Data Processing Agreement (DPA)

Last updated: 30 May 2026. Placeholder for beta; executed DPA available on request for enterprise customers.

1. Parties

The Customer (data controller) engages Verlox Ltd, trading as TuinApp (data processor), to process personal data on the Customer's instructions via the TuinApp platform.

2. Subject matter and duration

Processing covers workforce, client, and operational personal data stored in the Customer's tenant for the term of the subscription and any retention period stated in the privacy policy.

3. Processor obligations

• Process only on documented instructions from the Customer
• Ensure confidentiality of personnel with access
• Implement appropriate technical and organisational measures (encryption at rest for PII fields, tenant isolation, audit logging)
• Assist with data subject requests and DPIAs where reasonable
• Notify the Customer without undue delay of personal data breaches

4. Sub-processors

We use vetted sub-processors including cloud hosting (EU/UK regions), Stripe (billing), Resend (email), and AI providers where Carina features are enabled. An up-to-date list is available on request.

5. International transfers

Where transfers outside the UK occur, we rely on UK IDTA or EU SCCs as appropriate.

6. Request a signed copy

Email [email protected] for a countersigned DPA.