Data Processing Agreement
Last updated: 26 June 2026
This Data Processing Agreement ("DPA") forms part of the agreement between you ("Controller") and WhenTap (operated as a sole proprietorship in the Netherlands) ("Processor", "we", "us") regarding the use of WhenTap ("Service").
1. Definitions
Terms used in this DPA have the meanings given in the EU General Data Protection Regulation (GDPR) 2016/679.
2. Subject and duration
| Item | Detail |
|---|---|
| Subject matter | Processing of Personal Data by Processor on behalf of Controller in connection with the Service. |
| Duration | For as long as the Service is provided to Controller, plus any post-termination retention period required by law. |
| Nature and purpose | Scheduling and booking management for Webflow sites: storing OAuth tokens, reading CMS content, computing availability, syncing calendars, and processing bookings on behalf of the Controller. |
| Processing activities | Storing OAuth tokens, reading Webflow CMS content, syncing Google and Microsoft calendars, sending transactional email and SMS, and processing payments via Stripe. |
| Categories of Data Subjects | Controller's authorized users, Controller's customers (if applicable). |
| Categories of Personal Data | Name and email of Controller; names, emails, timezones, and booking details of the Controller's end customers. |
3. Processor obligations
Processor agrees to:
- Process Personal Data only on documented instructions from Controller (including those in these Terms and this DPA).
- Ensure persons authorized to process Personal Data are bound by confidentiality.
- Implement appropriate technical and organizational measures (see Section 6).
- Assist Controller in responding to Data Subject requests.
- Notify Controller without undue delay (within 72 hours) of a Personal Data breach.
- Delete or return all Personal Data after the end of the provision of Services.
- Make available all information necessary to demonstrate compliance with GDPR Art. 28.
4. Sub-processors
Controller authorizes Processor to engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | VPS hosting | EU (Germany or Finland) |
| Cloudflare, Inc. | DNS, email routing, edge cache | Global (data at rest in EU) |
| Resend, Inc. | Transactional email | EU region selected, with EU adequacy mechanism |
| Stripe Payments Europe Ltd. | Payment processing | EU (Ireland) |
| Webflow, Inc. | Source of data Processor processes on Controller's behalf | US, with EU adequacy mechanism |
| Webflow, Google, Microsoft, Stripe, Twilio, Resend, Hetzner | CMS sync, calendars, payments, email and SMS, hosting | EU / US |
Processor will notify Controller of any intended changes concerning the addition or replacement of sub-processors, giving Controller the opportunity to object within 30 days.
5. International transfers
Where Personal Data is transferred outside the EEA, Processor relies on:
- EU Commission adequacy decisions where applicable
- Standard Contractual Clauses (SCCs) for transfers to third countries
- Supplementary measures (encryption in transit and at rest) as recommended by EDPB guidance
6. Technical and organizational measures
Processor implements:
- AES-256-GCM encryption for stored OAuth tokens and other sensitive secrets
- HTTPS-only connections for all data in transit
- SSH key-based access to production infrastructure with multi-factor authentication
- Logical separation of customer data via row-level access controls
- Database backups encrypted at rest, retained 30 days
- Audit logging of administrative actions
- Annual review of access permissions
- Incident response plan with 72-hour breach notification commitment
7. Data Subject rights
Processor assists Controller in responding to Data Subject requests for access, rectification, erasure, restriction, portability, and objection. Controller can self-serve most requests via the Service:
- Data export: one-click JSON download from the Account dialog
- Account deletion: one-click from the Account dialog, processed within 30 days
For requests Controller cannot self-serve, email dpa@whentap.com.
8. Audits
Controller may, no more than once per 12 months and with 30 days' written notice, audit Processor's compliance with this DPA. Processor will respond to reasonable written audit questionnaires (e.g., SIG-Lite) within 30 days.
9. Termination
This DPA terminates automatically when the Terms terminate or when Processor ceases processing Personal Data on Controller's behalf, whichever is later.
10. Governing law
Dutch law governs this DPA. Disputes are subject to the competent court in the Netherlands.
Contact
For DPA signature requests, sub-processor questions, and Article 17 deletion requests: dpa@whentap.com
For everything else: hello@whentap.com