SettlyGo - Your Local Friend in Germany

1. Parties & Scope

This Data Processing Agreement ("DPA") supplements the SettlyGo Terms of Service and governs the processing of personal data when customers, helpers, or partners (each the "Controller") use SettlyGo ("Processor") to handle onboarding, bookings, payments, and communications. The DPA ensures compliance with GDPR Article 28 and similar regulations.

2. Duration

This DPA remains in effect for as long as the Controller maintains an account or until all personal data processed on the Controller's behalf has been deleted or returned according to the Data Retention Schedule.

3. Subject Matter & Purpose

Collecting booking details, helper profile data, and communication history.
Coordinating payments, refunds, verification steps, and dispute workflows.
Providing dashboards, analytics, and operational tooling to Controllers.

4. Categories of Data & Subjects

SettlyGo processes the following categories of personal data:

Customer data: profile information, booking metadata, communications, ratings.
Helper data: profile fields, identification documents, onboarding status, payout info.
Operational data: audit logs, device/browser info, messages exchanged through the platform.

5. Obligations of the Controller

Provide personal data only when it has a lawful basis under GDPR.
Inform data subjects about SettlyGo’s role using our Privacy Policy.
Configure access controls for their team members with the principle of least privilege.
Promptly notify SettlyGo about any inaccuracies or unlawful instructions.

6. Obligations of SettlyGo (Processor)

Process personal data solely based on documented Controller instructions.
Ensure confidentiality through employee training and access reviews.
Maintain technical and organizational measures described in the Security documentation.
Assist Controllers with data subject requests, DPIAs, and incident investigations.
Log processing activities for auditability per Article 30.

7. Subprocessors

SettlyGo engages carefully vetted subprocessors. The current list includes:

Subprocessor	Purpose	Location	Safeguards
Stripe	Payment processing & refund automation	EU & US	DPA + SCCs
Airtable	Operational database + CRM	EU & US	DPA + SCCs
Vercel	Hosting & edge network	EU & US	DPA + SCCs
Resend	Transactional email delivery	EU & US	DPA pending (tracked in SECURITY.md)

Controllers can subscribe to subprocessor change alerts by emailing hello@settlygo.app.

8. Security Measures

SettlyGo implements layered safeguards, including:

Transport Layer Security (TLS 1.2+) for all network traffic.
Role-based access controls with session-based authentication.
Audit logs for bookings, payout events, and admin actions.
Encrypted secrets management and environment hardening.
Automated vulnerability scanning and dependency monitoring.

Additional technical and organizational details are documented in our security runbooks and can be shared under NDA upon request.

9. Data Subject Rights Assistance

SettlyGo will notify the Controller without undue delay if we receive a data subject request directly. We provide tooling to export, correct, or delete data so Controllers can fulfill obligations under Articles 12–23 GDPR within statutory deadlines.

10. International Transfers

Data may be transferred outside the EEA when subprocessors operate globally. SettlyGo relies on Standard Contractual Clauses and implements supplementary safeguards (encryption, limited access, monitoring) to keep transfers lawful.

11. Incident Notification

In the event of a security incident affecting Controller data, SettlyGo will notify the Controller without undue delay, share known details, mitigation steps, and cooperate fully with regulatory notifications required under GDPR Articles 33–34.

12. Data Return or Deletion

At termination or upon written request, SettlyGo will delete personal data within the timeframes documented in the Data Retention Schedule. When deletion is not possible due to legal obligations (e.g., accounting rules), we will continue to protect the data and restrict processing to the required purpose only.

13. Audit Rights

Controllers may request summaries of penetration tests, policies, and subprocessors. If additional audits are required, SettlyGo will cooperate within reasonable limits and may charge fees to cover the cost of supporting onsite reviews.

14. Contact

Email privacy@settlygo.app for DPA requests, countersigned copies, or to appoint a data protection representative.

Data Processing Agreement (DPA)