FarontoBeta
â–¾

Data Processing Agreement

Article 28 GDPR addendum between you (the coach as controller) and Tairi B.V. (Faronto, as processor).

Effective: May 21, 2026 · Last updated: May 24, 2026

This Data Processing Agreement (the "DPA") forms part of the Terms of Use between Tairi B.V. ("Processor", "Faronto") and the customer of Faronto ("Controller", "Coach") and applies whenever the Processor processes personal data of Coachees on behalf of the Controller in connection with the Service.

This DPA gives effect to Article 28 of Regulation (EU) 2016/679 (the "GDPR"). Where this DPA conflicts with the Terms of Use, this DPA prevails for matters concerning the processing of personal data.

By accepting the Terms of Use, the Controller is also deemed to have accepted this DPA. No separate signature is required.

1. Definitions

Capitalised terms not defined in this DPA have the meaning given in the Terms of Use or the GDPR. In particular:

  • Personal Data: any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller under the Terms of Use.
  • Data Subject: a natural person to whom Personal Data relates, in particular a Coachee.
  • Sub-processor: a third party engaged by the Processor that processes Personal Data on the Processor's behalf.
  • Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.

2. Subject matter, duration and nature of processing

  1. Subject matter. The Processor processes Personal Data to provide the Service to the Controller, as set out in the Terms of Use.
  2. Duration. Processing continues for as long as the Controller uses the Service, plus any post-termination retention period agreed below.
  3. Nature and purpose. Processing consists of the operations described in Annex 1 and is carried out solely to provide the Service.
  4. Categories of Data Subjects and Personal Data. See Annex 1.

3. Roles and instructions

  1. The Controller is the controller of Personal Data and the Processor is the processor, as those terms are defined in the GDPR.
  2. The Processor will process Personal Data only on the documented instructions of the Controller, including with regard to transfers to third countries, unless required to do otherwise by Union or Member State law to which the Processor is subject. In that case, the Processor will inform the Controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest.
  3. The Controller's instructions are set out in the Terms of Use, this DPA, the Documentation and the configuration choices the Controller makes inside the Service. The Controller may give additional reasonable written instructions consistent with the Service.
  4. If the Processor believes an instruction infringes the GDPR or other applicable data protection law, it will inform the Controller without delay.
  5. The Controller is responsible for ensuring it has a valid legal basis for the processing it instructs the Processor to perform, including, where applicable, obtaining explicit consent under Article 9(2)(a) GDPR for special category data.

4. Confidentiality

The Processor will ensure that any person authorised to process Personal Data is bound by an obligation of confidentiality, whether by contract or by statutory duty.

5. Security of processing

  1. Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risks to the rights and freedoms of natural persons, the Processor will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
  2. The current measures are described in Annex 3. The Processor may update them from time to time, provided the level of security is not materially reduced.

6. Sub-processors

  1. The Controller hereby grants the Processor general authorisation to engage Sub-processors. The current list of authorised Sub-processors is set out in Annex 2.
  2. Where the Processor engages a new Sub-processor or replaces an existing one, it will inform the Controller at least 30 days in advance, by email or by in-product notice. The Controller may object on reasonable grounds related to data protection.
  3. If the Controller objects within 30 days of being informed, the parties will discuss in good faith. If the parties cannot agree on a solution, the Controller may, as its sole remedy, terminate the affected portion of the Service for convenience by giving written notice. Termination of the affected portion does not entitle the Controller to a refund of Fees already paid for periods before termination.
  4. The Processor will impose on each Sub-processor data protection obligations that are no less protective than those set out in this DPA, in particular providing sufficient guarantees of appropriate technical and organisational measures.
  5. The Processor remains fully liable to the Controller for the performance of each Sub-processor's obligations under its contract with the Processor.

7. Assistance with Data Subject rights

  1. Taking into account the nature of the processing, the Processor will assist the Controller by appropriate technical and organisational measures, insofar as possible, to fulfil the Controller's obligation to respond to requests from Data Subjects to exercise their rights under Chapter III of the GDPR.
  2. If the Processor receives a request from a Data Subject, it will not respond to the request directly except as legally required, and will refer the Data Subject to the Controller without undue delay.

8. Assistance with the Controller's other obligations

Taking into account the nature of the processing and the information available to the Processor, the Processor will assist the Controller in ensuring compliance with its obligations under Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments and prior consultation).

9. Personal Data Breach notification

  1. The Processor will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting the Controller's Personal Data.
  2. The notification will, where possible, include: the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach and mitigate its possible adverse effects.
  3. Where the Processor cannot provide all the information at the same time, it may provide it in phases without further undue delay.
  4. The Processor's notification or assistance under this clause is not, and will not be construed as, an acknowledgement of fault or liability.

10. Audits

  1. The Processor will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR.
  2. The Processor's primary form of audit cooperation is the provision of: (a) up-to-date third-party security certifications and audit reports (where available); (b) responses to security questionnaires; and (c) the description of measures in Annex 3.
  3. Where the materials in clause 10.2 are not sufficient to demonstrate compliance, the Controller may, at its own cost and on at least 30 days' prior written notice, audit the Processor's processing activities through an independent auditor reasonably acceptable to both parties. Audits will: (a) be limited to information directly relevant to the Processor's compliance with this DPA; (b) take place during normal business hours; (c) not occur more than once in any 12-month period, except where required by a supervisory authority or following a material Personal Data Breach; and (d) be subject to confidentiality obligations.
  4. The auditor must not access data of other customers, source code, or trade secrets unless strictly necessary and subject to appropriate safeguards.

11. International transfers

  1. Where Personal Data is processed. The Processor processes Personal Data primarily within the European Economic Area. Sub-processors located outside the EEA are listed in Annex 2. The Processor will not transfer Personal Data outside the EEA unless an appropriate transfer mechanism under Chapter V GDPR is in place.
  2. Onward transfers by the Processor. Where the Processor or a Sub-processor processes Personal Data in a country outside the EEA that has not received an adequacy decision from the European Commission, the Processor relies on the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module 3 (processor-to-processor), including any supplementary measures required following the Schrems II judgment. The Controller grants the Processor a docking right to add Sub-processors as parties to those clauses on the Controller's behalf, to the extent necessary. Where the Processor makes Personal Data available to a Controller established outside the EEA, the parties agree that the transfer (if any restricted transfer occurs in that direction) is governed by the jurisdiction-specific provisions of §§11.3–11.6, in lieu of Module 4 of the EU SCCs.
  3. UK Controllers. Where the Controller is established in the United Kingdom or the Personal Data is otherwise subject to the UK GDPR: (a) references to the GDPR in this DPA are deemed to include the UK GDPR where applicable; (b) the UK Addendum to the EU Standard Contractual Clauses (issued by the Information Commissioner's Office under Section 119A of the UK Data Protection Act 2018) is incorporated by reference and applies to any onward transfer from the United Kingdom that would constitute a restricted transfer under UK law; (c) the UK ICO is the competent supervisory authority for matters governed by UK GDPR.
  4. Swiss Controllers. Where the Controller is established in Switzerland or the Personal Data is otherwise subject to the Swiss Federal Act on Data Protection (FADP), the Swiss FDPIC's amendments to the EU SCCs are incorporated by reference, and references to GDPR in this DPA are deemed to include the FADP. The Swiss FDPIC is the competent supervisory authority.
  5. US Controllers. Where the Controller is established in the United States or processes Personal Data subject to US state privacy laws (including CCPA / CPRA, VCDPA, CPA, CTDPA, UCPA and successor or equivalent laws), the Processor acts as a "service provider" or "processor" under those laws: the Processor will not (a) sell or share Personal Data; (b) retain, use or disclose Personal Data outside the direct business relationship; (c) combine Personal Data with personal information received from other sources except as permitted by applicable law. The Processor will cooperate with the Controller's compliance obligations under those laws on reasonable request.
  6. Other non-EEA Controllers. Where the Controller is established in a country not addressed above, the parties will cooperate in good faith to put in place any jurisdiction-specific contractual mechanism reasonably required by the Controller's applicable data protection law.
  7. Transfer Impact Assessments. The Processor maintains Transfer Impact Assessments for material transfers to Sub-processors located outside the EEA and will provide a summary on reasonable request, subject to confidentiality.

12. Return or deletion of Personal Data

  1. On termination of the Service or at the Controller's choice, the Processor will, within 30 days, delete or return all Personal Data to the Controller and delete existing copies, except to the extent that Union or Member State law requires storage.
  2. The Processor will provide a self-service export mechanism within the Service to allow the Controller to retrieve Personal Data before deletion.
  3. The Processor's standard backup retention is a rolling 30-day window. Personal Data in backups will be overwritten in the ordinary course and remains subject to this DPA until overwritten.
  4. On the Controller's written request following completion of the actions in clause 12.1, the Processor will provide written confirmation that Personal Data has been deleted or returned in accordance with this Section 12.

13. Liability

Liability of the parties under this DPA is subject to the limitations of liability set out in the Terms of Use. Nothing in the Terms of Use limits a party's liability under Article 82 GDPR towards a Data Subject.

14. Term and termination

This DPA enters into force on the effective date of the Terms of Use and remains in force as long as the Processor processes Personal Data on behalf of the Controller. Clauses that by their nature should survive (including 4, 7, 10, 11, 12 and 13) will survive termination.

15. Miscellaneous

  1. If any provision of this DPA is held invalid or unenforceable, the remaining provisions remain in full force.
  2. This DPA is governed by Dutch law, and disputes are subject to the exclusive jurisdiction of the competent court of Amsterdam, in line with the Terms of Use.
  3. In case of discrepancy between language versions of this DPA, the English version prevails.

Annex 1: Details of processing

A. Subject matter and duration

The subject matter is the processing of Personal Data of Coachees by the Processor in order to provide the Service to the Controller. Duration: for the term of the Terms of Use, plus the deletion period set out in clause 12.

B. Nature and purpose

The Processor performs the following operations on Personal Data: storage, retrieval, organisation, structuring, transmission, hosting, backup, deletion, and (where the Controller enables AI features) submission of limited content to the AI Sub-processor for processing and return of generated text.

C. Categories of Personal Data

  • Identity and contact data: full name, email address, phone number (optional), business title (optional).
  • Coaching content: coach notes, private notes, session transcripts, AI-generated prep briefings and summaries, client pre-session input, action items, goals, progress notes, tags.
  • Session data: scheduled session times, durations, meeting links and IDs, time zones, calendar event IDs, location type, outcome ratings, feedback comments.
  • Resource assignments and worksheet responses: which library resources (articles, guides, worksheets) the Controller shares with the Coachee, the Coachee's responses to assigned worksheets, and related view, download and submission timestamps.
  • Communications: nudges, invoice reminders and other messages sent to the Coachee on the Controller's behalf.
  • Account data (where Coachee uses the client portal): authentication tokens, last visit timestamps.
  • Billing data (where the Controller invoices Coachees through Stripe Connect): invoice line items, totals, due dates, status, Stripe invoice identifiers.
  • Technical data: IP address, user-agent and log data generated when a Coachee uses the client portal.

D. Special categories of data

Coaching content may include data concerning health, mental health and wellbeing, where the Controller chooses to record such information. The Controller is responsible for the lawfulness of processing such data, including, where applicable, obtaining explicit consent under Article 9(2)(a) GDPR.

E. Categories of Data Subjects

  • Coachees of the Controller.
  • Authorised Users of the Controller (where applicable).

Annex 2: Sub-processors

The following Sub-processors are authorised by the Controller as of the effective date of this DPA. The list reflects the entities the Processor uses to deliver the Service. An updated list is also published in the Privacy Policy at faronto.com/privacy.

Sub-processorServiceLocation of processingTransfer mechanism
Vercel Inc.Application hosting, edge deliveryEU region (with edge cache)EU SCCs / EU-US Data Privacy Framework
Neon Inc.Managed PostgreSQL databaseFrankfurt, EUEU SCCs
Cloudflare, Inc. (R2)Object storage for files and attachmentsEU jurisdictionEU SCCs
Resend (Resend.com Inc.)Transactional email deliveryUnited StatesEU SCCs / EU-US Data Privacy Framework
OpenAI Ireland Ltd / OpenAI L.L.C.AI prep briefings, session summaries and nudge draftsUnited StatesEU SCCs; OpenAI does not train on API data
Stripe Payments Europe Ltd / Stripe, Inc.Stripe Connect: invoicing of Coachees by the ControllerIreland / United StatesEU SCCs / EU-US Data Privacy Framework
Google LLCCalendar synchronisation (when connected)United StatesEU SCCs / EU-US Data Privacy Framework
Microsoft CorporationSign-in and calendar synchronisation (when connected)United States / EUEU SCCs / EU-US Data Privacy Framework
Zoom Communications, Inc.Video meeting integration (when connected)United StatesEU SCCs / EU-US Data Privacy Framework
PostHog EUProduct analytics, activation measurement, session replay and attribution analysisEuropean Union (Frankfurt instance)EU processing under PostHog data processing terms
Upstash, Inc.Background job queue (QStash) and rate-limiting store (Redis)European Union (AWS eu-central-1, Frankfurt)EU SCCs / EU-US Data Privacy Framework
Functional Software, Inc. (Sentry)Application error and performance monitoringUnited StatesEU SCCs / EU-US Data Privacy Framework

Mechanisms shown apply to EU SCCs-based transfers. For UK Controllers, the EU SCCs are extended by the UK Addendum (§11.3). For Swiss Controllers, the FDPIC-amended SCCs apply (§11.4). For US Controllers, the Processor's service-provider obligations under applicable US state privacy laws apply (§11.5).

Note on Paddle. Paddle (Paddle.com Market Limited) processes coach billing data (name, email, payment method) as a merchant of record for the Processor's own Service plans. That is a direct controller-to-controller relationship between the Coach and Paddle. Paddle is not a Sub-processor under this DPA. The Coach's relationship with Paddle is set out in the Processor's Privacy Policy at faronto.com/privacy.

Annex 3: Technical and organisational security measures

A. Measures to ensure confidentiality

  • Encryption of data in transit using TLS 1.2 or higher.
  • Encryption of data at rest in the database and object storage.
  • AES-256-GCM encryption of high-sensitivity stored secrets, in particular third-party OAuth tokens.
  • Passwordless authentication - no passwords stored. Sign-in via short-lived (15-minute) one-time magic-link tokens or Google OAuth. Magic-link tokens are stored only as SHA-256 hashes at rest, never in plaintext.
  • HTTP security response headers on all responses: HTTP Strict Transport Security, Content-Security-Policy, X-Frame-Options, Referrer-Policy and Permissions-Policy.
  • Rate limiting on the public authentication and upload endpoints to bound credential-stuffing, enumeration and abuse.
  • Role-based access control with the principle of least privilege; multi-factor authentication for production access.
  • Confidentiality obligations on all personnel with access to Personal Data.
  • Segmentation of customer data so that the Controller can only access its own Personal Data.

B. Measures to ensure integrity

  • Audit logs of administrative actions.
  • Code review and automated testing of changes to the Service.
  • Dependency scanning and timely security patching.
  • Idempotency safeguards on critical operations to prevent silent corruption (e.g., webhook deduplication).

C. Measures to ensure availability and resilience

  • Hosting on resilient EU infrastructure with automated failover.
  • Daily database backups with at least a 30-day retention window.
  • Documented incident response procedures.

D. Measures to restore availability and access

  • Tested restore procedures from backups.
  • Runbooks for the most common incident classes.

E. Measures for ongoing evaluation

  • Regular review of access rights, security settings and Sub-processor agreements.
  • Continuous monitoring of error rates, security events and product analytics signals.
  • Session replay, where enabled, is configured to mask sensitive fields and exclude coaching content, goals, notes, AI prompts and outputs, payment details, authentication secrets and private free-text fields.
  • Periodic vendor reviews and contract updates.

F. Pseudonymisation and minimisation

  • Personal Data is sent to the AI Sub-processor only when strictly necessary, with the minimum context required for the requested output.
  • The Processor does not add email addresses, phone numbers or billing data as structured fields in requests to the AI Sub-processor; free-text content supplied by the Controller, such as session transcripts and notes, is transmitted as written.
  • Production access uses individual accounts; shared credentials are not permitted.
↑ Back to top