This Data Processing Agreement ("DPA") forms part of the PawDash Terms of Service and applies whenever you, the customer, process personal data of third parties (such as your clients - the dog owners) using PawDash.
Capitalised terms have the meaning given in UK GDPR. The "Customer" is you. "PawDash" is the data processor.
You are the Controller of personal data you enter into PawDash. We are the Processor acting on your documented instructions.
Data subjects: your clients (dog owners), your staff.
Personal data: names, addresses, phone numbers, email addresses, dog details (vet info, behavioural notes, medical notes), schedule entries, payment records. Special-category data is generally not processed; if you record sensitive information (e.g. medical conditions) you do so on your own legal basis.
You authorise the following subprocessors:
We will give you 30 days' notice before adding or replacing a subprocessor.
We will notify you within 72 hours of becoming aware of a personal data breach affecting your tenant, with the information needed to fulfil your own ICO notification obligations.
If a data subject contacts us directly with an access, correction, or deletion request, we will redirect them to you. You can fulfil access and export requests using the export function in PawDash.
On request (no more than once per 12 months) we will share our latest information security summary and answer reasonable questions about our processing. On-site audits are not available given the size of our operation.
Where data leaves the UK or EEA, transfers are made under the UK International Data Transfer Addendum and EU Standard Contractual Clauses where applicable.
On termination of your subscription you may export all your data within 30 days. After that we delete it from primary systems within 7 days and from backups within 90 days.