Template — review with counsel before publishing. These documents are a starting point that covers common SaaS / commerce requirements (Stripe Connect platform, GDPR/CCPA basics). Have a lawyer tailor them to your entity, jurisdiction, and product before going live.

Data Processing Agreement

Effective 2026-05-17

This Data Processing Agreement (“DPA”) supplements the Terms of Service between you (“Controller”) and Preview Coffee Co. (“Processor”) and applies where the Processor processes Personal Data on behalf of the Controller in connection with the Service.

1. Definitions

Capitalized terms have the meanings given in Regulation (EU) 2016/679 (“GDPR”) and the UK GDPR. “Personal Data”, “Processing”, “Data Subject”, “Subprocessor”, “Personal Data Breach”, and “Supervisory Authority” have those statutory meanings.

2. Subject matter and duration

Subject matter: processing of Personal Data necessary to provide the Service. Duration: for the term of the Terms and any wind-down period. Nature: hosting, transmission, transformation, analysis, and display. Purpose: operating the storefront, processing orders, communicating with shoppers, providing AI-assisted authoring.

3. Categories of data

  • Shoppers: identifiers (name, email, phone), shipping/billing address, order history, browser/device info, IP.
  • Staff: name, email, role, audit-log entries.
  • Marketing contacts: email, consent state, opt-in source.

No special-category data is intended to be processed.

4. Processor obligations

  • Process only on documented instructions from Controller.
  • Ensure persons authorized to process are bound by confidentiality.
  • Implement appropriate technical and organizational measures (Annex 1).
  • Assist Controller in responding to Data Subject requests within reasonable timeframes.
  • Assist with Data Protection Impact Assessments and consultations with Supervisory Authorities.
  • Notify Controller without undue delay (within 72 hours) of a Personal Data Breach.
  • Delete or return Personal Data on termination, subject to legal retention.
  • Make available the information necessary to demonstrate compliance.

5. Subprocessors

Controller authorizes the following Subprocessors:

  • Stripe, Inc. — payment processing (US).
  • Resend — transactional email (US).
  • Cloudflare / Vercel — hosting, CDN, edge compute (US/global).
  • Anthropic, PBC — AI inference for authoring (US).
  • Google LLC — AI inference for image generation (US/global).
  • Sentry — error monitoring (US/EU).

Processor will give Controller 30 days' notice before adding or replacing a Subprocessor. Controller may object on reasonable data-protection grounds; if the parties cannot resolve the objection, Controller may terminate the Service.

6. International transfers

Where Personal Data is transferred outside the EEA/UK to a country without an adequacy decision, the parties incorporate the European Commission's Standard Contractual Clauses (Module 2: Controller-to-Processor) and the UK International Data Transfer Addendum into this DPA.

7. Liability

The parties' liability under this DPA is subject to the limitations in the Terms.

Annex 1 — Technical and organizational measures

  • TLS 1.2+ for data in transit; AES-256 at rest for sensitive fields.
  • Role-based access control; least-privilege defaults; periodic access reviews.
  • Audit logging of admin-side mutations; centralized log retention.
  • Cardholder data processed under SAQ-A scope (hosted Stripe Elements).
  • Regular dependency vulnerability scanning and patching.
  • Backups encrypted and retained no longer than 90 days.
  • Incident response plan with 72-hour notification window.
  • Staff onboarding and annual security training.

Annex 2 — Subprocessor list

See §5.