Data Processing Agreement

Pursuant to Art. 28 GDPR (Art. 28 DSGVO)

Last updated: 27 February 2026

Parties and Conclusion

This Data Processing Agreement ("DPA") is concluded between the operator of Tiapla – René Rothe, Am Herrschaftsanger 5, 89343 Jettingen-Scheppach, Germany (hereinafter "Processor") – and each client who uses the Tiapla booking platform to process personal data of their own end users (hereinafter "Controller").

This DPA forms an integral part of the Tiapla Terms of Use. By using the Service, the Controller accepts this DPA. The DPA fulfils the requirements of Art. 28 GDPR.

Subject Matter, Duration, Nature and Purpose

Subject matter: Processing of personal data of the Controller's end users for the purpose of appointment booking.

Duration: For as long as the Controller uses the Tiapla Service. Processing ends upon deletion of the account or discontinuation of the Service.

Nature: Collection, storage, retrieval, and deletion of appointment data via the Tiapla platform and API.

Purpose: Provision of appointment booking functionality on behalf of the Controller.

Types of Personal Data and Categories of Data Subjects

The following categories of data may be processed, depending on the fields configured by the Controller:

  • Name
  • Email address
  • Phone number
  • Appointment date and time
  • Notes and any additional fields configured by the Controller

Data subjects are the end users of the Controller who submit appointment booking requests through the Tiapla widget or booking page.

Obligations of the Processor

The Processor (Tiapla) undertakes to:

  • Process personal data only for the purpose of providing the Service and only as strictly necessary for that purpose.
  • Ensure that all persons authorised to process the data are bound by confidentiality obligations.
  • Implement appropriate technical and organisational security measures pursuant to Art. 32 GDPR (see Section 7).
  • Assist the Controller in fulfilling data subject rights requests (access, rectification, erasure, restriction) to the extent technically feasible within the platform.
  • Notify the Controller without undue delay if a personal data breach affecting the Controller's data becomes known.
  • Delete or return all personal data processed on behalf of the Controller upon termination of the service relationship, unless retention is required by applicable law.
  • Make available all information reasonably necessary to demonstrate compliance with this DPA and Art. 28 GDPR.
  • Allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller (Art. 28(3)(h) GDPR). The parties shall agree on scope and timing in advance to minimise disruption.

Obligations of the Controller

The Controller is responsible for:

  • Ensuring a lawful legal basis for the processing of end-user data (e.g. Art. 6(1)(b) GDPR – performance of a contract).
  • Informing their end users about data processing in a compliant privacy notice on their own website.
  • Ensuring that only necessary and lawfully collected data is processed via the Service.
  • Issuing documented instructions to the Processor where required (use of the Service constitutes such instructions).

Sub-processors

The Processor uses the following sub-processors to deliver the Tiapla service. Where a sub-processor is located outside the EU/EEA, appropriate safeguards (EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR) are in place. The Controller hereby grants general authorisation for the use of such sub-processors.

Amazon Web Services EMEA SARL
  Service: Cloud infrastructure (EC2, storage)
  Location: EU – Frankfurt, Germany (eu-central-1)
  DPA / AVV: AWS DPA (PDF)

Google LLC
  Service: Google Calendar API – optional, used only when a business connects their Google Calendar
  Location: USA (transfers via EU Standard Contractual Clauses, Art. 46(2)(c) GDPR)
  DPA / AVV: Google DPA (SCCs)

Microsoft Ireland Operations Ltd
  Service: Microsoft Graph / Outlook Calendar API – optional, used only when a business connects their Outlook calendar
  Location: EU – Ireland
  DPA / AVV: Microsoft DPA

seven.io GmbH
  Service: SMS gateway for appointment confirmations and reminders – optional, used only when a business enables SMS notifications
  Location: EU – Germany
  DPA / AVV: seven.io DPA

STRATO AG
  Service: Transactional email delivery – booking confirmations, reminders, GDPR verification emails, and system notifications
  Location: EU – Berlin, Germany
  DPA / AVV: STRATO DPA

The Processor will inform the Controller of any intended changes regarding the addition or replacement of sub-processors by updating this page. The Controller may object to such changes within 14 days of notification.

Technical and Organisational Measures (Art. 32 GDPR)

The Processor implements the following measures to ensure an appropriate level of security:

  • HTTPS/TLS encryption for all data in transit.
  • Encrypted storage of data at rest on protected server infrastructure.
  • Access control: only authorised personnel have access to production data.
  • Authentication: accounts are protected by credentials and JWT-based session management.
  • Regular backups to prevent data loss.
  • Server infrastructure located in the EU/EEA; no transfer of data to third countries.

Return and Deletion of Data

Upon termination of the service relationship, or upon written request from the Controller, the Processor will delete all personal data processed on the Controller's behalf within a reasonable period, unless applicable law requires continued retention. The Controller may request confirmation of deletion.