Data Processing Agreement

Last updated · May 2026

This Data Processing Agreement (the “DPA”) forms part of the Studio Master Services Agreement between Pelagio Inc. (“Pelagio”, processor) and the Studio (controller) for any processing of personal data of End Users of the Studio.

1. Roles and applicability

For personal data of End Users (a Studio’s customers) submitted to the Service, the Studio is the controller and Pelagio is the processor. For Studio account-holder data, Pelagio is the controller and processes such data under its Privacy Policy. This DPA applies to processing subject to the EU General Data Protection Regulation, the UK GDPR, the Swiss FADP, the CCPA/CPRA, and analogous laws.

2. Processing details — Annex I (subject matter and duration)

  • Subject matter: provision of the Service to the Studio, including class booking, payment acceptance, communications, and analytics.
  • Duration: for the term of the MSA and the retention periods set out in Pelagio’s Privacy Policy.
  • Nature of the processing: hosting, transmission, structuring, deletion, and other operations necessary to provide the Service.
  • Purpose: to enable the Studio to manage its business, accept payments, and communicate with End Users.
  • Categories of data subjects: the Studio’s End Users and staff.
  • Categories of personal data: identifiers (name, email, phone), commercial information (bookings, packages), payment identifiers (tokenized via Finix), and communications metadata.
  • Sensitive data: none intentionally processed; Studios must not upload sensitive special-category data.
  • Frequency: continuous, in real time, for the life of the account.

3. Pelagio obligations

  • Process personal data only on documented instructions from the Studio, including those set out in the MSA and this DPA.
  • Ensure personnel authorized to process personal data are under appropriate confidentiality obligations.
  • Implement and maintain the technical and organizational measures set out in Annex II.
  • Engage sub-processors only under written agreements imposing data-protection obligations no less protective than this DPA, and notify the Studio at least 30 days before adding or replacing sub-processors.
  • Assist the Studio with data-subject requests, security and breach obligations, and impact assessments where reasonably required.
  • Delete or return personal data after the end of the MSA in accordance with the Privacy Policy retention schedule.
  • Make available information necessary to demonstrate compliance and allow for and contribute to audits as set out below.

4. Sub-processors — Annex III

Pelagio’s current sub-processors are listed on the public Subprocessors page. The Studio is deemed to have authorized them on signature of this DPA. Pelagio will give at least 30 days’ notice of any addition or replacement on the same page; the Studio may object on reasonable data-protection grounds and, if the parties cannot agree, terminate the affected portion of the MSA without penalty for the unused portion of the term.

5. International transfers

Where personal data is transferred from the EU/EEA, the UK, or Switzerland to a country not recognized as providing an adequate level of protection, the parties incorporate the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914), Module Two (controller-to-processor), along with the UK International Data Transfer Addendum and Swiss equivalents where applicable. Onward transfers to sub-processors are covered by Module Three (processor-to-processor) where required.

6. Technical and organizational measures — Annex II

  • Encryption of personal data in transit (TLS 1.2+) and at rest.
  • Role-based access control and least-privilege principles for production data.
  • Multi-factor authentication for all employee access to administrative systems.
  • Audit logging of access to personal data with retention sufficient for incident investigation.
  • Secure development practices, including code review, dependency scanning, and vulnerability remediation.
  • Regular backups and tested restoration procedures.
  • Documented incident-response plan with 72-hour breach-notification target where required by law.
  • Personnel onboarding, training, and offboarding with revocation of access.
  • Vendor risk review for all sub-processors before onboarding.

7. Personal data breach

Pelagio will notify the Studio without undue delay, and in any event within 72 hours of becoming aware, of any personal data breach affecting the Studio’s End User data. The notification will describe the nature of the breach, the categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed.

8. Audits

On at least 30 days’ prior written notice, no more than once per year, the Studio (or an independent auditor it appoints, subject to a confidentiality agreement) may audit Pelagio’s compliance with this DPA. To minimize disruption, Pelagio may satisfy audit requests by making available documentation of its security measures and, where and when available, an independent third-party security report (such as SOC 2) covering the requested scope.

9. Liability

Each party’s liability under this DPA is subject to the limitation-of-liability provisions in the MSA. Nothing in this DPA limits either party’s liability where it cannot be limited by applicable law.

10. Order of precedence

In the event of conflict between the MSA and this DPA on a data-protection matter, this DPA controls. In the event of conflict between this DPA and the EU Standard Contractual Clauses, the SCCs control.

11. Contact

Pelagio Inc., privacy@pelagioapp.com.

We use cookies and similar technologies to run this site and, with your consent, to measure how it is used and to support marketing. You can choose which categories to allow. Privacy Policy