Data Processing Agreement (DPA)
Agreement on the processing of personal data pursuant to Art. 28 GDPR.
This DPA applies only when using TattooMate as a hosted SaaS solution.
1. Subject matter and duration
This data processing agreement governs the processing of personal data by the processor on behalf of the controller in the course of using TattooMate as a SaaS solution. The duration of processing depends on the term of the underlying contract.
2. Type and purpose of processing
Processing is carried out for the purpose of providing and using the TattooMate software. This includes in particular the storage, organization, display and processing of customer data, consents, health information, signatures, images and documents captured by the studio.
3. Categories of data subjects
Data subjects are in particular:
- customers of the studio
- legal guardians (for under-18 cases)
- employees and artists of the studio
4. Types of personal data
The following data is processed in particular:
- master data (e.g., name, date of birth)
- contact data
- health information
- consents and signatures
- image and document data (e.g., IDs, tattoo/touch-up images)
5. Responsibility
The controller is responsible for the lawfulness of data collection and processing. The processor processes the data exclusively on documented instructions of the controller.
6. Processor obligations
The processor undertakes to:
- treat personal data confidentially
- implement appropriate technical and organizational measures (TOMs)
- assign processing only to authorized personnel
- support the controller with data protection requests
7. Technical and organizational measures
Measures include in particular:
- access restrictions and role/permission systems
- encrypted connections (TLS)
- separate instances per studio
- protection against unauthorized access

A detailed overview of TOMs can be provided upon request.
8. Sub-processors
Sub-processors (e.g., hosting or infrastructure providers) are used only if they are contractually obliged to comply with the GDPR. The controller will be informed about material changes.
9. Rights of data subjects
The processor supports the controller in safeguarding the rights of data subjects (e.g., access, deletion, rectification) as far as technically possible.
10. End of processing
After termination of the contract, personal data will be deleted or made available for return at the controller’s choice, unless there is a legal retention obligation.
11. Liability
The liability provisions of the main contract apply. Liability is governed by the legal provisions of the GDPR.
12. Final provisions
The law of the Federal Republic of Germany applies. If individual provisions of this DPA are invalid, the validity of the remaining provisions remains unaffected.