Data Processing Addendum (DPA)

1. Scope

This DPA applies when a customer uses PerfectlySat to process personal data subject to applicable data protection laws. This DPA supplements the Terms of Service.

2. Roles

For guest and event data submitted by the customer, the customer acts as the data controller (or business), and PerfectlySat acts as a data processor (or service provider) processing data only under documented customer instructions.

3. Processing Details

• Subject matter: event seating planning and collaboration
• Duration: for the term of service use, unless deleted earlier
• Categories of data: account data, event data, and guest data
• Data subjects: customer users and event guests
• Purpose: provide, secure, and support the Service

4. Security Measures

PerfectlySat implements appropriate technical and organizational safeguards including:

• Encrypted connections (HTTPS/TLS) for all data in transit
• Row-level security policies ensuring data isolation between customers
• Industry-standard password hashing and cryptographically random tokens
• Access controls limiting personnel access to customer data on a need-to-know basis

All personnel with access to personal data are bound by confidentiality obligations.

5. Subprocessors

PerfectlySat may use subprocessors to provide infrastructure, billing, hosting, authentication, support, and email delivery. Stripe is identified in our Privacy Policy, and additional providers may be described there by service category rather than by name.

We will notify customers with an active signed DPA at least 30 days before authorizing a new subprocessor that processes personal data. If you object to a new subprocessor on reasonable data-protection grounds, you may notify us within that 30-day period and we will work in good faith to resolve the concern. Customers may also request a current subprocessor list by emailing hello@perfectlysat.com.

6. Data Breach Notification

If PerfectlySat becomes aware of a personal data breach affecting customer data, we will notify the affected customer without undue delay and in any event within 72 hours of becoming aware of the breach. The notification will include:

• A description of the nature of the breach, including the categories and approximate number of data subjects and records concerned
• The likely consequences of the breach
• The measures taken or proposed to address the breach and mitigate its effects
• A contact point for further information

7. Data Subject Requests

If PerfectlySat receives a request from a data subject to exercise their rights (access, rectification, erasure, portability, restriction, or objection), we will promptly notify the customer and provide reasonable assistance to help the customer respond to the request, taking into account the nature of the processing.

8. Audit Rights

Upon reasonable written request (no more than once per year), PerfectlySat will make available to the customer information necessary to demonstrate compliance with this DPA. This may include written responses to audit questionnaires, summaries of security practices, or relevant certifications. On-site audits may be arranged by mutual agreement, at the customer's expense, with reasonable advance notice.

9. Data Deletion & Return

Upon termination of the Service or upon the customer's written request, PerfectlySat will delete or return all personal data processed on behalf of the customer, except where retention is required by applicable law. The customer may use available export features to retrieve their data before termination. Deleted data may persist in encrypted backups for a limited period, after which it is permanently removed.

10. International Transfers

Where required, international data transfers are protected through contractual and legal safeguards, including Standard Contractual Clauses or equivalent mechanisms approved by the relevant supervisory authority.

11. Requests & Signature

Customers needing a signed version of this DPA may request one by emailing hello@perfectlysat.com.