Data Processing Agreement
Last updated: May 14, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between ATM Group ("Processor", "Crown") and the customer entity using the Crown platform ("Controller"). It governs Crown's processing of Personal Data on behalf of the Controller in accordance with the EU/UK GDPR.
1. Roles
The Controller is the studio (barbershop, salon, or tattoo studio) that collects client data through Crown. Crown acts solely as Processor and processes Personal Data only on documented instructions from the Controller.
2. Subject matter & duration
Crown processes Personal Data for the duration of the Controller's subscription and only for the purpose of providing the Crown platform: bookings, CRM, payments, messaging, reviews, and analytics.
3. Categories of data & data subjects
- Data subjects: Controller's clients, staff, and admins.
- Categories: name, email, phone, appointment history, service notes, payment metadata, photographs (where uploaded), device tokens for notifications.
4. Sub-processors
Crown engages the following sub-processors:
- Supabase — managed Postgres, auth, storage (EU region).
- Cloudflare Workers / Vercel — application hosting.
- Stripe — payment processing.
- Twilio — SMS delivery.
- Resend — transactional email.
- Apple / Google — push notification delivery.
Crown will notify Controllers of any addition or replacement of a sub-processor with at least 30 days' notice and provide a reasonable objection mechanism.
5. International transfers
Where data leaves the UK/EEA, transfers rely on the UK International Data Transfer Addendum and the EU Standard Contractual Clauses (Module 2: Controller-to-Processor), incorporated by reference into this DPA.
6. Security measures
- Encryption in transit (TLS 1.2+) and at rest.
- Row-Level Security on all tenant data.
- Role-based access control with least-privilege principles.
- Audit logging for privileged operations.
- Regular dependency and security scanning.
7. Data subject requests
Crown will assist the Controller in responding to data subject requests (access, rectification, erasure, portability) through self-service tools in the admin dashboard and, where necessary, through direct support.
8. Breach notification
Crown will notify the Controller without undue delay, and in any case within 72 hours, of becoming aware of a Personal Data breach affecting Controller data.
9. Return & deletion
On termination, Crown will allow the Controller to export all Personal Data and will delete remaining data within 30 days, except where retention is required by law.
10. Audit
Crown will make available all information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, on reasonable notice.
11. Contact
For DPA questions or requests, or to receive a counter-signed copy, contact chrollo.csllc@gmail.com.
This DPA is offered on a take-it-or-leave-it basis as part of the Crown subscription. Enterprise customers may request a counter-signed paper copy.