Saaty Legal
Data Processing Addendum
Effective 1 august 2026 · Version 1.0
This document is provided in English; the English version governs.
This document contains bracketed placeholder values and is pending final legal review.
1. Scope and roles
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between [COMPANY LEGAL NAME] (“Saaty”, the processor) and each business using the platform (the “Business”, the controller). It applies to personal data of the Business’s customers and staff that Saaty processes on the Business’s behalf (“Business Customer Data”): customer profiles, booking histories, notes, communications, and staff schedules.
It does not apply to data Saaty processes as an independent controller (platform accounts, security, billing, product analytics), which is governed by the Privacy Policy.
2. Details of processing
| Item | Description |
|---|---|
| Subject matter | Operation of the Saaty booking and customer-management platform |
| Duration | The term of the Business’s use of the platform, plus the deletion window below |
| Nature and purpose | Hosting, storage, transmission, display, backup, and analysis needed to provide booking, scheduling, CRM, and communication features |
| Data subjects | The Business’s customers, prospective customers, and staff |
| Categories of data | Contact details, booking and service history, notes entered by the Business, payment status, communication logs |
| Special categories | Not intended; incidental content entered by the Business in free-text fields |
3. Saaty's obligations as processor
- Process Business Customer Data only on the Business’s documented instructions — given through the platform’s features and settings — unless required otherwise by law, in which case Saaty informs the Business unless prohibited.
- Ensure persons authorized to process the data are bound by confidentiality.
- Implement appropriate technical and organizational measures (Art. 32 GDPR): encryption in transit, access controls and role-based permissions, isolation between businesses, logging, backups, and tested recovery.
- Assist the Business, insofar as reasonably possible, in responding to data-subject requests (access, rectification, erasure, portability, restriction, objection) — largely available self-service via the platform.
- Assist with the Business’s obligations regarding security, breach notification, and data protection impact assessments, taking into account the information available to Saaty.
- Notify the Business without undue delay after becoming aware of a personal data breach affecting Business Customer Data.
- Make available information reasonably necessary to demonstrate compliance, and allow for and contribute to audits conducted by the Business or its mandated auditor, no more than once per year on 30 days’ notice, at the Business’s expense.
4. Sub-processors
The Business gives general written authorization for Saaty to engage the sub-processors below. Saaty will notify Businesses of intended additions or replacements at least 30 days in advance (email or in-product), giving the Business the opportunity to object on reasonable data-protection grounds; if the objection cannot be resolved, the Business may terminate the affected services. Saaty imposes data-protection obligations on each sub-processor equivalent to this DPA and remains liable for their performance.
| Sub-processor | Purpose | Location of processing |
|---|---|---|
| Cloud hosting & database provider | Infrastructure, storage, backups | [HOSTING REGION(S)] |
| Cloudinary | Image hosting and delivery | EU/US |
| Resend | Transactional and campaign email delivery | US |
| Twilio | SMS delivery and phone verification | US |
| Stripe | Payment processing | EU/US |
| Calendar synchronization (only where the Business connects it) | Global |
5. International transfers
Where processing involves transfers out of the EU/EEA or UK, the parties rely on adequacy decisions where available and otherwise the EU Standard Contractual Clauses (Module 2, controller-to-processor) and the UK Addendum, which are incorporated into this DPA by reference. Saaty will implement supplementary measures where a transfer impact assessment shows they are needed.
6. Deletion and return
Upon termination of the Business’s use of the platform, Saaty will, at the Business’s choice, delete or return Business Customer Data within 90 days, except where retention is required by law. Export tools are available in the dashboard throughout the term.
7. The Business's obligations
- Have a lawful basis for the customer data it enters or collects through the platform, and provide its customers with the privacy information required by law.
- Configure permissions, staff roles, and retention appropriately, and keep its own account credentials secure.
- Not instruct Saaty to process data in violation of applicable data protection law.
8. Liability and precedence
Liability under this DPA is subject to the limitations of the Terms of Service, except where applicable data protection law does not permit such limitation. In case of conflict between this DPA and the Terms regarding the processing of Business Customer Data, this DPA prevails. Contact for this DPA: privacy@saaty.app.