Last updated: July 3, 2026
This Data Processing Agreement ("DPA") applies only where SettlyGo processes personal data on behalf of a business customer, partner, or other controller under a separate agreement. For ordinary customer and helper marketplace use, SettlyGo generally processes personal data as described in the Privacy Policy.
Where this DPA applies, the business customer, partner, or other controller is the "Controller" and SettlyGo acts as "Processor" for the covered processing. The DPA supports GDPR Article 28 and similar regulations.
This DPA remains in effect for the term of the separate agreement or until all personal data processed on the Controller's behalf under that agreement has been deleted or returned according to the Data Retention Schedule.
SettlyGo processes the following categories of personal data:
SettlyGo engages carefully vetted subprocessors. The current list includes:
| Subprocessor | Purpose | Location | Safeguards |
|---|---|---|---|
| Stripe | Payment processing & refund automation | EU & US | DPA + SCCs |
| Airtable | Operational database + CRM | EU & US | DPA + SCCs |
| Vercel | Hosting & edge network | EU & US | DPA + SCCs |
| Resend | Transactional email delivery | EU & US | DPA execution in progress |
| Sentry | Error monitoring & diagnostics | EU (data region) | DPA + SCCs |
Controllers can subscribe to subprocessor change alerts by emailing hello@settlygo.app.
SettlyGo implements layered safeguards, including:
Additional technical and organizational details are documented in our security runbooks and can be shared under NDA upon request.
SettlyGo will notify the Controller without undue delay if we receive a data subject request directly. We provide tooling to export, correct, or delete data so Controllers can fulfill obligations under Articles 12–23 GDPR within statutory deadlines.
Data may be transferred outside the EEA when subprocessors operate globally. SettlyGo relies on Standard Contractual Clauses and implements supplementary safeguards (encryption, limited access, monitoring) to keep transfers lawful.
In the event of a security incident affecting Controller data, SettlyGo will notify the Controller without undue delay, share known details, mitigation steps, and cooperate fully with regulatory notifications required under GDPR Articles 33–34.
At termination or upon written request, SettlyGo will delete personal data within the timeframes documented in the Data Retention Schedule. When deletion is not possible due to legal obligations (e.g., accounting rules), we will continue to protect the data and restrict processing to the required purpose only.
Controllers may request summaries of penetration tests, policies, and subprocessors. If additional audits are required, SettlyGo will cooperate within reasonable limits and may charge fees to cover the cost of supporting onsite reviews.
Email privacy@settlygo.app for DPA requests, countersigned copies, or to appoint a data protection representative.