Data Processing Agreement (DPA)

Last updated: September 23, 2025

This Data Processing Agreement (“DPA”) is made between:

  • Solt Studio KFT, a company incorporated in Hungary, registered at 2143 Kistarcsa, Tulipán street 8, company registration number [13-09-240823], EU VAT number [HU32826339], acting as Data Processor (“Supaframe”),

  • and the Customer (the “Controller”),

together the “Parties”.

1. Definitions
  • Applicable Data Protection Laws means all laws and regulations related to the processing of personal data applicable to you and Supaframe (e.g. EU GDPR, UK GDPR).

  • Personal Data means any information relating to an identified or identifiable natural person collected through the Supaframe service.

  • Processing means any operation or set of operations performed on Personal Data, including collection, storage, retrieval, use, transfer, deletion.

  • Subprocessor means any third party appointed by Supaframe to process Personal Data on behalf of the Controller.

2. Role of the Parties
  • Supaframe acts as Data Processor for those Customers who are under GDPR jurisdiction.

  • The Customer acts as the Data Controller: you determine what data to collect, for what purpose, and how long to store it.

3. Subject, Nature, Purpose and Scope of Processing

Supaframe will process Personal Data to provide, maintain, secure, and support the service, including but not limited to: hosting components, storing submissions/bookings, authentication, calendar integrations, user account management.

Processing will be done under Customer’s documented instructions (e.g. which integrations are enabled).

Where Customer enables Google Calendar integration, Supaframe processes booking details and the invitee’s email address for the purpose of creating calendar events in the Customer’s designated Google Calendar. If enabled, Supaframe also facilitates the creation of a Google Meet link associated with the event.

The scope includes the categories of data subject (e.g. your end users / site visitors) and categories of Personal Data you collect (e.g. name, email, form / booking responses, optional Google data if integrations used).

4. Subprocessors
  • Supaframe uses subprocessors to deliver parts of the service. Current subprocessors include:

    • Supabase (database, authentication)

    • Polar.sh (merchant of record / payments)

    • Google (authentication, calendar integration), where you enable such integrations

  • Supaframe ensures written agreements with each subprocessor that impose data protection obligations at least as protective as those in this DPA.

  • If any new subprocessor is added or a change occurs, Supaframe will provide notice. If Customer objects reasonably, Supaframe will work in good faith to find a solution.

5. International Transfers of Data
  • If Personal Data is transferred outside the EU/EEA/UK, Supaframe will use appropriate safeguards, such as Standard Contractual Clauses (SCCs) or other legally acceptable mechanisms.

6. Security Measures
  • Supaframe maintains technical and organizational measures to protect Personal Data, proportionate to risk.

  • Measures include (but are not limited to): encryption in transit, secure storage via Supabase, access controls, authentication protections.

  • Any optional integrations (e.g. Google) rely on secure OAuth, etc., as is standard.

7. Data Subject Rights & Assistance
  • Supaframe will assist you in fulfilling obligations under GDPR: access, correction, deletion, objection, portability, etc.

  • If a Data Subject submits a request directly to Supaframe, Supaframe will notify Customer and follow Customer’s instructions (except where law requires otherwise).

8. Deletion & Return of Data
  • Upon termination or deletion of your account, Supaframe will permanently delete all Personal Data stored in our Supabase database, unless retention is required by law or handled by external providers (e.g. payment data retained by Polar).

  • Supaframe will not keep backup copies beyond what is necessary for operations; any such copies will then be removed / anonymized.

9. Audit & Compliance
  • Upon reasonable notice, Supaframe shall provide information reasonably necessary to demonstrate compliance with this DPA.

  • Customer may request evidence or documentation of technical / organizational safeguards.

10. Legal Basis & Controller Responsibilities
  • As Controller, you are responsible for ensuring that your collection of Personal Data is lawful and transparent, and that you have a legal basis (e.g. contract, consent, legitimate interest) for each type of processing.

  • You are also responsible for obtaining any required consents, especially for special categories of data or optional integrations.

11. Duration
  • This DPA is in effect as long as you use Supaframe services and for as long as Personal Data is processed under this agreement.

  • Termination of services or deletion of account triggers Section 8 (Deletion & Return).

12. Miscellaneous
  • This DPA forms part of the Terms and Conditions / Privacy Policy by reference.

  • In case of conflict between this DPA and other Supaframe documents, the DPA provisions regarding GDPR obligations prevail to the extent required by law.
