Data Processing Agreement

Last updated: May 22, 2026

1. Introduction and Definitions

This Data Processing Agreement ("DPA") forms part of the agreement between Day Spa Data LLC ("Processor," "we," "us") and the entity subscribing to the Day Spa Data platform ("Controller," "you," "your") for the provision of analytics services (the "Service").

This DPA reflects the parties' agreement regarding the processing of personal data in accordance with the requirements of applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the California Privacy Rights Act (CPRA). It does not, by itself, govern the handling of Protected Health Information ("PHI") under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"); a separate Business Associate Agreement ("BAA") is required for that purpose (see Section 14).

Key definitions used in this DPA:

  • Controller: The entity that determines the purposes and means of processing personal data (you, the subscriber)
  • Processor: The entity that processes personal data on behalf of the Controller (Day Spa Data LLC)
  • Data Subject: An identified or identifiable natural person whose personal data is processed
  • Personal Data: Any information relating to a Data Subject as defined under applicable data protection law
  • Sub-processor: A third party engaged by the Processor to process personal data on behalf of the Controller
  • Processing: Any operation performed on personal data, including collection, storage, use, disclosure, and deletion
  • PHI: Protected Health Information as defined in 45 CFR § 160.103
  • BAA: A Business Associate Agreement that complies with 45 CFR §§ 164.502(e) and 164.504(e)

2. Scope and Purpose of Processing

The Processor processes personal data solely for the purpose of providing the Service as described in the Terms of Service and Subscription Agreement. This includes:

  • Extracting operational data from the Controller's spa management software via that software's change-data-capture (CDC) API
  • Transforming, storing, and warehousing data in Google Cloud Platform (BigQuery)
  • Providing analytics dashboards and reports via the web application
  • User authentication and role-based access control
  • Customer support and service communications
  • AI-powered analytics via Anthropic's API (AI Data Analyst feature)

The Processor shall not process personal data for any purpose other than as instructed by the Controller or as required by applicable law.

3. Types of Personal Data Processed

The following categories of personal data are processed through the Service:

Dashboard user data:

  • Name, email address, role, and location assignments
  • Login timestamps, IP addresses, and user agent strings (for security audit logging)
  • Dashboard usage and preference data

Spa client data (extracted from spa management software):

  • Client names and contact information (email, phone, postal address)
  • Demographic identifiers (date of birth, gender) as available in the source system
  • Visit history, appointment records, and services received
  • Purchase history and gift card transactions

Employee data (extracted from spa management software):

  • Employee names and identifiers
  • Schedule and time clock records
  • Performance metrics (services performed, revenue generated)

Data categories the Processor does not ingest. The Processor does not extract free-text clinical or treatment notes, intake-form responses, allergy or medical-history fields, photographs, or other categories the Processor identifies as PHI-risk from the Controller's spa management software, even when those fields are available via the source API. The Processor monitors source schemas for newly introduced PHI-risk fields and will refuse to ingest them absent written instruction from the Controller and an executed BAA.

Sensitive categories of personal data within the meaning of GDPR Article 9 or analogous state law (data revealing health, sexual orientation, religion, etc.) are not within the intended scope of the Service. The Controller represents that it has not configured its spa management software to capture such data in fields the Processor ingests. If the Controller wishes to process such data, the parties must execute the BAA referenced in Section 14 (for PHI) or an equivalent supplementary agreement.

4. Data Subject Categories

The following categories of Data Subjects are affected by the processing:

  • Dashboard users: Owners, managers, and employees who access the analytics platform
  • Spa clients: End customers of the Controller's spa locations whose data is extracted from the Controller's spa management software for analytics
  • Spa employees: Staff members of the Controller's spa locations whose scheduling and performance data is processed

5. Processing Obligations

The Processor shall:

  • Process personal data only on documented instructions from the Controller, unless required by applicable law
  • Ensure that persons authorized to process personal data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures as described in Section 6
  • Assist the Controller in responding to Data Subject requests (see Section 8)
  • Assist the Controller in ensuring compliance with data breach notification obligations (see Section 9)
  • Where a BAA is in effect, additionally comply with the safeguards and use-and-disclosure restrictions set forth in 45 CFR Part 164, Subparts C and E, as further specified in the BAA
  • Delete or return all personal data upon termination of the Service, subject to Section 10
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA

6. Security Measures

The Processor implements technical and organizational measures designed to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures include:

  • Encryption in transit: TLS 1.2 or higher for all data transmission, both between the user's browser and the Service and between internal systems
  • Encryption at rest: AES-256 encryption, via Google Cloud's default encryption at rest, for all stored personal data
  • Multi-tenant isolation: Each location's raw source data is stored in a separate BigQuery dataset; tenant isolation is enforced at the application layer (role and location scoping on every authenticated request) and at the BigQuery dataset boundary
  • Role-based access control: Dashboard permissions restrict data visibility based on user role and location assignments. Cross-tenant access controls are validated server-side on every request
  • Server-side session management: session tokens are held in httpOnly cookies and are therefore not readable by client-side JavaScript; raw business data is never exposed to client-side JavaScript
  • Credential management: Production API keys, secrets, and service account credentials are stored in Google Cloud Secret Manager or our hosting provider's encrypted environment store; credentials are not committed to source control
  • Audit logging: Authentication events, administrative actions, permission denials, impersonation start/stop events, and (for accounts subject to a BAA) record-level access events are logged. Audit records are retained for at least six (6) years where HIPAA documentation requirements apply
  • Personnel access controls: Production infrastructure access is restricted to authorized personnel, gated by individual accounts, and reviewed periodically
  • Backup and recovery: Business data is stored in a managed cloud data warehouse with provider-managed redundancy and time-travel recovery capabilities

The Processor reviews and updates these measures from time to time to address new risks. Where a BAA is in effect, the Processor additionally implements the administrative, physical, and technical safeguards required by the HIPAA Security Rule (45 CFR Part 164, Subpart C) as further described in the BAA.
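Illustration of the per-request scoping described under "Multi-tenant isolation" and "Role-based access control" above: the tenant and location named in a request are checked against the principal derived from the session cookie before any query is built, denials are written to the audit log, and only a validated dataset identifier is ever interpolated into SQL (other request values travel as query parameters). This is an added example, not the Processor's code, and nothing in it is a contractual commitment; the role names, the raw_<tenant>_<location> dataset naming scheme, the audit event names and the sample principals are assumptions constructed for the illustration.

```python
"""Server-side tenant/location scoping on every request (illustrative only).
Assumptions: one raw BigQuery dataset per location named raw_<tenant>_<location>;
roles owner/manager/staff; audit event names access_granted/permission_denied."""
import re
from dataclasses import dataclass, field

# BigQuery dataset IDs allow only letters, digits and underscores (max 1024 chars).
# Request-supplied tenant/location ids are checked against IDENT_RE before they are
# composed into a dataset name, so they cannot alter the query text.
IDENT_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")
DATASET_ID_RE = re.compile(r"^[A-Za-z0-9_]{1,1024}$")

# Assumed roles: owners see every location of their own tenant; managers and
# staff see only locations assigned to them. No role ever crosses a tenant.
ROLE_LOCATION_SCOPE = {"owner": "all", "manager": "assigned", "staff": "assigned"}


class AccessDenied(Exception):
    """Raised when a request fails the server-side scope check."""


@dataclass(frozen=True)
class Principal:
    """Identity the server derives from the httpOnly session cookie; never read
    from the request body or URL."""
    user_id: str
    tenant_id: str
    role: str
    location_ids: frozenset


@dataclass
class AuditLog:
    """In-memory stand-in for the audit sink (grants and permission denials)."""
    events: list = field(default_factory=list)

    def record(self, event: str, **fields) -> None:
        self.events.append({"event": event, **fields})


def authorize_location(principal: Principal, tenant_id: str,
                       location_id: str, audit: AuditLog) -> None:
    """Run on every authenticated request: the tenant and location named in the
    request must be well-formed and must match the session principal."""
    scope = ROLE_LOCATION_SCOPE.get(principal.role)
    if not (IDENT_RE.match(tenant_id) and IDENT_RE.match(location_id)):
        reason = "malformed_identifier"
    elif tenant_id != principal.tenant_id:
        reason = "cross_tenant"
    elif scope is None:
        reason = "unknown_role"
    elif scope == "assigned" and location_id not in principal.location_ids:
        reason = "location_not_assigned"
    else:
        audit.record("access_granted", user=principal.user_id,
                     tenant=tenant_id, location=location_id)
        return
    audit.record("permission_denied", user=principal.user_id,
                 tenant=tenant_id, location=location_id, reason=reason)
    raise AccessDenied(reason)


def dataset_for(tenant_id: str, location_id: str) -> str:
    """Compose the per-location raw dataset name; re-validated as defense in depth."""
    name = f"raw_{tenant_id}_{location_id}"
    if not DATASET_ID_RE.match(name):
        raise ValueError(f"invalid dataset id: {name!r}")
    return name


def build_visits_query(principal: Principal, tenant_id: str, location_id: str,
                       since: str, audit: AuditLog):
    """Authorize first, then build a query confined to the caller's own dataset.
    Only the validated dataset identifier is interpolated; `since` is passed as a
    named query parameter (@since), never as SQL text."""
    authorize_location(principal, tenant_id, location_id, audit)
    dataset = dataset_for(tenant_id, location_id)
    sql = (f"SELECT client_id, visit_date, service_name "
           f"FROM `{dataset}.visits` WHERE visit_date >= @since")
    return sql, {"since": since}


if __name__ == "__main__":
    # Constructed sample principal: a manager assigned to two locations.
    audit = AuditLog()
    manager = Principal("u_17", "t_acme", "manager", frozenset({"loc_1", "loc_2"}))
    print(build_visits_query(manager, "t_acme", "loc_1", "2026-01-01", audit))
    for tenant, location in (("t_acme", "loc_9"), ("t_other", "loc_1"), ("t_acme", "x`.v; --")):
        try:
            build_visits_query(manager, tenant, location, "2026-01-01", audit)
        except AccessDenied as exc:
            print("denied:", tenant, location, exc)
    for event in audit.events:
        print(event)
```

The check runs before the query is constructed, so a request for another tenant's location, an unassigned location, or a location id that is not a valid identifier is refused and logged as a permission denial rather than reaching BigQuery.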

7. Sub-processors

The Controller authorizes the Processor to engage the following sub-processors. The Processor will notify the Controller at least 30 days before adding or replacing a sub-processor, giving the Controller the opportunity to object. The HIPAA-eligibility column indicates whether the sub-processor offers a contractual basis for processing PHI on its platform; HIPAA-eligible status is required only where a BAA is in effect between Controller and Processor.

Sub-processor | Purpose | Location | HIPAA-eligible
Google Cloud Platform | Data warehouse (BigQuery), compute (Cloud Run), scheduling, object storage, secret management, operational logging | US (us-east1) | Yes (BAA available)
Supabase | User authentication and metadata storage | US | Yes (Team plan + HIPAA add-on)
Vercel | Web application hosting and content delivery | US | Yes (Enterprise plan)
Resend | Transactional email delivery (account, password, inquiry, aggregate-metric reports) | US | Not in PHI scope
Controller's spa management software vendor | Source spa management platform (API access) | US | Controller-negotiated
Sentry | Error monitoring, performance tracing, session replay (text-masked) | US | Yes (Business plan + BAA)
PostHog | Product analytics (currently disabled by default) | US | Self-hosted required for PHI
Stripe | Subscription billing and payment processing (Controller billing data only; no spa-client data) | US | Not in PHI scope
Anthropic | AI language model processing (AI Data Analyst); for Controllers under a BAA, traffic is routed via a HIPAA-eligible inference path | Global (US-primary) | Yes (via HIPAA-eligible path)
Slack | Operational alerting to internal Processor channels (aggregate telemetry only; no Data Subject identifiers in payloads) | US | Not in PHI scope

Each sub-processor is contractually bound to data protection obligations no less protective than those set out in this DPA. The Processor remains liable for the acts and omissions of its sub-processors.

8. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests to exercise their rights under applicable data protection law, including rights of access, rectification, erasure, restriction, portability, and objection.

If the Processor receives a request directly from a Data Subject, the Processor shall promptly notify the Controller and shall not respond to the request without the Controller's instructions, unless required by applicable law.

The Processor shall provide reasonable technical and organizational assistance to enable the Controller to respond to Data Subject requests within the timeframes required by applicable law. Where a BAA is in effect, requests by individuals to exercise rights under 45 CFR §§ 164.524, 164.526, and 164.528 are handled in accordance with the BAA.

9. Data Breach Notification

The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach, and in any event within the timeframes required by applicable law (including, where a BAA is in effect, the HIPAA Breach Notification Rule's 60-day window for Business Associates under 45 CFR § 164.410, and any shorter window the parties agree to in the BAA). The Processor targets initial notification within 72 hours of discovery where feasible. The notification shall include:

  • A description of the nature of the breach, including the categories and approximate number of Data Subjects and records affected
  • The name and contact details of the Processor's point of contact for further information
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach and mitigate its effects

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach. Where a BAA is in effect, the Processor will additionally provide the information required by 45 CFR § 164.410(c) to support the Controller's notification obligations under 45 CFR §§ 164.404 and 164.406.

10. Data Deletion and Return

Upon termination of the Service, the Controller has a 90-day window to request an export of all personal data in a standard machine-readable format (CSV or JSON).

After the 90-day export window, the Processor shall permanently and irreversibly delete all personal data from its systems, including backups, unless retention is required by applicable law. The Processor shall certify deletion in writing upon the Controller's request. Where a BAA is in effect, the return-or-destruction provisions of the BAA control with respect to PHI.

Security and compliance audit logs are retained for a minimum of six (6) years after generation to satisfy HIPAA documentation requirements under 45 CFR § 164.316(b)(2) and analogous obligations under other applicable laws. Other usage and operational logs are retained for up to 12 months after termination for operational and security monitoring purposes, after which they are automatically purged.

11. Audit Rights

The Controller has the right to audit the Processor's compliance with this DPA. The Processor shall make available all information reasonably necessary to demonstrate compliance and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

Audits shall be conducted with reasonable prior notice (at least 30 days), during normal business hours, and in a manner that does not unreasonably disrupt the Processor's operations. The Controller shall bear the costs of any audit it initiates.

12. International Transfers

The Processor's primary data center is located in the Google Cloud us-east1 region (United States), and the vast majority of personal data is processed and stored within the United States. Certain sub-processors (e.g., the AI language model provider used for the AI Data Analyst) may process queries on globally distributed infrastructure. Sub-processor processing locations are listed in Section 7.

If the Controller is located outside the United States, or if Data Subjects are located in the European Economic Area (EEA), the parties agree that this DPA, together with the Standard Contractual Clauses (where applicable), provides appropriate safeguards for the transfer of personal data.

Other than processing by the sub-processors listed in Section 7 at the locations stated there, the Processor shall not transfer personal data to any country outside the United States without the Controller's prior written consent and appropriate safeguards under applicable law.

13. Term and Termination

This DPA shall remain in effect for the duration of the Controller's subscription to the Service and shall automatically terminate when all personal data has been deleted or returned in accordance with Section 10.

The obligations of the Processor regarding data protection and confidentiality shall survive termination of this DPA.

14. HIPAA and Protected Health Information

Scope. This DPA governs the processing of Personal Data generally. It does not, by itself, satisfy the requirements of 45 CFR §§ 164.502(e) and 164.504(e) for the processing of PHI. If the Controller is a Covered Entity or another Business Associate that wishes to process PHI through the Service, the parties must execute a separate Business Associate Agreement.

Default position. Absent an executed BAA, the Controller represents that it will not submit PHI to the Service, and the Processor is not obligated to safeguard Personal Data submitted via the Service as PHI under HIPAA.

If a BAA is executed. The BAA supplements this DPA and, in case of conflict with respect to PHI, the BAA controls. The Processor will: (a) use and disclose PHI only as permitted by the BAA or required by law; (b) implement the safeguards required by the HIPAA Security Rule (45 CFR Part 164, Subpart C); (c) report security incidents and breaches of unsecured PHI to the Controller as required by 45 CFR § 164.410 and the BAA; (d) ensure sub-processors that handle PHI are bound by equivalent terms; (e) make PHI available as required by 45 CFR §§ 164.524, 164.526, and 164.528; and (f) make its books, records, and policies relating to the use and disclosure of PHI available to HHS upon request.

Customer responsibility. The Controller is solely responsible for determining whether the data it submits constitutes PHI, for complying with HIPAA and other applicable health-privacy laws with respect to data the Controller collects, and for providing any required Notice of Privacy Practices to its end consumers.

Right to refuse PHI. Absent an executed BAA, the Processor may delete, refuse to ingest, or block any data field it reasonably believes contains PHI, without liability for the affected portion of the Service.

15. Contact

For questions about this Data Processing Agreement or to exercise any rights described herein, contact us at:

Day Spa Data LLC
Email: legal@dayspadata.com