Data Processing Agreement

1. Definitions

In this DPA, the following terms have the meanings set out below. Terms not defined here have the meanings given in the GDPR or the Terms of Service.

• "Controller" means the customer subscribing to the BakeWind platform who determines the purposes and means of processing Personal Data
• "Processor" means Nicolás di Rago, operating as BakeWind, who processes Personal Data on behalf of the Controller
• "Personal Data" means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller through the Service
• "Processing" means any operation performed on Personal Data, including collection, storage, alteration, retrieval, use, disclosure, erasure, or destruction
• "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates
• "Sub-Processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller
• "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data

2. Subject Matter & Duration

This DPA applies to all processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the BakeWind bakery management platform.

The duration of this DPA is tied to the Controller's subscription to the Service. This DPA shall remain in effect for as long as the Processor processes Personal Data on behalf of the Controller, including any post-termination data retention period as specified in the Terms of Service.

3. Nature & Purpose of Processing

The Processor processes Personal Data solely for the purpose of providing the BakeWind bakery management platform, including:

• Managing customer records (names, contact information, delivery addresses, order preferences)
• Processing and fulfilling bakery orders, including delivery logistics
• Managing staff and employee records within the Controller's organization
• Generating business analytics and operational reports
• Sending transactional communications (order confirmations, notifications, alerts)
• Maintaining account security and authentication
• Providing customer support services

4. Types of Personal Data

The following categories of Personal Data may be processed under this DPA:

• Identity data: names, email addresses, phone numbers
• Contact data: postal addresses, delivery addresses
• Account data: login credentials (hashed passwords), account preferences
• Transaction data: order history, payment references, delivery records
• Employment data: staff names, positions, department assignments, work schedules
• Usage data: login timestamps, feature usage patterns, session information
• Technical data: IP addresses, browser type, device information

5. Categories of Data Subjects

The Personal Data processed under this DPA relates to the following categories of Data Subjects:

• The Controller's bakery customers (individuals who place orders)
• The Controller's employees and staff members
• The Controller's business contacts and suppliers
• Users of the Controller's BakeWind account (managers, administrators)

6. Processor Obligations

The Processor shall:

• Process Personal Data only on documented instructions from the Controller, unless required by EU or Member State law. Where the Processor is compelled by law to process Personal Data, it shall inform the Controller of the legal requirement before processing, unless the law prohibits such notification on important grounds of public interest.
• Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
• Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including but not limited to: encryption for sensitive data at rest, TLS/HTTPS encryption for data in transit, strong password hashing, role-based access control, and regular security assessments. The current technical measures are described in the Service Level Agreement (Section 6) and may be updated as technology evolves, provided the overall level of security is not reduced.
• Not engage another processor (Sub-Processor) without prior general written authorization of the Controller, subject to the notification and objection procedure in Section 7
• Assist the Controller in ensuring compliance with obligations relating to the security of processing, notification of data breaches, data protection impact assessments, and prior consultation with supervisory authorities
• At the choice of the Controller, delete or return all Personal Data after the end of the provision of the Service, and delete existing copies unless EU or Member State law requires storage
• Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections
• Maintain a record of processing activities carried out on behalf of the Controller in accordance with Art. 30(2) GDPR

The Processor shall immediately inform the Controller if, in its opinion, an instruction from the Controller infringes the GDPR or other EU or Member State data protection provisions.

7. Sub-Processors

The Controller provides general authorization for the Processor to engage Sub-Processors. The Processor currently uses the following Sub-Processors:

• Hetzner Online GmbH (Falkenstein, Germany) — Infrastructure hosting and data storage
• Stripe, Inc. (United States / EU) — Payment processing and subscription billing
• Mailtrap / Railsware Products, Inc. (United States) — Transactional email delivery

The Processor shall notify the Controller by email at least 30 days in advance of any intended addition or replacement of Sub-Processors. The notification shall identify the new Sub-Processor, its location, and the processing activities involved.

The Controller may object to the new Sub-Processor by providing written notice within 30 days of receiving the notification. If the Controller objects, the Processor shall make reasonable efforts to make available an alternative Sub-Processor or configuration that avoids the use of the objected-to Sub-Processor. If no reasonable alternative is available, either party may terminate the affected portion of the Service upon 30 days' written notice, without penalty. If the Controller does not object within the 30-day period, the Controller is deemed to have accepted the new Sub-Processor.

The Processor shall impose the same data protection obligations as set out in this DPA on any Sub-Processor by way of a written contract. Where a Sub-Processor fails to fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of that Sub-Processor's obligations.

8. International Data Transfers

The primary processing of Personal Data takes place on servers located within the European Union (Hetzner, Falkenstein, Germany).

Where Personal Data is transferred to Sub-Processors located outside the EU/EEA, the Processor ensures that appropriate safeguards are in place in accordance with Chapter V of the GDPR. The specific transfer mechanisms per Sub-Processor are:

• Hetzner Online GmbH — No international transfer. All data remains within the EU (Falkenstein, Germany).
• Stripe, Inc. — Stripe is certified under the EU-US Data Privacy Framework (DPF). Transfers are additionally covered by Standard Contractual Clauses (SCCs, Commission Implementing Decision 2021/914, Module 3: processor-to-sub-processor). Stripe processes payment data in both EU and US facilities.
• Mailtrap / Railsware Products, Inc. — Transfers are covered by Standard Contractual Clauses (SCCs, Module 3: processor-to-sub-processor). Transactional email content (recipient email, subject, body) is transferred to US-based infrastructure for delivery.

The Processor monitors regulatory developments regarding international data transfers and will implement additional supplementary measures if required by supervisory authority guidance or court decisions.

9. Data Subject Requests

The Processor shall assist the Controller in responding to requests from Data Subjects to exercise their rights under the GDPR, including the right of access, rectification, erasure, restriction of processing, data portability, and the right to object.

If the Processor receives a request from a Data Subject directly, the Processor shall promptly forward the request to the Controller and shall not respond to the request without the Controller's prior written instructions, unless legally required to do so.

10. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 24 hours, after becoming aware of a Data Breach affecting Personal Data processed under this DPA.

The notification shall include, to the extent available:

• A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and Personal Data records affected
• The name and contact details of the Processor's data protection contact
• A description of the likely consequences of the Data Breach
• A description of the measures taken or proposed to be taken to address the Data Breach, including measures to mitigate its possible adverse effects

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of any Data Breach.

11. Data Return & Deletion

Upon termination or expiry of the Service agreement, the Processor shall, at the Controller's choice:

• Return all Personal Data to the Controller in a structured, commonly used, and machine-readable format (JSON or CSV)
• Delete all Personal Data and certify such deletion in writing

The Controller may export Personal Data through the Service dashboard at any time during the subscription and for 30 days following termination. After the 30-day retention period, all Personal Data shall be permanently deleted from the Processor's live systems within 90 days. Personal Data may persist in encrypted backups until those backups are rotated out under the Processor's standard backup retention cycle (7 daily, 4 weekly, and 12 monthly backups), up to a maximum of 12 months. Backups are encrypted and access-restricted, and data within them is not actively processed.

The Processor may retain Personal Data to the extent required by applicable EU or Member State law, in which case the Processor shall ensure the confidentiality of such data and shall process it only for the purposes required by law.

12. Audit Rights

The Controller has the right to audit the Processor's compliance with this DPA. The Processor shall make available all information necessary to demonstrate compliance. As a first option, the Processor may satisfy audit requests by providing an up-to-date independent third-party security assessment, certification report, or compliance summary. If such documentation is insufficient to address the Controller's specific concerns, the Controller may request an on-site audit or inspection conducted by the Controller or an independent auditor mandated by the Controller.

On-site or remote audits are limited to one per twelve-month period, unless a Data Breach has occurred or a supervisory authority requests an audit. Where the Processor operates remotely, audits may be conducted via secure video conference and screen-sharing. Audits shall be conducted with reasonable prior notice (at least 30 days), during normal business hours, and in a manner that does not unreasonably disrupt the Processor's operations. The Controller shall bear the costs of any audit unless the audit reveals material non-compliance by the Processor.

13. Amendments

The Processor may update this DPA to reflect changes in data protection law, regulatory guidance, or Sub-Processor arrangements. Material changes will be communicated to the Controller by email at least 30 days before taking effect. If the Controller does not agree with the proposed changes, the Controller may terminate the Service in accordance with the Terms of Service.

14. Governing Law & Contact

This DPA shall be governed by the laws of the Federal Republic of Germany. In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.

For questions regarding this DPA, please contact: