Data Processing Agreement

This Data Processing Agreement (DPA) forms part of the agreement between StampPilot and the Customer for the provision of services.

1. Definitions

'Personal Data', 'Processing', 'Controller', and 'Processor' have the meanings given in the GDPR (General Data Protection Regulation).

2. Roles

The Customer acts as the Controller for customer data processed through StampPilot. StampPilot acts as the Processor, processing data on behalf of the Customer.

3. Processing Purpose

StampPilot processes personal data solely for providing the contracted services: loyalty program management, reservation handling, and review collection.

4. Security Measures

StampPilot implements appropriate technical and organizational measures including encryption at rest and in transit, access controls, and regular security reviews.

5. Sub-processors

StampPilot uses the following sub-processors: Vercel (hosting), Neon (database), Stripe (payments). The Customer authorizes the use of these sub-processors.

6. Data Subject Rights

StampPilot will assist the Customer in fulfilling data subject requests (access, rectification, erasure, portability) within the required timeframes.

7. Data Breach Notification

StampPilot will notify the Customer of any personal data breach without undue delay, and in any case within 72 hours of becoming aware of the breach.

8. Term and Termination

This DPA remains in effect as long as StampPilot processes personal data on behalf of the Customer. Upon termination, data will be deleted or returned as requested.

Last updated: January 2025