Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between ShadeFile ("Processor") and the Salon account owner ("Controller") for the processing of personal data related to salon team accounts.

1. Definitions

Personal Data means any information relating to an identified or identifiable natural person, including client names, contact details, allergy information, and service records stored within ShadeFile.

Processing means any operation performed on Personal Data, including collection, storage, retrieval, use, and deletion.

2. Scope and Purpose

The Processor processes Personal Data solely to provide the ShadeFile service to the Controller and their authorized team members (stylists and assistants). Processing includes storing client records, formula histories, photos, allergy data, and appointment notes.

3. Controller Obligations

• Ensure lawful basis for collecting client data (consent or legitimate interest)
• Inform clients that their data is stored digitally in ShadeFile
• Manage team member access and remove members who leave the salon
• Respond to data subject access requests from their clients

4. Processor Obligations

• Process data only on documented instructions from the Controller
• Ensure persons authorized to process data are bound by confidentiality
• Implement appropriate technical and organizational security measures
• Not engage sub-processors without prior written authorization
• Assist the Controller in responding to data subject requests
• Delete or return all Personal Data upon termination of service
• Make available all information necessary to demonstrate compliance

5. Security Measures

• Data encrypted in transit (TLS 1.3) and at rest
• Database hosted on Supabase with row-level security
• Photos stored in Cloudflare R2 with access controls
• Authentication via industry-standard protocols (OAuth 2.0, bcrypt hashing)
• Role-based access within salon teams (owner, stylist, assistant)
• Automatic session expiry and rate limiting

6. Sub-Processors

The following sub-processors are authorized:

• Supabase (database hosting) — United States
• Cloudflare (photo storage, CDN) — Global
• Vercel (application hosting) — United States
• Stripe (payment processing) — United States
• Resend (transactional email) — United States

7. Data Subject Rights

The Processor will assist the Controller in fulfilling data subject rights including access, rectification, erasure, portability, and restriction of processing. Salon owners can export or delete any client data through the ShadeFile interface.

8. Data Breach Notification

The Processor will notify the Controller without undue delay (within 72 hours) upon becoming aware of a personal data breach affecting the Controller's data.

9. Term and Termination

This DPA remains in effect for the duration of the service agreement. Upon termination, the Processor will delete all Personal Data within 30 days unless retention is required by law.

10. Contact

For questions about this DPA, contact: support@shadefile.com