Data Processing Agreement (DPA)
As of: March 2026 | Version 1.0
This Data Processing Agreement (DPA) pursuant to Art. 28 GDPR is entered into between Unicorn Factory Media GmbH, In der Kolling 146, 66450 Bexbach, Germany ("Data Processor") and the studio operator using the Bookicorn platform ("Controller").
§ 1 Subject and Duration
The Data Processor provides the SaaS platform "Bookicorn" for managing course bookings, customer data, and payment transactions. Processing occurs for the duration of the usage agreement (T&Cs). This DPA ends with the main contract.
§ 2 Nature, Purpose and Scope
The Data Processor processes the following data categories on behalf of the Controller:
- Master data: Name, email, phone of the studio's end customers
- Booking data: booked courses, appointments, cancellations, booking history
- Payment data: transaction IDs, payment status (no full card data)
- Access data: password hashes (bcrypt, see § 6), session tokens
- Communication data: emails, chat messages
- Technical data: IP addresses, browser information
Data subjects: end customers of the studio, trainers, studio operators.
§ 3 Obligations of the Data Processor
The Data Processor undertakes to:
- Process data only on documented instructions of the Controller
- Ensure confidentiality obligations for all involved persons
- Implement appropriate technical and organizational measures (TOMs) per Art. 32 GDPR
- Support the Controller in fulfilling data subject rights
- Notify data breaches immediately per Art. 33 GDPR
- Delete all data after contract end (except legal retention obligations)
Processing specifically includes: storage and management of end customer data in the database, processing of booking and payment transactions, sending email notifications on behalf of the studio, provision of the chat system for communication, generation of invoices and payout reports, technical support and troubleshooting.
Access to the Controller's personal data is restricted to those employees and agents of the Data Processor who require such access to fulfill their contractual obligations. A list of authorized persons shall be provided upon request.
§ 4 Obligations of the Controller
The Controller is solely responsible for: the lawfulness of processing end customer data, compliance with data protection law towards end customers, all content, courses, prices, and service delivery.
§ 5 Controller's Right to Issue Instructions
The Data Processor processes personal data exclusively on documented instructions of the Controller pursuant to Art. 28 para. 3 lit. a GDPR. Verbal instructions must be confirmed in writing (text form via email is sufficient) without delay. If the Data Processor considers an instruction to be unlawful, it shall notify the Controller immediately and is entitled to suspend implementation of the instruction until clarified.
§ 6 Technical and Organizational Measures (TOMs)
- Encryption: TLS/HTTPS for all transfers
- Access control: Row Level Security (RLS), role-based permissions
- EU data storage: Database server AWS eu-central-1 Frankfurt
- Backup: Automatic daily backups
- Password protection: Passwords stored exclusively as bcrypt hashes, never in plaintext
- Monitoring: Real-time monitoring of security-relevant events
- Pseudonymization: Where technically feasible, personal data is processed in pseudonymized form
- Input control: Logging of all data access and modifications via audit logs
- Processing control: Processing only in accordance with documented instructions of the Controller
- Availability control: Redundant data storage, automatic failover mechanisms
- Separation requirement: Logical separation of data from different studios (multi-tenant architecture with Row Level Security)
§ 7 Sub-processors
The Controller consents to the use of the following sub-processors. Changes will be communicated at least 30 days in advance. Where sub-processors are located in third countries outside the EEA, data transfers are based on Standard Contractual Clauses (SCCs) pursuant to Art. 46 para. 2 lit. c GDPR or an equivalent adequacy decision by the EU Commission.
| Company | Location | Purpose |
|---|---|---|
| Supabase Inc. | San Francisco, USA (data on AWS EU-Central-1, Frankfurt) | Database, authentication, real-time sync |
| Vercel Inc. | 340 Pine Street, San Francisco, CA 94104, USA | Hosting, CDN, serverless functions |
| Stripe Payments Europe, Ltd. | 1 Grand Canal Street Lower, Dublin 2, Ireland | Payment processing, subscriptions |
| All-Inkl.COM Neue Medien Münnich | Hauptstraße 68, 02742 Friedersdorf, Germany | Email sending (SMTP) |
| Amazon Web Services (AWS) | Amazon Web Services EMEA SARL, Luxembourg | Cloud infrastructure (via Supabase), EU-Central-1 Frankfurt |
| Slack Technologies LLC | 500 Howard Street, San Francisco, CA 94105, USA | Internal team communication and support handling |
§ 8 Data Subject Rights
The Data Processor supports the Controller in fulfilling requests for access, rectification, erasure, restriction, data portability, and objection pursuant to Art. 15–22 GDPR. Contact: hey@bookicorn.net. After contract end: data deletion within 30 days; data export available on request beforehand.
§ 9 Controller's Right to Audit
The Controller has the right to verify the Data Processor's compliance with this DPA and the GDPR. Audits may be conducted through document requests, questionnaires, or – with prior reasonable notice – on-site inspections. The Data Processor shall provide all information necessary to demonstrate compliance with this agreement and shall enable and support audits pursuant to Art. 28 para. 3 lit. h GDPR.
§ 10 Reporting of Data Breaches
Upon becoming aware of a personal data breach, the Data Processor shall notify the Controller without undue delay, and where feasible, no later than 72 hours after becoming aware of the breach. The notification shall include: the nature of the breach, the categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed to address the breach. Where information cannot be provided simultaneously, it may be provided in phases.
§ 11 Confidentiality
The Data Processor shall ensure that all persons authorized to process personal data have committed themselves to confidentiality and have access only to the data necessary for their respective tasks (need-to-know principle). This obligation continues beyond the end of the contractual relationship.
§ 12 Liability
Each party shall be liable to data subjects for damages caused by non-GDPR-compliant processing in accordance with Art. 82 GDPR. As between the parties, liability shall be apportioned according to each party's responsibility for the damage. The Data Processor shall only be liable where it has failed to comply with its explicit obligations under this DPA or the GDPR. The Data Processor's liability is limited to the annual contract value of usage fees, to the extent permitted by law.
§ 13 Final Provisions
- Form: Amendments to this DPA require text form (email is sufficient).
- Severability: If any provision of this DPA is or becomes invalid, this shall not affect the validity of the remaining provisions. The parties shall replace the invalid provision with a valid regulation that most closely reflects the economic purpose of the invalid provision.
- Governing Law: This DPA is governed by the laws of the Federal Republic of Germany. Jurisdiction is, to the extent permitted by law, Bexbach, Germany.
- Order of Precedence: In the event of conflict between this DPA and the main contract (T&Cs), this DPA shall prevail in matters of data protection.
§ 14 Contact
Unicorn Factory Media GmbH
In der Kolling 146, 66450 Bexbach, Germany
hey@bookicorn.net