customer data via dashboard
  • Right to Rectification: Update customer information
  • Right to Erasure: Delete customer data and message history
  • Right to Restriction: Pause messaging for specific customers
  • Right to Portability: Export data in machine-readable format
  • Right to Object: Process opt-out requests

10.2 Response Timeline

  • Primer will respond to Salon requests within 5 business days
  • This allows the Salon to meet the one-month GDPR response deadline (Article 12(3))

10.3 Direct Requests

  • Redirect data subjects to the relevant Salon
  • Notify the Salon of the request
  • Not respond directly without Salon authorization

11. Data Breach Procedures

11.1 Detection

Primer monitors for and investigates:

  • Unauthorized access attempts
  • Unusual data access patterns
  • System intrusions
  • Data exfiltration attempts

11.2 Notification

  • Initial notification to Salon within 48 hours
  • Detailed report within 72 hours including description, data categories affected, approximate number of records, likely consequences, and remediation measures

11.3 Cooperation

  • Cooperate with Salon's breach investigation
  • Assist with notifications to supervisory authorities and data subjects
  • Implement additional safeguards as needed
  • Provide post-incident report

12. Audit and Compliance

12.1 Documentation

Primer maintains documentation of:

  • Categories of processing
  • Data transfers
  • Security measures
  • Subprocessor agreements

12.2 Audit Rights

  • Request compliance documentation annually
  • Conduct remote audits with 30 days notice
  • Conduct on-site audits with 60 days notice (at Salon's expense)
  • Use qualified third-party auditors (bound by confidentiality)

12.3 Certifications

Primer will provide copies of relevant certifications and audit reports upon request.

13. Liability and Indemnification

13.1 Primer Liability

Primer is liable for damage caused where it:

  • Violates GDPR processor obligations
  • Violates this DPA
  • Acts outside or contrary to Salon's lawful instructions

13.2 Salon Liability

The Salon is liable for damage arising from:

  • Unlawful processing instructions
  • Failure to obtain proper consent
  • Violation of GDPR controller obligations
  • Providing inaccurate data

13.3 Limitation

Total liability under this DPA is limited to the fees paid by Salon for WhatsApp services in the 12 months preceding the claim, except for intentional misconduct, gross negligence, or claims by data subjects or supervisory authorities.

14. Term and Termination

14.1 Term

This DPA is effective when Salon enables WhatsApp services and continues until services are terminated.

14.2 Termination Effects

  • Primer stops processing within 24 hours
  • Data deletion within 30 days
  • Consent records retained for 5 years (legal requirement)
  • Written confirmation of deletion provided

14.3 Survival

  • Confidentiality obligations
  • Data retention requirements
  • Liability provisions
  • Audit rights (for 2 years post-termination)

15. General Provisions

15.1 Governing Law

This DPA is governed by Romanian law and GDPR. Disputes shall be resolved in the courts of Cluj-Napoca, Romania.

15.2 Amendments

This DPA may be amended for:

  • Updates required by law or regulatory guidance
  • Addition of subprocessors (per Section 7.2)
  • Updates to security measures (improvements only)

15.3 Conflict

In case of conflict between this DPA and the main Terms of Service, this DPA prevails for data protection matters.

15.4 Severability

If any provision is found invalid, remaining provisions continue in effect.

16. Contact Information

For questions about this agreement:

Data Protection Contact

WISE PEOPLE SRL

Data Protection Officer: Mihaila Claudiu

Email: dpo@primer.tech

Calea Turzii 188 L, Et. 2, Ap. 13

Cluj-Napoca, Cluj, 400495, Romania

For Data Subject Requests: privacy@primer.tech

For Security Incidents: security@primer.tech

Phone (24/7 for emergencies): +40 750 486 944