Data Processing Agreement (Art. 28 GDPR)
Last updated: 5 May 2026. This Data Processing Agreement ("DPA") implements the obligations under Art. 28 GDPR. It is concluded between the business customer ("controller") and Studio Apps Sp. z o.o. ("processor") upon entering into the hosting agreement for a booking website or comparable services where third-party personal data is processed.
§ 1 Subject and duration
(1) Subject: processing of personal data the controller entrusts to the processor within the agreed hosting services — particularly booking inquiries received via the customer website's form.
(2) Duration: tied to the main contract. Ends automatically with termination of hosting.
§ 2 Nature and purpose
Operation of the booking website, receipt and storage of booking inquiries, sending of confirmation and notification emails to controller and end-users, security monitoring (anti-spam/bot).
§ 3 Data categories and data subjects
Categories of personal data: first/last name, email, phone (if provided), desired booking date/period, party size, message, technical metadata (IP, user-agent, timestamp).
Categories of data subjects: end-users (guests/interested parties) of the controller's booking website.
§ 4 Obligations of the processor
(1) Processing only on documented instructions of the controller.
(2) Confidentiality of staff (statutory or contractual).
(3) Appropriate technical and organisational measures (TOMs) per Art. 32 GDPR; see Schedule 1.
(4) Assistance with data subject rights (Art. 12-22 GDPR) and data protection impact assessments (Art. 35 et seq. GDPR).
(5) Notification of personal data breach to the controller without undue delay, no later than 48 hours after becoming aware (so the controller can meet the 72h Art. 33 deadline).
(6) On termination: deletion or return of all personal data, at controller's choice.
(7) Provision of all information necessary to demonstrate Art. 28 compliance.
§ 5 Sub-processors
(1) The controller agrees to the use of the sub-processors listed in Schedule 2 (general authorisation under Art. 28(2) sentence 1 GDPR).
(2) Intended additions or replacements: 30-day prior notice by email. Controller may object on legitimate grounds within 14 days; on legitimate objection either party may terminate the contract on reasonable notice.
(3) Sub-processor agreements impose the same data protection level as this DPA.
§ 6 International transfers
Transfers to third countries (in particular the USA) only on the basis of EU Standard Contractual Clauses per Implementing Decision 2021/914 (Module 3 — processor to sub-processor) and supplementary measures, plus — where applicable — the Adequacy Decision 2023/1795 (EU-US DPF).
§ 7 Audit rights
(1) Compliance demonstrated by current certifications (e.g. sub-processor ISO 27001) and written TOM descriptions made available on request.
(2) On-site audits: with at least 30 days' prior notice, during business hours, proportionate to the issue. The processor charges a reasonable fee, except for audits triggered by concrete breach indications.
§ 8 Liability
Liability provisions of the main contract apply (§ 15 T&C). Externally, liability vis-à-vis data subjects follows Art. 82 GDPR.
§ 9 Final provisions
(1) In conflict with the main contract, this DPA prevails on data protection.
(2) Severability.
Schedule 1 — Technical and Organisational Measures
- Confidentiality: row-level security (RLS) on the database; strong-password authentication and MFA where available; need-to-know access; admin audit logs.
- Integrity: TLS 1.2+ on all public endpoints; encrypted DB connections; backup integrity checks.
- Availability: daily automatic backups (7-day point-in-time recovery, PITR); high-availability providers (Vercel, Supabase); 99.5% availability target.
- Resilience: edge CDN (Cloudflare), API rate limiting, web application firewall (WAF).
- Encryption: at rest (Supabase storage encryption); in transit (TLS).
- Pseudonymisation: random UUIDs preferred over meaningful or sequential identifiers; admin identities kept separate.
- Review cycle: quarterly security reviews; annual TOM update; automated dependency updates.
- Separation: logical tenant separation; separate prod/dev environments.
Schedule 2 — Approved sub-processors
| Sub-processor | Seat / data location | Purpose | Transfer instrument |
|---|---|---|---|
| Vercel Inc. | USA / EU edge | Hosting, edge compute | EU SCCs + DPF |
| Supabase Inc. | EU (Frankfurt) | Database, auth, storage | EU SCCs for US parent |
| Resend Inc. | USA | Transactional emails | EU SCCs + DPF |
| Cloudflare Inc. | USA / EU edge | DNS, CDN, DDoS | EU SCCs |
