Back to Home

Data Processing Agreement

Last reviewed: March 2026

This Data Processing Agreement ("DPA") is between your organisation ("you", "the controller") and TabWall ("we", "us", "the processor"). It describes how we handle personal data when providing our platform to your organisation.

This agreement is required by EU data protection law (GDPR Article 28). It makes sure your members' data is handled properly and transparently.

We have written this agreement in plain language so that everyone can understand it, regardless of their technical background.

Table of Contents

Definitions

Here are the key terms used in this agreement:

TermWhat It Means
ControllerYour organisation — the club or group that decides why and how personal data is processed
ProcessorTabWall — the platform that processes personal data on your behalf
Data SubjectAny person whose data is processed — your members, guests, and event participants
Personal DataAny information that identifies or could identify a person (name, email, consumption records, etc.)
Special Category DataSensitive data that needs extra protection — this includes biometric data like face embeddings
ProcessingAnything done with personal data: collecting, storing, using, sharing, or deleting it
SubprocessorA third-party service that we use to help provide TabWall (listed in Schedule 3)
Data BreachA security incident that leads to accidental or unlawful destruction, loss, alteration, or unauthorised access to personal data

For definitions of TabWall-specific terms (Organisation, Location, Event, Member, etc.), see our Terms of Service.

Scope of Processing

What This Agreement Covers

This DPA applies to all personal data that TabWall processes on behalf of your organisation through the platform. This includes:

  • Member registration and identification
  • Consumption tracking at events
  • Settlement and payment processing
  • Optional face recognition for hands-free check-in
  • Event management and reporting

The Parties

  • Controller (you): Your organisation (club, association, or event organiser) that uses TabWall
  • Processor (us): TabWall, the platform provider

Duration

This agreement applies for as long as your organisation uses TabWall. It ends when your organisation stops using the platform and all personal data has been returned or deleted (see Data Return and Deletion).

Nature and Purpose of Processing

TabWall processes personal data to provide a real-time consumption tracking service for your events. The detailed categories of data, data subjects, and purposes are listed in Schedule 1: Processing Details.

Processor Obligations

TabWall processes personal data only on your documented instructions. We will not use your members' data for our own purposes.

Specifically, we commit to the following:

  • We process data only as needed to provide the TabWall platform to your organisation
  • We do not sell, share, or use personal data for marketing, advertising, or profiling
  • We do not process data beyond what is necessary for the service
  • If EU or member state law requires us to process data beyond your instructions, we will inform you before doing so — unless the law prohibits us from telling you

Your documented instructions include:

  • This DPA and its schedules
  • Your use of the platform features (each feature you enable is an instruction to process the necessary data)
  • Any additional written instructions you provide to us

If we believe an instruction from you violates data protection law, we will inform you promptly.

Confidentiality

We ensure that everyone who handles your members' data is bound by confidentiality:

  • All TabWall staff and contractors who access personal data are under confidentiality obligations
  • Automated systems that process data are designed with access controls and security measures
  • We limit access to personal data to only those people and systems that need it to provide the service

Security Measures

We implement appropriate technical and organisational measures to protect personal data. These measures are proportionate to the risks involved.

Our current security measures are detailed in Schedule 2: Technical and Organisational Measures. Key measures include:

  • Encryption in transit — all data is encrypted using TLS 1.2 or higher
  • Face embedding separation — biometric data is stored separately from user identity information, linked only by an internal token
  • Access controls — role-based access ensures only authorised users can see and manage data
  • Database tenant isolation — each organisation's data is logically separated at the database level
  • Automated purge mechanisms — event-scoped guest data is automatically deleted when the event closes
  • Regular backups — data is backed up regularly to prevent loss

We review and update these measures as needed to maintain an appropriate level of security.

Sub-Processing

Current Subprocessors

We use a limited number of subprocessors to provide TabWall. These are listed in Schedule 3: Subprocessors.

By signing this DPA, you give us general written authorisation to engage subprocessors. This means we can add or change subprocessors, but we will always tell you first.

Changes to Subprocessors

When we plan to add or replace a subprocessor:

  1. We will inform you at least 30 days before the change takes effect
  2. You may object to the change within that period
  3. If you object and we cannot address your concerns, you may terminate this agreement

Subprocessor Obligations

We require all subprocessors to:

  • Sign a data processing agreement with equivalent protections to this DPA
  • Implement appropriate security measures
  • Process data only as necessary for their specific purpose

We remain fully responsible for the actions of our subprocessors. If a subprocessor fails to meet its obligations, we are liable to you as if we had failed ourselves.

Data Subject Rights

Your members and guests have rights under GDPR. As the controller, you are responsible for responding to their requests. We will help you do this.

Rights We Help You Fulfil

RightWhat It MeansHow TabWall Helps
Access (Art. 15)People can ask to see their dataWe provide data export tools for administrators
Correction (Art. 16)People can ask to fix incorrect dataAdministrators can update member information
Deletion (Art. 17)People can ask for their data to be deletedSelf-service face data deletion; admin deletion tools; automated event-scoped guest purge
Restriction (Art. 18)People can ask to limit how their data is usedWe can restrict processing on request
Portability (Art. 20)People can ask for their data in a standard formatWe provide data export in common formats
Objection (Art. 21)People can object to certain processingWe support consent withdrawal for biometric data

Our Commitments

  • We respond to your assistance requests without undue delay
  • We do not respond directly to data subject requests — we redirect them to you (the controller) unless you instruct us otherwise
  • We provide the technical means to fulfil data subject requests through the platform

For more details on data subject rights, see our Privacy Policy.

Data Breach Notification

What Happens If There Is a Data Breach

If we become aware of a personal data breach, we will:

  1. Notify you without undue delay after becoming aware of the breach — this helps you meet your own obligation to notify the supervisory authority within 72 hours if required (GDPR Article 33)
  2. Provide you with the following information (to the extent available):
    • A description of the breach, including the categories and approximate number of people affected
    • The likely consequences of the breach
    • The measures we have taken or plan to take to address the breach
    • A contact point for further information
  3. Cooperate with you in investigating and resolving the breach
  4. Document the breach and make the documentation available to you

What We Expect from You

  • Provide us with a reliable contact for breach notifications (email is sufficient)
  • Respond to our breach notifications promptly
  • Handle the notification to the supervisory authority and affected individuals as required by GDPR Articles 33 and 34

Biometric Data Handling

Face embeddings are biometric data — a special category of personal data under GDPR Article 9. This data requires extra protection and explicit consent.

How Biometric Data Works in TabWall

  • Face recognition is optional — manual fallback (name-tap) is always available
  • Face embeddings are mathematical representations of faces, not photographs
  • Embeddings are stored separately from personal identity data (name, email), linked only by an internal token
  • This separation means that even if someone accessed the embeddings, they could not easily connect them to a person's identity
  • Explicit consent must be obtained before any face embedding is created
  • TabWall provides the consent flow through its BiometricConsent system
  • Consent is recorded and can be verified at any time
  • Your organisation (as controller) is responsible for ensuring consent is properly obtained

Retention and Deletion

User TypeWhen Biometric Data Is Deleted
Event-Scoped GuestsAutomatically deleted when the event closes
Persistent GuestsDeleted when an administrator removes it, or when consent is withdrawn
Registered UsersDeleted when the user removes it themselves, or when consent is withdrawn
  • Consent withdrawal triggers immediate deletion of all face embeddings and photos for that person
  • There is no grace period — deletion happens right away

Cross-Border Data Transfers

Where Your Data Is Processed

All TabWall data is processed within the European Union / European Economic Area (EU/EEA):

  • Our infrastructure is hosted by Hetzner Cloud in Germany
  • Payment processing is handled by Stripe in the EU (Ireland)
  • The ML inference service for face recognition operates within the EU

Google Sheets Integration

If your organisation enables the optional Google Sheets sync, consumption data may be transferred to Google servers. Google Sheets data may be processed in the EU or the US. Where data is transferred to the US, this is covered by Standard Contractual Clauses (SCCs) and Google's data protection commitments.

Future Transfers

If we ever need to transfer data outside the EU/EEA in the future:

  • We will inform you in advance
  • We will ensure appropriate safeguards are in place (such as Standard Contractual Clauses)
  • You will have the opportunity to object

Audit and Transparency Rights

Your Right to Audit

You have the right to verify that we are complying with this agreement. This means:

  • We will make available to you all information necessary to demonstrate compliance with this DPA
  • You may conduct audits yourself or appoint an independent auditor to do so

How Audits Work

  • Provide us with at least 30 days' written notice before an audit
  • Audits take place during normal business hours
  • The auditor must agree to reasonable confidentiality obligations
  • You bear the costs of the audit (unless the audit reveals a material breach by us)
  • We will cooperate fully and provide access to relevant systems, records, and personnel

Transparency

We provide transparency through:

Compliance Assistance

We will assist you with your obligations under GDPR, specifically:

  • Security of processing (Article 32) — we implement and maintain the security measures described in Schedule 2
  • Data breach notification (Articles 33–34) — we notify you of breaches as described in Data Breach Notification
  • Data Protection Impact Assessment (Article 35) — if you need to conduct a DPIA for your use of TabWall, we will provide the necessary information about our processing activities and security measures
  • Prior consultation with supervisory authority (Article 36) — if you need to consult with a data protection authority about your use of TabWall, we will provide the necessary documentation and assistance

Data Return and Deletion

When This Agreement Ends

When your organisation stops using TabWall, we will:

  1. Return or delete all personal data within 30 days of the end of this agreement — you choose which
  2. Confirm deletion in writing once complete
  3. Delete all copies of the data from our systems, including backups (within the normal backup rotation cycle)

Exceptions

We may retain personal data beyond the 30-day period only if:

  • Retention is required by EU or member state law (for example, accounting records)
  • We will inform you of any such legal retention requirement and limit the processing to what is legally required

Ongoing Automated Deletion

Even during the agreement, certain data is automatically deleted:

  • Event-scoped guest biometric data — deleted when the event closes
  • One-time passwords — deleted immediately after use or after 10 minutes
  • Face photos — deleted after the event closes plus a configurable dispute window

Liability

Processor Liability

TabWall is liable for damages caused by processing that violates this DPA or GDPR, unless we can demonstrate that we are not responsible for the event giving rise to the damage.

Controller Liability

Your organisation is liable for damages caused by processing that violates GDPR, including any instructions given to us that violate data protection law.

Limitation

Liability under this DPA is subject to the limitations set out in our Terms of Service. Nothing in this agreement excludes or limits liability that cannot be excluded by law (such as gross negligence, intentional misconduct, or fraud).

Duration and Termination

Duration

This DPA takes effect when your organisation starts using TabWall and remains in force for as long as we process personal data on your behalf.

Termination

This DPA terminates when:

  • Your organisation stops using TabWall and all personal data has been returned or deleted
  • Either party terminates the agreement due to a material breach that has not been remedied within 30 days of written notice
  • You object to a new subprocessor and we cannot resolve the objection (see Sub-Processing)

Survival

The following sections survive termination: Confidentiality, Data Return and Deletion, Liability, and Governing Law.

Governing Law

This DPA is governed by the laws of Germany, consistent with our Terms of Service.

Disputes arising from this DPA follow the same resolution process described in the Terms of Service — first through good-faith communication, then through the courts at the platform operator's registered seat in Jever, Germany.

Contact

For questions about this Data Processing Agreement:

Schedule 1: Processing Details

Categories of Data Subjects

CategoryDescription
Registered UsersPeople who sign up with their email address
Persistent GuestsPeople added to an organisation by name and face, who attend multiple events
Event-Scoped GuestsPeople who join a single event only — their data is removed when the event closes

Categories of Personal Data

Data CategoryExamplesSpecial Category?
Identity dataName, email addressNo
Authentication dataOne-time passwords, session tokensNo
Biometric dataFace embeddings, face photosYes — GDPR Article 9
Consumption dataBeverage name, quantity, price, timestampNo
Payment dataCash transactions, settlement recordsNo
Membership dataOrganisation membership, roles, location accessNo
Subscription dataStripe subscription reference (no card details stored)No

Purposes of Processing

PurposeDescription
Member identificationIdentifying members at events (by name or face recognition)
Consumption trackingRecording what beverages are served at events in real time
SettlementCalculating what each person owes at the end of an event
Event managementCreating and managing events, beverage menus, and pricing
Payment processingHandling organisation subscription payments via Stripe
Data syncOptional export of consumption data to Google Sheets

Retention Periods

Data CategoryRetention Period
Event-scoped guest biometric dataAutomatically deleted when the event closes
Persistent guest biometric dataUntil admin deletion or consent withdrawal
Registered user biometric dataUntil user deletion or consent withdrawal
Face photosDeleted after event close plus configurable dispute window
One-time passwordsDeleted immediately after use or after 10 minutes
Consumption dataRetained for the legally required period for accounting
Account dataRetained while the account exists

Schedule 2: Technical and Organisational Measures

The following measures are currently in place to protect personal data:

Encryption

  • In transit: All data transmitted between users and TabWall is encrypted using TLS 1.2 or higher
  • At rest: Database and backup storage use encryption provided by the hosting infrastructure

Access Controls

  • Role-based access: Users can only access data appropriate to their role (global role, organisation role, and event role)
  • Authentication: Login is email-based with one-time passwords — no reusable passwords are stored
  • Session management: JWT tokens with server-side validation on every request

Data Separation

  • Tenant isolation: Each organisation's data is logically separated at the database level — organisations cannot see each other's data
  • Biometric data separation: Face embeddings are stored separately from user identity information (name, email), linked only by an internal token (NFR7)

Automated Deletion

  • Event-scoped guest purge: Biometric data for event-only guests is automatically deleted when the event closes
  • Consent withdrawal: Withdrawing biometric consent triggers immediate deletion of all face embeddings and photos
  • OTP cleanup: One-time passwords are deleted after use or expiry

Infrastructure

  • Hosting: Hetzner Cloud, Germany (EU) — K3s Kubernetes cluster
  • Backups: Regular automated backups with defined retention schedules
  • Monitoring: Infrastructure and application monitoring for availability and security

Incident Response

  • Data breach detection and notification procedures as described in Data Breach Notification
  • Incident documentation and lessons-learned process

Schedule 3: Subprocessors

The following subprocessors are currently engaged to provide TabWall:

SubprocessorPurposeData ProcessedData Residency
Hetzner CloudInfrastructure hosting (K3s cluster)All platform dataGermany, EU
StripePayment processingOrganisation billing data (name, email, payment method)EU (Ireland)
Google Sheets APIOptional consumption syncEvent consumption records (member name, beverage, timestamp)EU/US (with Standard Contractual Clauses)
ML Inference ServiceFace recognitionFace embeddings (biometric data)EU

Changes to this list will be communicated at least 30 days in advance. An up-to-date list is always available on our Subprocessor Disclosure page.

This Data Processing Agreement was last reviewed in March 2026. We recommend professional legal review before commercial launch.