Glass Book
UK GDPR Article 28

Data Processing Agreement

Last updated April 2026

Parties

This Data Processing Agreement (“DPA”) is entered into between:

  • Hamr Ltd, trading as Glass Book, a company registered in England and Wales (the “Processor”); and
  • You, the salon, clinic or sole practitioner that has opened a Glass Book account and accepted our Terms of Service (the “Controller”).

This DPA forms part of and is incorporated into the Terms of Service and applies whenever the Processor processes personal data on behalf of the Controller.

1. Subject matter and duration

The Processor processes personal data on behalf of the Controller in order to provide the Glass Book platform. This DPA applies for the duration of the Controller’s subscription and survives termination for as long as the Processor continues to hold any Controller personal data.

2. Nature and purpose of processing

The Processor processes personal data to operate an online booking, payments, consent forms, reminders and reporting platform for salons and clinics. Processing activities include: storage; retrieval and display in the dashboard and on the booking page; transmission to the data subject by transactional email; transmission to sub-processors as listed below; backup; and deletion or anonymisation on request.

3. Categories of data subjects

  • The Controller’s staff and authorised users.
  • The Controller’s clients (end customers booking treatments).

4. Categories of personal data

  • Identification data (name, email address, phone number).
  • Booking and appointment history.
  • Special category data concerning health (Article 9 UK GDPR) collected via the Controller’s consent forms, where the Controller chooses to enable medical-form collection.
  • Payment metadata (Stripe payment intent IDs only — no card numbers).
  • Audit logs of administrative actions taken in the dashboard.

5. Processor obligations

The Processor shall:

  1. Process personal data only on the documented instructions of the Controller, including with regard to transfers of personal data, unless required to do so by law (Art. 28(3)(a)).
  2. Ensure that persons authorised to process the personal data have committed themselves to confidentiality (Art. 28(3)(b)).
  3. Take all measures required pursuant to Article 32 (security of processing). See Section 7 below for the technical and organisational measures in place.
  4. Respect the conditions referred to in Article 28(2) and (4) for engaging another processor (sub-processors). See Section 8 below.
  5. Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, in so far as this is possible, in fulfilling the Controller’s obligation to respond to requests for exercising data subject rights under Chapter III of the UK GDPR (Art. 28(3)(e)). The Processor provides built-in dashboard tools for data export and erasure.
  6. Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the UK GDPR taking into account the nature of processing and the information available to the Processor (Art. 28(3)(f)). In particular, the Processor will notify the Controller without undue delay (and in any event within 72 hours) of becoming aware of a personal data breach affecting the Controller’s data.
  7. At the choice of the Controller, delete or return all the personal data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless UK or EU law requires storage of the personal data (Art. 28(3)(g)).
  8. Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the UK GDPR (Art. 28(3)(h)).

6. Controller obligations

The Controller warrants that:

  1. It has a lawful basis under UK GDPR Article 6 (and, where applicable, Article 9) for the processing it instructs the Processor to perform.
  2. It has obtained any consents required from data subjects, including explicit consent for the processing of special category health data via medical and consent forms.
  3. It will not provide the Processor with personal data that is unlawfully obtained, defamatory, infringing of intellectual property rights, or otherwise unlawful to process.
  4. It will respond to data subject requests within the statutory time limits and will use the data export and erasure tools the Processor provides for that purpose.

7. Technical and organisational measures (Annex I)

The Processor maintains the following technical and organisational measures, aligned with ISO/IEC 27001:2022:

  • Encryption — TLS 1.2+ in transit (HTTPS everywhere with HSTS preload). AES-256 at rest in the database and file storage.
  • Access control — role-based access with least-privilege defaults; row-level security in the database; multi-factor authentication for all administrators; explicit per-feature permissions for Controller staff.
  • Network — segmented production environment; no direct database access from the public internet; private connections to sub-processors where supported.
  • Application security — restrictive Content Security Policy, secure cookie flags, CSRF protection on state-changing endpoints, signed webhook verification, HMAC-token gated client-side actions, input length and type validation.
  • Audit logging — every data-changing action by an administrator is recorded in an append-only audit log retained for 2 years.
  • Backup — daily encrypted backups with point-in-time recovery; backups encrypted at rest with rotation aligned to the relevant retention period.
  • Incident response — documented response process, on-call coverage, and 72-hour Controller notification SLA for personal data breaches.
  • Personnel — written confidentiality undertakings; security training; background checks for personnel with production access.
  • Vendor management — sub-processors are assessed for SOC 2 / ISO 27001 / ISAE 3402 attestations and bound by their own DPAs.

8. Sub-processors (Annex II)

The Controller authorises the Processor to engage the sub-processors listed at glassbook.co.uk/subprocessors. The Processor will:

  • Maintain a written contract with each sub-processor that imposes substantially the same data protection obligations as set out in this DPA.
  • Notify the Controller in writing (via email to the account owner and the public sub-processor list) at least 30 days in advance of any intended addition or replacement of a sub-processor, giving the Controller the opportunity to object.
  • Remain fully liable to the Controller for the performance of any sub-processor’s obligations.

9. International transfers

The Processor primarily stores personal data in the United Kingdom (London). Where a sub-processor is located outside the United Kingdom, transfers are protected by the UK Addendum to the EU Standard Contractual Clauses (or an equivalent transfer mechanism recognised under UK law). The Processor will not transfer personal data to a third country without an appropriate safeguard in place.

10. Audits

The Processor will respond within a reasonable time to written audit questionnaires from the Controller. The Processor reserves the right to provide existing third-party attestations (such as SOC 2 reports from sub-processors and the Processor’s own ISO 27001 alignment statement) in lieu of an on-site audit, except where an on-site audit is required by a Supervisory Authority.

11. Liability and law

This DPA is subject to the limitation of liability provisions of the Terms of Service. It is governed by the laws of England and Wales and the courts of England and Wales have exclusive jurisdiction over any dispute arising from it.

12. Contact

For any question relating to this DPA, including breach notifications, data subject access requests forwarded to us or audit questions, please contact hello@glassbook.co.uk.

Hamr Ltd