Last updated: May 15, 2026

Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the Grafa Terms & Conditions between Grafa ("Processor") and the customer ("Controller") who uses Grafa to collect and manage personal data of their own clients ("Data Subjects"). It applies whenever the GDPR, UK GDPR, or comparable data protection law applies to that processing.

1. Roles & scope

Controller determines the purposes and means of processing personal data submitted through Grafa (e.g. client briefs, contact details, deposits). Processor processes that personal data only on Controller's documented instructions, which include the Terms, this DPA, and any settings configured in the Service.

2. Categories of data & subjects

  • Subjects: Controller's prospective and actual clients, and other individuals whose data Controller submits to the Service.
  • Data: identification and contact data, project briefs and attachments (including images), booking and appointment details, payment metadata, and any free-text fields the Controller chooses to collect.

3. Processor obligations

  • Process personal data only on documented instructions from Controller.
  • Ensure persons authorised to process the data are bound by confidentiality.
  • Implement appropriate technical and organisational security measures, including encryption in transit, access controls, and least-privilege admin access.
  • Assist Controller in responding to Data Subject requests and in meeting its obligations under Articles 32–36 GDPR.
  • Notify Controller without undue delay after becoming aware of a personal data breach.

4. Sub-processors

Controller authorises Grafa to engage the following sub-processors to deliver the Service. We will give reasonable notice of any new sub-processor and allow Controller to object on reasonable grounds.

  • Supabase — database, authentication, file storage (EU region available).
  • Stripe — payment processing for deposits and subscriptions.
  • Cloudflare — content delivery and edge runtime.
  • Resend / Postmark — transactional email delivery.

5. International transfers

Where personal data is transferred outside the EEA or UK, the parties rely on the EU Standard Contractual Clauses (Module Two: Controller to Processor) and the UK International Data Transfer Addendum, incorporated by reference, together with appropriate supplementary measures.

6. Data subject rights

Grafa provides Controller with self-service tools in the dashboard to access, export, correct, and delete client records. Where Controller cannot resolve a Data Subject request through the Service, Grafa will provide reasonable assistance.

7. Return & deletion

On termination of the Service, Controller may export personal data from the Service for 30 days. Once that export window ends, Grafa will delete or anonymise the personal data within a further 90 days, except where retention is required by law.

8. Audits

Grafa will make available, on reasonable written request, information necessary to demonstrate compliance with this DPA, including third-party audit reports (e.g. the current SOC 2 reports of our infrastructure providers).

9. Contact

Privacy and DPA questions: privacy@grafa.co.

See also our Privacy Policy and Terms.