<-- Back to home

Data Processing Agreement

Last updated: 9 May 2026

This Data Processing Agreement ("DPA") forms part of the PawDash Terms of Service and applies whenever you, the customer, process personal data of third parties (such as your clients - the dog owners) using PawDash.

Capitalised terms have the meaning given in UK GDPR. The "Customer" is you. "PawDash" is the data processor.

1. Roles

You are the Controller of personal data you enter into PawDash. We are the Processor acting on your documented instructions.

2. Subject matter and duration

  • Subject matter: provision of the PawDash software service.
  • Duration: for the term of your subscription, plus 30 days for export.
  • Nature and purpose: storage, processing, and display of business data needed to operate a dog walking, daycare, and boarding business.

3. Categories of data subjects and personal data

Data subjects: your clients (dog owners), your staff.

Personal data: names, addresses, phone numbers, email addresses, dog details (vet info, behavioural notes, medical notes), schedule entries, payment records. Special-category data is generally not processed; if you record sensitive information (e.g. medical conditions) you do so on your own legal basis.

4. Subprocessors

You authorise the following subprocessors:

  • Supabase Inc. - database and authentication (EU Frankfurt region).
  • Vercel Inc. - hosting, serverless functions, edge network (EU and US).
  • GoCardless Ltd - Direct Debit billing (UK).
  • Google LLC - identity verification (only when you choose Google sign-in).

We will give you 30 days' notice before adding or replacing a subprocessor.

5. Security

  • Encryption in transit (TLS 1.2+) and at rest (AES-256 via Supabase).
  • Tenant isolation via Postgres Row Level Security.
  • Passwords stored as bcrypt hashes; we never see plaintext.
  • Service-role keys held only server-side as Vercel environment variables.
  • Regular dependency security updates.

6. Personal data breach

We will notify you within 72 hours of becoming aware of a personal data breach affecting your tenant, with the information needed to fulfil your own ICO notification obligations.

7. Data subject requests

If a data subject contacts us directly with an access, correction, or deletion request, we will redirect them to you. You can fulfil access and export requests using the export function in PawDash.

8. Audit

On request (no more than once per 12 months) we will share our latest information security summary and answer reasonable questions about our processing. On-site audits are not available given the size of our operation.

9. International transfers

Where data leaves the UK or EEA, transfers are made under the UK International Data Transfer Addendum and EU Standard Contractual Clauses where applicable.

10. Termination

On termination of your subscription you may export all your data within 30 days. After that we delete it from primary systems within 7 days and from backups within 90 days.