Data Processing Agreement

Verwerkersovereenkomst (Processor Agreement) pursuant to Article 28 GDPR

Last updated: March 24, 2026

This Data Processing Agreement (“DPA”) forms an integral part of the Terms & Conditions between:

Controller: The User of the GroomSome Service (“you” or “Controller”), being the grooming business that enters personal data of its clients into the Service; and

Processor: GroomSome, a sole proprietorship (eenmanszaak) registered with the Dutch Chamber of Commerce (KvK) under number 81487983, located in Harderwijk, the Netherlands (“GroomSome”, “we”, or “Processor”).

By using the GroomSome Service and entering personal data of your clients, you accept this DPA.

Article 1 — Definitions

Terms used in this DPA have the same meaning as defined in the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the GroomSome Terms & Conditions. In addition:

1.1 “Personal Data” means any personal data processed by the Processor on behalf of the Controller through the Service, as described in Annex 1.

1.2 “Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

1.3 “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

Article 2 — Scope and Purpose of Processing

2.1 The Processor processes Personal Data solely on behalf of and on the documented instructions of the Controller, for the purpose of providing the GroomSome Service as described in the Terms & Conditions.

2.2 The nature, purpose, duration, types of Personal Data, and categories of data subjects are described in Annex 1 to this DPA.

2.3 The Processor shall not process Personal Data for any purpose other than as set out in this DPA, unless required to do so by EU or Dutch law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information.

Article 3 — Obligations of the Processor

3.1 The Processor shall:

  (a) process Personal Data only on documented instructions from the Controller, including with regard to transfers to third countries, unless required by law;
  (b) ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  (c) implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex 2;
  (d) assist the Controller, taking into account the nature of processing, by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising data subject rights (Chapter III GDPR);
  (e) assist the Controller in ensuring compliance with obligations under Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to the Processor;
  (f) at the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of the Service, and delete existing copies unless EU or Dutch law requires further storage;
  (g) make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

3.2 The Processor shall immediately inform the Controller if, in its opinion, an instruction from the Controller infringes the GDPR or other EU or Dutch data protection provisions.

Article 4 — Sub-processors

4.1 The Controller provides general written authorisation for the Processor to engage Sub-processors. The current list of Sub-processors is set out in Annex 3 to this DPA.

4.2 The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors at least 30 days in advance, thereby giving the Controller the opportunity to object to such changes.

4.3 If the Controller objects to a new Sub-processor on reasonable grounds relating to the protection of Personal Data, the parties shall discuss the concern in good faith. If no resolution can be reached within 30 days, the Controller may terminate the Agreement with immediate effect.

4.4 Where the Processor engages a Sub-processor, the Processor shall impose the same data protection obligations as set out in this DPA on that Sub-processor by way of a contract. The Processor shall remain fully liable to the Controller for the performance of the Sub-processor’s obligations.

Article 5 — International Transfers

5.1 The Processor shall not transfer Personal Data to a country outside the European Economic Area (EEA) unless appropriate safeguards are in place as required by Chapter V of the GDPR, such as EU Standard Contractual Clauses (SCCs) or an adequacy decision by the European Commission.

5.2 The Processor shall inform the Controller of any transfers to third countries and the safeguards relied upon.

Article 6 — Data Breach Notification

6.1 The Processor shall notify the Controller without undue delay, and in any event within 24 hours, after becoming aware of a Data Breach affecting Personal Data processed under this DPA.

6.2 The notification shall at minimum describe:

  1. the nature of the Data Breach, including where possible the categories and approximate number of data subjects and records concerned;
  2. the likely consequences of the Data Breach;
  3. the measures taken or proposed to address the Data Breach, including measures to mitigate its possible adverse effects.

6.3 The Processor shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the Data Breach.

6.4 The notification of a Data Breach shall not be construed as an acknowledgement of fault or liability by the Processor.

Article 7 — Audits

7.1 The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR.

7.2 The Controller may conduct an audit of the Processor’s processing activities, or appoint an independent third-party auditor to do so, no more than once per calendar year. The Controller shall provide at least 30 days’ prior written notice. The audit shall be conducted during normal business hours and shall not unreasonably disrupt the Processor’s operations.

7.3 The costs of the audit shall be borne by the Controller, unless the audit reveals a material breach of this DPA by the Processor.

Article 8 — Data Retention and Deletion

8.1 Upon termination or expiry of the Agreement, the Processor shall make all Personal Data available for export by the Controller for a period of 30 days.

8.2 After the 30-day export period, the Processor shall delete all Personal Data from its active systems within 30 days and from backup systems within 90 days, unless EU or Dutch law requires further retention (e.g., financial records under the Dutch fiscal retention obligation).

8.3 The Processor shall provide written confirmation of deletion upon the Controller’s request.

Article 9 — Liability

9.1 The liability of the Processor under this DPA is subject to the liability provisions in the Terms & Conditions (Article 9).

9.2 Each party is liable for damages caused by processing that infringes the GDPR, in accordance with Article 82 GDPR.

Article 10 — Duration and Termination

10.1 This DPA enters into force upon your acceptance of the Terms & Conditions and remains in effect for the duration of the processing of Personal Data by the Processor.

10.2 Obligations that by their nature should survive termination (including Articles 3(f), 6, 7, 8, and 9) shall survive termination of this DPA.

Article 11 — Governing Law

11.1 This DPA is governed by the laws of the Netherlands.

11.2 Any disputes arising from this DPA shall be submitted to the competent court in the district of Gelderland (Rechtbank Gelderland).

Annex 1 — Description of Processing

Subject matter: Processing of personal data of the Controller’s clients (pet owners) through the GroomSome SaaS platform for the purpose of appointment management, customer relationship management, and pet grooming business operations.

Duration: For the term of the Agreement between Controller and Processor, plus the post-termination retention period described in Article 8.

Nature and purpose: Storage, organisation, retrieval, and display of personal data entered by the Controller into the Service. Automated backup and replication for disaster recovery. Processing to provide appointment scheduling, customer management, and reporting features.

Categories of data subjects: Clients (customers) of the Controller’s pet grooming business, i.e., pet owners.

Types of personal data:
  • Names (pet owner)
  • Contact details (phone number, email address, postal address)
  • Pet information (name, breed, age, medical/grooming notes, photos)
  • Appointment history and preferences
  • Notes entered by the Controller

Sensitive data: None expected. The Controller shall not enter special categories of personal data (Article 9 GDPR) into the Service.

Annex 2 — Technical and Organisational Measures

The Processor implements the following measures to protect Personal Data:

Encryption in transit: All data transmitted between users and the Service is encrypted using TLS 1.2 or higher.

Encryption at rest: Data stored in Azure Cosmos DB and Azure Blob Storage is encrypted at rest using AES-256 encryption managed by Microsoft Azure.

Authentication: User authentication is handled through Azure AD B2C with support for multi-factor authentication (MFA).

Access control: Role-based access control (RBAC). Access to production systems and databases is limited to the Processor on a need-to-know basis.

Infrastructure: Hosted on Microsoft Azure, EU West Europe region (Netherlands). Azure provides physical security, network security, and environmental controls certified under ISO 27001, SOC 2, and other standards.

Backup: Automated daily backups with point-in-time restore capability. Backups are stored within the EU.

Monitoring: Application monitoring through Sentry (EU region) for error detection. No personal data is intentionally sent to Sentry; error reports may incidentally contain technical context.

Incident response: Documented incident response procedure. Data Breaches are escalated and notified in accordance with Article 6 of this DPA.

Employee access: As a sole proprietorship, access to production data is limited to the owner/operator. No employees have access unless explicitly onboarded with confidentiality obligations.

Data minimisation: The Service collects and processes only the data entered by the Controller. We do not enrich, profile, or otherwise process Customer Data beyond what is necessary to provide the Service.

Annex 3 — List of Sub-processors

The following Sub-processors are authorised to process Personal Data under this DPA. This list may be updated in accordance with Article 4.2.

Sub-processor: Microsoft Azure (Microsoft Corporation)
  Purpose: Cloud hosting, database (Cosmos DB), authentication (Azure AD B2C), blob storage
  Location: EU West Europe (Netherlands)
  Privacy / DPA: Microsoft DPA

Sub-processor: Stripe (Stripe Payments Europe, Ltd.)
  Purpose: Payment processing
  Location: Ireland (EU)
  Privacy / DPA: Stripe Privacy Policy

Sub-processor: Microsoft Clarity (Microsoft Corporation)
  Purpose: Website analytics and session recording (marketing site only, with consent)
  Location: EU / Global
  Privacy / DPA: Microsoft Privacy Statement

Sub-processor: Sentry (Functional Software, Inc.)
  Purpose: Error monitoring and crash reporting
  Location: EU data region (ingest.de.sentry.io)
  Privacy / DPA: Sentry Privacy Policy

Contact

GroomSome (eenmanszaak)
KvK: 81487983
Harderwijk, the Netherlands
Email: info@groomsome.app