F9.contact

Data Processing Agreement

Version: 1.0 · Effective date: 2026-06-03

DRAFT — pending legal-counsel review. This Data Processing Agreement describes F9.contact's intended Art. 28 GDPR commitments. It has not yet been finalised by legal counsel and must not be relied upon as a definitive legal instrument. The version above is kept in sync with the version recorded at the point of acceptance during business registration.

1. Roles

This agreement is entered into between the business customer ("Controller") and F9.contact ("Processor"). The Controller determines the purposes and means of processing the personal data of its own clients and staff; the Processor processes that personal data only on the Controller's documented instructions, as set out in this agreement and the platform's configuration.

2. Subject matter and duration

The Processor processes personal data on behalf of the Controller for the duration of the subscription and any post-termination retention period, solely to deliver the F9.contact service.

3. Nature and purpose of processing

Processing comprises the storage, organisation, retrieval, transmission and erasure of personal data through booking, client-records, scheduling, point-of-sale and compliance features.

4. Categories of data and data subjects

  • Data subjects: the Controller's clients, staff and workers.
  • Categories: contact details, appointment and transaction history, preferences, optional profile photos and, where the Controller uses clinical features, intake-questionnaire answers that may include special-category health data.

5. Controller and processor obligations

The Controller is responsible for the lawfulness of the data it enters and for having a valid lawful basis for processing. The Processor will process only on documented instructions, ensure persons authorised to process are bound by confidentiality, and assist the Controller in meeting its obligations under Articles 32 to 36.

6. Technical and organisational measures (Art. 32)

The Processor implements measures appropriate to the risk, including:

  • AES-256-GCM envelope encryption of personal data at rest, with a per-record Data Encryption Key wrapped by a Key Encryption Key.
  • A three-tier key hierarchy that isolates business-contact, staff and customer data under separate keys, so that the customer-data key is independent of the keys used for tenant-level data.
  • Keyed-hash lookup of searchable identifiers such as email, so plaintext identifiers are never stored.
  • Per-business data isolation, EU-sovereign hosting, append-only audit logging of access, and signed, time-limited URLs for media.

7. Sub-processing

The Processor may engage sub-processors for infrastructure, storage, email delivery and payment processing. Sub-processors are bound by equivalent data-protection obligations and selected for EU data residency where personal data is involved. The Processor maintains a current list of sub-processors and will inform the Controller of intended changes, giving the Controller the opportunity to object.

8. Assisting with data-subject rights

The platform provides self-service tooling that helps the Controller meet data-subject requests, including data portability (Art. 20) through asynchronous export archives and erasure (Art. 17) through cryptographic destruction of the relevant Data Encryption Key.

9. Personal-data breaches

The Processor will notify the Controller without undue delay after becoming aware of a personal-data breach affecting the Controller's data, and will provide the information the Controller needs to meet its own notification obligations.

10. Return and deletion

On termination, and subject to statutory retention obligations such as Croatian fiscal-record law, the Processor will delete personal data through the platform's retention process. Erasure is performed cryptographically: the relevant Data Encryption Key is destroyed, rendering personal data irrecoverable while legally required structural records are preserved without readable personal content.

11. Audits

The Processor will make available the information necessary to demonstrate compliance with this agreement and will contribute to audits conducted by the Controller or an auditor mandated by the Controller, subject to reasonable confidentiality and security safeguards.

12. Effect

This agreement forms part of the Terms of Service. In the event of conflict on data-protection matters, this agreement prevails.