This Data Processing Agreement ("DPA") forms an integral part of the Salonnare Terms of Service and automatically applies as soon as you create an account and enter personal data of your salon's end-clients into the Service. No separate signature is required - for a standalone signed PDF, email [email protected].
Parties: (1) the customer that has entered into a Salonnare subscription (the "Controller"), and (2) VanIersel Development (trading as Salonnare), based in Waalwijk, the Netherlands, [email protected] (the "Processor").
This DPA implements Article 28(3) GDPR and the obligations between controller and processor set out therein.
The Processor processes personal data solely on behalf of and on documented instructions from the Controller, in the context of the Salonnare Service.
This DPA applies for the duration of the underlying subscription agreement and terminates automatically upon its end, subject to section 10 (end of processing).
Nature: storage, display, structuring, retrieval, transmission (email/WhatsApp), erasure and backing up of personal data in a multi-tenant cloud SaaS environment.
Purpose: delivery of the Salonnare functionality (calendar, POS, invoicing, campaigns, notifications, reporting, client records) in accordance with the instructions the Controller gives via the application interface or support channels.
The Processor does not process personal data for its own purposes or third-party purposes, except as necessary to deliver the Service, for anonymous/aggregated product research or for legal obligations.
Data subjects: salon end-clients; salon employees/stylists; suppliers and contacts the Controller records.
Categories of personal data: contact details (name, email, phone), identifiers (client number), appointment history, services, invoices, payments, notes, photos, preferences, gift-card and loyalty balances, email/WhatsApp communication, reviews.
Special categories (Article 9 GDPR) - such as health notes (allergies, medication, skin conditions, pregnancy) - are stored in a dedicated encrypted vault, separated from regular client notes. The Processor applies the following additional safeguards:
• AES-256-GCM envelope encryption using a per-tenant data key, which is itself wrapped at rest with a platform master key.
• The master key is held exclusively in environment variables, separate from database backups; loss of the key renders all vault data permanently unreadable.
• Role-based access control through a dedicated permission flag (can_view_health_notes), auditable per membership; admins are not automatically passed through.
• Immutable access log: every read, write, download and deletion is recorded with actor, IP address and timestamp, and retained for 24 months.
• Default retention of 12 months + 30-day grace period, configurable per note by the Controller.
• Platform impersonation is technically blocked on the health-data routes (defence-in-depth).
The Controller remains responsible for establishing and documenting the appropriate legal basis under Article 9(2) GDPR (typically explicit consent or vital interests). The Processor provides the technical facility to record, prove and withdraw such consent through a separate consent-event log. See the "art9-health-data-vault" runbook for technical details.
The Processor processes personal data only on documented instructions from the Controller, unless required to do so by law. In that case, the Processor informs the Controller before processing, save for legal bars on such notification.
If the Processor believes that an instruction infringes the GDPR or other EU or Member State data-protection law, it informs the Controller without delay.
The Processor ensures that persons authorised to process personal data have committed to confidentiality in writing or are under an appropriate statutory obligation of confidentiality.
Access to production data is limited to the founder of VanIersel Development and expressly authorised persons, under 2FA.
The Controller grants the Processor general written authorisation to engage sub-processors. The current list is available at salonnare.com/sub-processors and is incorporated by reference.
The Processor notifies the Controller at least 30 days before engaging a new sub-processor or replacing an existing one. Within those 30 days the Controller may object with reasoning. If the objection cannot reasonably be resolved, the Controller may terminate the subscription agreement without notice period, for the portion in which the sub-processor is engaged.
The Processor imposes on each sub-processor the same or stricter obligations as set out in this DPA, via a written (sub-)processing agreement. The Processor remains fully liable for its sub-processors' compliance.
The Processor implements appropriate technical and organisational measures, including: TLS 1.3 in transit, AES-256 at rest, HSTS preload, row-level tenant isolation at database level, least-privilege production access with 2FA, audit logging of mutations, automatic rate limiting and anomaly detection, regular dependency and security updates.
The Processor evaluates security measures periodically and adjusts them when the state of the art or risk profile requires it.
The Processor provides the Controller with reasonable assistance in responding to data subject requests (access, rectification, erasure, restriction, portability, objection) through appropriate technical and organisational measures, including in-app self-service exports (JSON/CSV) and API endpoints.
Data subject requests received directly by the Processor are forwarded unprocessed to the Controller, save where the Processor is legally obliged to handle them itself.
Upon request, the Processor assists the Controller with DPIAs and prior consultation of the supervisory authority (Articles 35-36 GDPR), subject to reasonable compensation for actual costs in extensive engagements.
The Processor notifies the Controller without undue delay, and in any case within 48 hours of discovery, of a personal data breach within the meaning of Article 33 GDPR.
The notification contains at minimum: nature of the breach, categories and approximate numbers affected, contact person, likely consequences and measures taken or proposed.
The Controller remains responsible for notifying the Dutch Data Protection Authority and, where applicable, the data subjects (Articles 33-34 GDPR). The Processor provides reasonable assistance.
On termination of the underlying agreement, the Controller has 30 days to download all personal data via the self-service export function (JSON/CSV) or API.
After that period, the Processor deletes all personal data from production systems. Data is removed from backups within the standard 30-day rotation. Data that the Processor must retain under EU or Dutch law (such as invoicing records under Article 52 AWR - 7-year tax retention) is kept for that statutory period and then destroyed.
On reasonable request, the Processor makes available the information necessary to demonstrate compliance with this DPA, including security policies and the latest penetration test report (under NDA).
The Controller may, at most once every 12 months and at its own cost, have an independent auditor perform an audit. Audits are announced at least 30 days in advance, scheduled by mutual agreement, and must not disrupt the service. Findings are confidential.
The Processor does not transfer personal data to third countries outside the EU/EEA without appropriate safeguards (EU Standard Contractual Clauses, certification under the EU-US Data Privacy Framework or another mechanism under Chapter V GDPR).
The current safeguards per sub-processor are listed at salonnare.com/sub-processors.
Liability under this DPA is subject to the liability limitation set out in the Terms of Service (salonnare.com/terms - section 12).
Nothing in this DPA limits the obligations under Article 82 GDPR; the parties remain fully liable towards data subjects and supervisory authorities.
This DPA is governed by Dutch law. Disputes are submitted to the competent court in Breda, the Netherlands, unless mandatory law provides otherwise.
