Data Processing Agreement

For Creche Partners

Last updated: 14 February 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Childcare Waitlist ("Processor") and the creche using the Service ("Controller"), collectively "the Parties". This DPA is entered into to ensure compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Irish Data Protection Act 2018.

1. Definitions & Roles

  • Controller: The creche, which determines the purposes and means of processing personal data of its waitlist applicants.
  • Processor: Childcare Waitlist, which processes personal data on behalf of the Controller through the platform.
  • Data Subjects: Parents/guardians and children whose personal data is processed through the Service.

2. Scope of Processing

Data Processed

  • Parent/guardian: name, email, phone, address, Eircode
  • Child: name, date of birth (or expected due date), desired start date
  • Application: status, notes, priority, join date, status history

Purpose of Processing

To operate the waitlist management platform: receiving applications, storing applicant data, enabling the Controller to view and manage applications, sending status notification emails on behalf of the Controller, and generating CSV exports.

Duration

Processing continues for the duration of the Controller's use of the Service and for a reasonable period thereafter to allow data export and account closure.

3. Processor Obligations

Childcare Waitlist shall:

  • Process personal data only on documented instructions from the Controller (i.e., through the platform's features)
  • Ensure that persons authorised to process the data have committed to confidentiality
  • Implement appropriate technical and organisational security measures (see Section 5)
  • Not engage another processor without prior written consent of the Controller (see Section 4)
  • Assist the Controller in responding to Data Subject rights requests (access, rectification, erasure, etc.)
  • Assist the Controller in ensuring compliance with breach notification obligations
  • Delete or return all personal data to the Controller at the end of the service, at the Controller's choice
  • Make available all information necessary to demonstrate compliance with this DPA

4. Sub-Processors

The Controller authorises the use of the following sub-processors:

Sub-Processor | Purpose | Location
Supabase Inc. | Database hosting & authentication | EU (Frankfurt)
Cloudflare Inc. | Web hosting & CDN | Global (EU-inclusive, SCCs in place)
Brevo (Sendinblue) | Transactional email delivery | EU (France)
OpenStreetMap Foundation | Address geocoding | EU

The Processor will inform the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object. Each sub-processor is bound by a data processing agreement providing at least the same level of protection as this DPA.

5. Security Measures

The Processor implements the following technical and organisational measures:

  • All data transmitted over HTTPS (TLS encryption in transit)
  • Database encryption at rest (Supabase managed)
  • Row Level Security (RLS) — each user can only access their own data
  • Password hashing via Supabase Auth (bcrypt)
  • HttpOnly, SameSite, Secure authentication cookies
  • Session expiry after 1 hour of inactivity
  • Audit logging of waitlist status changes
  • Email delivery logging for compliance verification

6. Data Breach Notification

In the event of a personal data breach, the Processor shall notify the Controller without undue delay and no later than 48 hours after becoming aware of the breach. The notification shall include:

  • A description of the nature of the breach
  • The categories and approximate number of Data Subjects affected
  • The likely consequences of the breach
  • Measures taken or proposed to address the breach

This is to enable the Controller to meet its obligation to notify the Data Protection Commission within 72 hours where required under GDPR Article 33.

7. Data Subject Rights

The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under GDPR (access, rectification, erasure, restriction, portability, objection). The Processor provides the following capabilities:

  • CSV export of all waitlist data for a creche
  • Account deletion cascading through all related records
  • Profile editing for data rectification

8. Data Return & Deletion

Upon termination of the Service, the Processor shall, at the Controller's choice:

  • Provide a complete export of all Controller data in CSV format, and/or
  • Delete all Controller data within 30 days of the request

The Processor may retain anonymised, aggregated data that cannot be linked back to any individual for service improvement purposes.

9. Governing Law

This DPA is governed by the laws of Ireland and the provisions of GDPR. Any disputes shall be subject to the exclusive jurisdiction of the Irish courts.

10. Contact

For questions about this DPA or to exercise any rights, contact: hello@childcarewaitlist.ie