Data Processing Addendum

This DPA explains how Enplace processes personal data on behalf of workspace customers under GDPR requirements.

1. Controller vs Processor

Workspace customers (Restaurant Owners/Groups) act as data controllers for their team data. Enplace acts as a data processor.

2. Sub-processors

Enplace utilizes specialized sub-processors to provide infrastructure and platform services. All sub-processors are bound by data protection agreements that ensure at least the same level of data protection as this DPA.

• Supabase: Database and Storage infrastructure.
• Vercel: Web application hosting and Edge Network.
• Clerk: Authentication and Identity Management.
• Stripe: Payment processing and billing infrastructure.
• PostHog: Product analytics and usage tracking.
• Sentry: Error monitoring and performance tracking.

3. Technical and Organizational Measures

We implement measures including:

• Row Level Security (RLS) for strict tenant isolation.
• Encryption of data in transit (TLS) and at rest (AES-256).
• Audit logging for sensitive events.
• Regular access reviews and least-privilege principles.

4. Data Deletion

Upon termination, Enplace deletes or returns personal data according to customer instructions, subject to statutory retention requirements for financial and security records.

5. Contact

DPA requests can be sent to legal@enplace.net.