Data Processing Agreement
Last Updated: February 2026
Between:
Trimlinea ("Processor", "we", "us")
4th Floor, 14 Museum Place, Cardiff, CF10 3BH
Business Type: Sole Trader
ICO Registration: ZC083991
AND
The business entity that has entered into the Master Services Agreement ("Controller", "Client", "you")
Effective Date: The date the Master Services Agreement becomes effective
This Data Processing Agreement ("DPA") forms part of the Master Services Agreement ("Agreement") between the parties and governs the processing of personal data by Processor on behalf of Controller.
1. Definitions
| Term | Definition |
|---|---|
| Applicable Data Protection Law | UK GDPR, Data Protection Act 2018, and PECR, as amended |
| Controller | The party that determines the purposes and means of processing personal data |
| Data Subject | An identified or identifiable natural person |
| Personal Data | Any information relating to a Data Subject |
| Personal Data Breach | A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data |
| Processing | Any operation performed on Personal Data (collection, storage, use, disclosure, etc.) |
| Processor | The party that processes Personal Data on behalf of the Controller |
| Sub-Processor | A third party engaged by Processor to process Personal Data |
| UK GDPR | The General Data Protection Regulation as retained in UK law |
2. Scope & Roles
2.1 Controller and Processor
The parties agree that:
- Controller is the data controller for Customer Personal Data
- Processor is the data processor, processing Customer Personal Data on Controller's behalf
2.2 Scope of Processing
This DPA applies to:
- Personal data of Controller's end-customers (people booking appointments)
- Personal data processed through the Platform on Controller's behalf
This DPA does NOT apply to:
- Controller's own account data (governed by Processor's Privacy Policy)
- Data for which Processor is an independent controller
2.3 Processor's Role as Controller
Processor acts as an independent controller for:
- Controller's administrator and staff account data
- Billing and subscription data
- Platform usage analytics (anonymised)
- Communications with Controller's representatives
- Platform feedback requests to end-customers (see Section 2.4)
2.4 Platform Feedback Communications
Controller acknowledges that Processor may, as an independent controller, contact end-customers by email to request feedback about the Platform experience. This processing is based on Processor's legitimate interest in improving the Platform.
Safeguards:
- Communications will identify Trimlinea as sender (not the Controller's business)
- Each email includes an unsubscribe link; opt-outs are honoured within 48 hours
- Data is used solely for Platform feedback, not marketing
- Controller may opt out its end-customers by written notice to Processor
3. Details of Processing
3.1 Subject Matter
Provision of online booking platform services, including appointment scheduling, customer management, and payment processing.
3.2 Duration
Processing continues for the duration of the Agreement, plus any retention period required by law or specified herein.
3.3 Nature and Purpose
| Purpose | Processing Activities |
|---|---|
| Booking management | Storing and displaying appointments, availability, service preferences |
| Customer communications | Sending booking confirmations, reminders, cancellations on Controller's behalf |
| Payment processing | Facilitating card payments via Stripe, recording transactions |
| Reporting | Generating business reports and analytics for Controller |
| Support | Troubleshooting issues, responding to Controller's requests |
3.4 Categories of Data Subjects
- Controller's end-customers (people booking appointments)
- Walk-in customers whose details are entered manually
3.5 Categories of Personal Data
| Category | Data Elements |
|---|---|
| Identity Data | First name, last name |
| Contact Data | Email address, phone number |
| Account Data | User ID, password (hashed), account preferences |
| Booking Data | Appointment dates/times, services, notes, barber preferences |
| Payment Data | Payment method, transaction IDs, amounts (card details held by Stripe) |
| Technical Data | IP address, browser type, device information |
3.6 Special Categories
Processor does not intentionally process special category data (health, religion, etc.). If Controller collects such data (e.g., in booking notes), Controller is solely responsible for ensuring a lawful basis.
4. Controller's Obligations
Controller warrants and agrees that:
4.1 Lawful Processing
- Controller has a lawful basis for collecting and sharing Personal Data with Processor
- Controller has provided appropriate privacy notices to Data Subjects
- Controller has obtained necessary consents where required
4.2 Instructions
- Controller's instructions to Processor are lawful under Applicable Data Protection Law
- Controller will not instruct Processor to process data in a manner that violates law
4.3 Data Accuracy
- Controller is responsible for the accuracy of Personal Data provided
- Controller will notify Processor of corrections as needed
4.4 Data Subject Rights
- Controller is responsible for responding to Data Subject requests
- Controller will instruct Processor to assist with such requests
4.5 Compliance
- Controller will comply with Applicable Data Protection Law
- Controller will maintain appropriate records of processing activities
5. Processor's Obligations
5.1 Processing Instructions
Processor shall:
- Process Personal Data only on Controller's documented instructions
- Inform Controller if an instruction infringes Applicable Data Protection Law
- Not process Personal Data for any purpose other than providing the Services
Documented Instructions: The Agreement, this DPA, Controller's use of Platform features, and written instructions from Controller constitute documented instructions.
5.2 Confidentiality
Processor shall ensure that persons authorised to process Personal Data:
- Are subject to confidentiality obligations
- Process data only as instructed
- Receive appropriate data protection training
5.3 Security Measures
Processor shall implement appropriate technical and organisational measures, including:
| Category | Measures |
|---|---|
| Access Control | Role-based access, unique user accounts, strong authentication |
| Encryption | TLS 1.2+ in transit, AES-256 at rest |
| Network Security | Firewalls, intrusion detection, DDoS protection |
| Application Security | Secure coding practices, regular updates, vulnerability scanning |
| Physical Security | Secure data centre facilities (via hosting provider) |
| Personnel Security | Background checks, confidentiality agreements, training |
| Incident Management | Detection, response, and notification procedures |
| Business Continuity | Backups, disaster recovery, redundancy |
| Audit & Monitoring | Logging, monitoring, regular security assessments |
5.5 Assistance with Data Subject Rights
Upon Controller's request, Processor shall assist with:
- Responding to Data Subject access requests
- Rectification, erasure, or restriction of processing
- Data portability requests
- Objections to processing
Processor may charge reasonable fees for assistance beyond standard Platform features.
5.7 Personal Data Breaches
In the event of a Personal Data Breach affecting Controller's data:
| Obligation | Timeframe |
|---|---|
| Notification to Controller | Without undue delay, within 48 hours of becoming aware |
| Information provided | Nature of breach, categories/numbers affected, likely consequences, mitigation measures |
| Ongoing updates | As investigation progresses |
| Documentation | Records of breaches and remediation |
Processor will cooperate with Controller's breach response and notifications to supervisory authorities or Data Subjects.
5.8 Data Deletion
Upon termination of the Agreement:
- Processor will delete Controller's Personal Data within 90 days
- Controller may request data export before deletion (within 30 days of termination)
- Processor may retain data as required by law (with notice to Controller)
- Backup copies will be purged within 180 days
5.9 Audit and Inspection
Processor shall:
- Make available information necessary to demonstrate compliance
- Allow for and contribute to audits and inspections by Controller or Controller's auditor
- Provide audit reports, certifications, and security assessments upon request
Audit Conditions:
- Reasonable advance notice (minimum 30 days for on-site)
- During normal business hours
- Subject to confidentiality obligations
- Controller bears costs of audits (unless breach discovered)
- Maximum one audit per year (unless breach or regulatory requirement)
6. Sub-Processors
6.1 Authorised Sub-Processors
Controller provides general authorisation for Processor to engage Sub-Processors listed in Annex B.
6.2 Sub-Processor Requirements
Processor shall:
- Enter into written agreements with Sub-Processors imposing equivalent obligations
- Remain liable for Sub-Processor compliance
- Conduct due diligence on Sub-Processor security
6.3 Changes to Sub-Processors
Before engaging a new Sub-Processor:
- Processor will notify Controller at least 30 days in advance
- Notification will include Sub-Processor name, location, and processing activities
- Controller may object in writing within 14 days with reasonable grounds
- If objection cannot be resolved, Controller may terminate affected Services
6.4 Current Sub-Processors
See Annex B for the current list of authorised Sub-Processors, or visit /subprocessors.
7. International Transfers
7.1 Transfer Restrictions
Processor shall not transfer Personal Data outside the UK/EEA unless:
- An adequacy decision applies to the destination country
- Appropriate safeguards are in place (Standard Contractual Clauses)
- A derogation applies under Applicable Data Protection Law
7.2 Current Transfers
| Sub-Processor | Location | Safeguard |
|---|---|---|
| Stripe, Inc. | USA | Standard Contractual Clauses |
| ZeptoMail (Zoho) | USA/India | Standard Contractual Clauses |
| Microsoft Azure | UK | Adequacy (domestic) |
| Cloudflare | Global/USA | Standard Contractual Clauses |
| Vercel | USA | Standard Contractual Clauses |
7.3 Standard Contractual Clauses
Where required, the parties agree to the UK International Data Transfer Agreement (IDTA) or EU SCCs with UK Addendum, as applicable.
7.4 Additional Measures
Processor implements supplementary measures including:
- Encryption of data in transit and at rest
- Access controls and authentication
- Pseudonymisation where feasible
- Assessment of destination country laws
8. Liability
8.1 Liability Allocation
Each party is liable for its own breaches of Applicable Data Protection Law. Controller acknowledges that Processor processes Personal Data solely on Controller's instructions and Controller remains primarily responsible for compliance with data protection obligations relating to Customer Data.
8.2 Controller Indemnification
Controller shall indemnify Processor from claims, damages, losses, fines, and expenses arising from:
- Controller's breach of this DPA or the Agreement
- Controller's breach of Applicable Data Protection Law
- Controller's unlawful, inaccurate, or inadequate processing instructions
- Controller's failure to obtain valid consent or establish a lawful basis
- Controller's failure to provide adequate privacy notices to Data Subjects
- Controller's failure to respond to Data Subject requests in accordance with law
- Claims by Data Subjects arising from Controller's acts or omissions
- Fines or enforcement actions by the ICO arising from Controller's acts or omissions
8.3 Processor Indemnification
Processor shall indemnify Controller from claims, damages, losses, fines, and expenses arising from:
- Processor's breach of this DPA (where Processor acts outside Controller's documented instructions)
- Processor's breach of its security obligations under Section 5.3
- Processor's failure to notify Controller of a Personal Data Breach as required
- Fines imposed directly on Processor by a supervisory authority for Processor's own breach
Processor's indemnification does NOT apply to:
- Claims arising from Controller's instructions (even if subsequently found to be unlawful)
- Claims arising from Controller's failure to fulfil its own data protection obligations
- Claims arising from Personal Data Breaches caused by Controller's acts or omissions
8.5 Limitation
Subject to Sections 8.2 and 8.3, liability under this DPA is subject to the limitations in the Agreement, except:
- Controller's indemnification obligations under Section 8.2 are not subject to the liability cap
- Processor's liability for data protection breaches within Processor's control is capped at the greater of: (a) fees paid in the preceding 12 months, or (b) £50,000
- Liability for wilful misconduct, gross negligence, or fraud is not limited
9. Term and Termination
9.1 Term
This DPA remains in effect for the duration of the Agreement and any period during which Processor retains Personal Data.
9.2 Termination
This DPA terminates automatically when:
- The Agreement terminates; and
- All Personal Data has been deleted or returned
9.3 Survival
Sections relating to confidentiality, liability, and data retention survive termination.
10. General Provisions
10.1 Precedence
In case of conflict between this DPA and the Agreement regarding data protection, this DPA prevails.
10.2 Amendments
This DPA may be amended by written agreement of both parties or by Processor to reflect changes in Applicable Data Protection Law (with notice).
10.3 Severability
If any provision is found unenforceable, the remaining provisions continue in effect.
10.4 Governing Law
This DPA is governed by the laws of England and Wales.
10.5 Supervisory Authority
The lead supervisory authority is the UK Information Commissioner's Office (ICO).
11. Contact Information
Processor Contact
Controller Contact
Annexes
Annex A: Processing Details
A.1 Subject Matter of Processing
Provision of online booking and business management platform services.
A.2 Duration of Processing
From the Effective Date until termination of the Agreement plus any legal retention period.
A.3 Nature of Processing
| Activity | Description |
|---|---|
| Collection | Receiving data via booking forms, account registration |
| Storage | Storing in secure databases |
| Organisation | Structuring data for display and reporting |
| Retrieval | Displaying data to Controller and authorised staff |
| Use | Sending communications, processing payments |
| Disclosure | Sharing with Sub-Processors as described |
| Deletion | Removing data on instruction or termination |
A.4 Purpose of Processing
- Appointment booking and management
- Customer relationship management
- Payment processing
- Automated communications (confirmations, reminders)
- Business reporting and analytics
- Platform operation and support
A.5 Categories of Data Subjects
- End-customers who book appointments
- Walk-in customers entered manually
A.6 Categories of Personal Data
- Identity: First name, last name
- Contact: Email, phone number
- Account: Username, password (hashed), preferences
- Booking: Dates, times, services, notes, preferences
- Payment: Method, transaction records, amounts
- Technical: IP address, device info, logs
A.7 Special Categories
None intentionally processed. Controller responsible for any special category data entered in free-text fields.
Annex B: Authorised Sub-Processors
| Sub-Processor | Service | Data Processed | Location | Safeguards |
|---|---|---|---|---|
| Stripe, Inc. | Payment processing | Customer name, email, payment details, transaction data | USA | SCCs, PCI DSS |
| ZeptoMail (Zoho) | Email delivery | Names, email addresses, booking details | USA/India | SCCs, ISO 27001 |
| Microsoft Azure | Backend infrastructure & database | All Platform data | UK (UK South/UK West) | ISO 27001, SOC 2, GDPR DPA |
| Cloudflare, Inc. | CDN, DNS, DDoS protection | Request data, cached content | Global (edge network) | ISO 27001, SOC 2, SCCs |
| Vercel Inc. | Frontend hosting | Static assets, request logs | USA (global edge) | SOC 2, SCCs |
| Google LLC | Analytics (consent-based) | IP, usage data (anonymised) | USA | SCCs, consent |
| Sentry | Error monitoring (consent-based) | Error logs, device info | USA | SCCs, consent |
Controller will be notified of Sub-Processor changes via email. Current list is also available at trimlinea.co.uk/subprocessors.
Annex C: Technical and Organisational Measures
C.1 Access Control
| Measure | Implementation |
|---|---|
| User authentication | Unique accounts, strong passwords, JWT tokens |
| Role-based access | Permissions based on user role (Admin, Barber, Client) |
| Multi-tenancy isolation | Strict separation of Client data via BrandId |
| Session management | Automatic timeout, secure token handling |
| Admin access logging | All administrative actions logged |
C.2 Encryption
| Measure | Implementation |
|---|---|
| Data in transit | TLS 1.2 or higher (HTTPS enforced) |
| Data at rest | AES-256 database encryption |
| Password storage | Bcrypt hashing with salt |
| Token security | JWT with cryptographic signing |
C.3 Network Security
| Measure | Implementation |
|---|---|
| Firewalls | Network-level and application-level |
| DDoS protection | Via hosting provider |
| Intrusion detection | Monitoring and alerting |
| VPN/secure access | For administrative access |
C.4-C.9 Additional Measures
Application Security
- OWASP guidelines, input validation
- Regular vulnerability checks
- Timely patching
- Security review of changes
Physical Security
- Secure data centre facilities
- Access controls and monitoring
- Environmental controls
- Redundant power and connectivity
Personnel Security
- Confidentiality obligations
- Data protection training
- Least privilege principle
- Prompt access revocation on offboarding
Business Continuity
- Regular automated backups
- Tested disaster recovery procedures
- High-availability infrastructure
- Uptime monitoring and alerting