Data Processing Agreement
Last updated: May 2026
This Data Processing Agreement ("DPA") forms part of the agreement between you ("Controller", "Studio") and Belle ("Processor") for the use of the Belle platform, pursuant to Article 28 of the GDPR.
1. Scope of Processing
Subject matter: Provision of appointment management, client communication, and booking services.
Duration: For the term of the Studio's subscription, plus the 30-day deletion grace period.
Nature and purpose: Storage, retrieval, and processing of personal data for appointment booking, automated notifications, and studio management.
Categories of data subjects: Studio clients (individuals booking appointments), studio staff.
Types of personal data: Name, phone number, email address, appointment history, birthday (optional).
2. Processor Obligations (Art. 28(3))
2.1 Documented Instructions
The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers to third countries, unless required by law.
2.2 Confidentiality
The Processor ensures that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
2.3 Security Measures (Art. 32)
The Processor implements appropriate technical and organizational measures including:
- Argon2id password hashing (64 MB memory cost)
- TLS 1.3 for all data in transit
- Row-level security isolating each studio's data at the database level
- JWT authentication with short-lived tokens and rotating refresh tokens
- Strict Content Security Policy and rate limiting
- Audit logging of all data modifications
2.4 Sub-processors
The Controller provides general written authorization for the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes and provide the opportunity to object. Current sub-processors:
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Railway | Hosting, PostgreSQL, Redis | EU | EU data residency |
| Cloudflare | CDN, DNS, R2 object storage | Global | Standard Contractual Clauses |
| Resend | Transactional email delivery | US | Standard Contractual Clauses |
| Twilio | SMS and WhatsApp delivery | US | Standard Contractual Clauses |
Each sub-processor is bound by data protection obligations equivalent to those in this DPA.
2.5 Data Subject Rights
The Processor assists the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) by providing:
- Client data export (JSON format) from the dashboard
- Client anonymization (when erasure is requested but records must be retained)
- Full tenant data export for studio owners
2.6 Security and Breach Assistance
The Processor assists the Controller with obligations under Articles 32-36, including breach notification. The Processor notifies the Controller without undue delay after becoming aware of a personal data breach.
2.7 Deletion and Return
Upon termination of the service, the Processor deletes all personal data within 30 days (the deletion grace period), unless retention is required by law. The Controller may export all data before initiating deletion.
2.8 Audit
The Processor makes available to the Controller all information necessary to demonstrate compliance with Article 28 and allows for audits conducted by the Controller or an authorized auditor. The Processor shall immediately inform the Controller if an instruction infringes GDPR.
3. Controller Obligations
- Ensure a valid legal basis exists for all processing
- Obtain necessary consents from data subjects where required
- Provide processing instructions that comply with GDPR
- Inform the Processor of any data protection impact assessment requirements
4. Governing Law
This DPA is governed by the laws of Portugal and the GDPR. The competent supervisory authority is the CNPD (Comissao Nacional de Protecao de Dados).