Saaty/Legal

Saaty Legal

Data Processing Addendum

Effective 1 Ağustos 2026 · Version 1.0

This document is provided in English; the English version governs.

This document contains bracketed placeholder values and is pending final legal review.

1. Scope and roles

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between [COMPANY LEGAL NAME] (“Saaty”, the processor) and each business using the platform (the “Business”, the controller). It applies to personal data of the Business’s customers and staff that Saaty processes on the Business’s behalf (“Business Customer Data”): customer profiles, booking histories, notes, communications, and staff schedules.

It does not apply to data Saaty processes as an independent controller (platform accounts, security, billing, product analytics), which is governed by the Privacy Policy.

2. Details of processing

ItemDescription
Subject matterOperation of the Saaty booking and customer-management platform
DurationThe term of the Business’s use of the platform, plus the deletion window below
Nature and purposeHosting, storage, transmission, display, backup, and analysis needed to provide booking, scheduling, CRM, and communication features
Data subjectsThe Business’s customers, prospective customers, and staff
Categories of dataContact details, booking and service history, notes entered by the Business, payment status, communication logs
Special categoriesNot intended; incidental content entered by the Business in free-text fields

3. Saaty's obligations as processor

  • Process Business Customer Data only on the Business’s documented instructions — given through the platform’s features and settings — unless required otherwise by law, in which case Saaty informs the Business unless prohibited.
  • Ensure persons authorized to process the data are bound by confidentiality.
  • Implement appropriate technical and organizational measures (Art. 32 GDPR): encryption in transit, access controls and role-based permissions, isolation between businesses, logging, backups, and tested recovery.
  • Assist the Business, insofar as reasonably possible, in responding to data-subject requests (access, rectification, erasure, portability, restriction, objection) — largely available self-service via the platform.
  • Assist with the Business’s obligations regarding security, breach notification, and data protection impact assessments, taking into account the information available to Saaty.
  • Notify the Business without undue delay after becoming aware of a personal data breach affecting Business Customer Data.
  • Make available information reasonably necessary to demonstrate compliance, and allow for and contribute to audits conducted by the Business or its mandated auditor, no more than once per year on 30 days’ notice, at the Business’s expense.

4. Sub-processors

The Business gives general written authorization for Saaty to engage the sub-processors below. Saaty will notify Businesses of intended additions or replacements at least 30 days in advance (email or in-product), giving the Business the opportunity to object on reasonable data-protection grounds; if the objection cannot be resolved, the Business may terminate the affected services. Saaty imposes data-protection obligations on each sub-processor equivalent to this DPA and remains liable for their performance.

Sub-processorPurposeLocation of processing
Cloud hosting & database providerInfrastructure, storage, backups[HOSTING REGION(S)]
CloudinaryImage hosting and deliveryEU/US
ResendTransactional and campaign email deliveryUS
TwilioSMS delivery and phone verificationUS
StripePayment processingEU/US
GoogleCalendar synchronization (only where the Business connects it)Global

5. International transfers

Where processing involves transfers out of the EU/EEA or UK, the parties rely on adequacy decisions where available and otherwise the EU Standard Contractual Clauses (Module 2, controller-to-processor) and the UK Addendum, which are incorporated into this DPA by reference. Saaty will implement supplementary measures where a transfer impact assessment shows they are needed.

6. Deletion and return

Upon termination of the Business’s use of the platform, Saaty will, at the Business’s choice, delete or return Business Customer Data within 90 days, except where retention is required by law. Export tools are available in the dashboard throughout the term.

7. The Business's obligations

  • Have a lawful basis for the customer data it enters or collects through the platform, and provide its customers with the privacy information required by law.
  • Configure permissions, staff roles, and retention appropriately, and keep its own account credentials secure.
  • Not instruct Saaty to process data in violation of applicable data protection law.

8. Liability and precedence

Liability under this DPA is subject to the limitations of the Terms of Service, except where applicable data protection law does not permit such limitation. In case of conflict between this DPA and the Terms regarding the processing of Business Customer Data, this DPA prevails. Contact for this DPA: privacy@saaty.app.