Data Processing Agreement (DPA)

Last updated: July 3, 2026

1. Parties & Scope

This Data Processing Agreement ("DPA") applies only where SettlyGo processes personal data on behalf of a business customer, partner, or other controller under a separate agreement. For ordinary customer and helper marketplace use, SettlyGo generally processes personal data as described in the Privacy Policy.

Where this DPA applies, the business customer, partner, or other controller is the "Controller" and SettlyGo acts as "Processor" for the covered processing. The DPA supports GDPR Article 28 and similar regulations.

2. Duration

This DPA remains in effect for the term of the separate agreement or until all personal data processed on the Controller's behalf under that agreement has been deleted or returned according to the Data Retention Schedule.

3. Subject Matter & Purpose

  • Processing data covered by the applicable business or partner agreement.
  • Coordinating agreed operational workflows, support, payments, refunds, verification steps, or dispute workflows.
  • Providing dashboards, analytics, and operational tooling to Controllers.

4. Categories of Data & Subjects

SettlyGo processes the following categories of personal data:

  • Customer, client, or partner contact data: profile information, booking metadata, communications, ratings.
  • Helper or service-provider data where covered by the separate agreement: profile fields, onboarding status, payout info.
  • Operational data: audit logs, device/browser info, messages exchanged through the platform.

5. Obligations of the Controller

  • Provide personal data only when it has a lawful basis under GDPR.
  • Inform data subjects about SettlyGo’s role using our Privacy Policy.
  • Configure access controls for their team members with the principle of least privilege.
  • Promptly notify SettlyGo about any inaccuracies or unlawful instructions.

6. Obligations of SettlyGo (Processor)

  • Process personal data solely based on documented Controller instructions.
  • Ensure confidentiality through employee training and access reviews.
  • Maintain technical and organizational measures described in the Security documentation.
  • Assist Controllers with data subject requests, DPIAs, and incident investigations.
  • Log processing activities for auditability per Article 30.

7. Subprocessors

SettlyGo engages carefully vetted subprocessors. The current list includes:

SubprocessorPurposeLocationSafeguards
StripePayment processing & refund automationEU & USDPA + SCCs
AirtableOperational database + CRMEU & USDPA + SCCs
VercelHosting & edge networkEU & USDPA + SCCs
ResendTransactional email deliveryEU & USDPA execution in progress
SentryError monitoring & diagnosticsEU (data region)DPA + SCCs

Controllers can subscribe to subprocessor change alerts by emailing hello@settlygo.app.

8. Security Measures

SettlyGo implements layered safeguards, including:

  • Transport Layer Security (TLS 1.2+) for all network traffic.
  • Role-based access controls with session-based authentication.
  • Audit logs for bookings, payout events, and admin actions.
  • Encrypted secrets management and environment hardening.
  • Automated vulnerability scanning and dependency monitoring.

Additional technical and organizational details are documented in our security runbooks and can be shared under NDA upon request.

9. Data Subject Rights Assistance

SettlyGo will notify the Controller without undue delay if we receive a data subject request directly. We provide tooling to export, correct, or delete data so Controllers can fulfill obligations under Articles 12–23 GDPR within statutory deadlines.

10. International Transfers

Data may be transferred outside the EEA when subprocessors operate globally. SettlyGo relies on Standard Contractual Clauses and implements supplementary safeguards (encryption, limited access, monitoring) to keep transfers lawful.

11. Incident Notification

In the event of a security incident affecting Controller data, SettlyGo will notify the Controller without undue delay, share known details, mitigation steps, and cooperate fully with regulatory notifications required under GDPR Articles 33–34.

12. Data Return or Deletion

At termination or upon written request, SettlyGo will delete personal data within the timeframes documented in the Data Retention Schedule. When deletion is not possible due to legal obligations (e.g., accounting rules), we will continue to protect the data and restrict processing to the required purpose only.

13. Audit Rights

Controllers may request summaries of penetration tests, policies, and subprocessors. If additional audits are required, SettlyGo will cooperate within reasonable limits and may charge fees to cover the cost of supporting onsite reviews.

14. Contact

Email privacy@settlygo.app for DPA requests, countersigned copies, or to appoint a data protection representative.

← Back to Home
Data Processing Agreement | SettlyGo