Data Processing Addendum

Last updated: 25 June 2026 · Version 1.0 (draft)

Template notice. This DPA template is for business customers who act as a data controller and use Stalldo to process personal data of their own contacts (e.g. a barn managing boarder or staff data). It is not legal advice and must be finalised by qualified counsel, with Standard Contractual Clauses and an up-to-date sub-processor list attached. A German version (AVV) is required for DACH. Bracketed values are placeholders.

1. Roles

This Addendum forms part of the Terms between the customer ("Controller") and [Stalldo] ("Processor"). It applies where Stalldo processes personal data on the Controller's behalf under Art. 28 GDPR. Where Stalldo determines purposes and means (e.g. its own account and billing data), Stalldo acts as controller under the Privacy Policy.

2. Subject matter & duration

The Processor processes personal data to provide the Stalldo service for the duration of the Controller's use, plus any limited period required to return or delete data.

3. Nature & purpose; data and data subjects

Purpose: hosting, storage, syncing, sharing and processing of the Controller's content to deliver the service.
Data subjects: the Controller's staff, boarders, clients and contacts.
Categories: names, contact details, roles/permissions, scheduling, financial entries, documents and notes the Controller chooses to store.

4. Processor obligations

Process personal data only on the Controller's documented instructions, including for transfers, unless required by law.
Ensure persons authorised to process the data are bound by confidentiality.
Implement appropriate technical and organisational security measures (Art. 32) — encryption in transit, access controls, permissioned sharing, reputable infrastructure.
Assist the Controller with data-subject requests and with security, breach-notification and impact-assessment obligations, taking into account the information available.
Notify the Controller without undue delay after becoming aware of a personal-data breach.
At the Controller's choice, delete or return personal data at the end of the service, subject to legal retention.
Make available information needed to demonstrate compliance and allow for audits, on reasonable notice and confidentiality terms.

5. Sub-processors

The Controller authorises the use of sub-processors, currently including Cloudflare (hosting, edge, CDN, bot protection), Supabase (database, auth, storage), [email provider] and [AI provider, where used]. We impose data-protection obligations on each sub-processor equivalent to this DPA and will give notice of changes, allowing the Controller to object on reasonable grounds.

6. International transfers

Where personal data is transferred outside the EEA/UK, the parties rely on EU Standard Contractual Clauses and supplementary measures as required.

7. Liability

Each party's liability under this DPA is subject to the limitations agreed in the Terms, to the extent permitted by law.

To request a signed DPA or the current sub-processor list, contact privacy@stalldo.com.