GDPR & sub-processors

How TuinApp meets UK GDPR and EU GDPR. Sub-processor list, Data Processing Agreement, and how to reach our data-protection lead. Last updated 27 May 2026.

1. Our GDPR commitment

We treat UK GDPR and EU GDPR as the baseline standard for every part of TuinApp, not as a tick-box exercise. The platform is designed to support the principles in Article 5 (lawfulness, fairness, transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; accountability) and the rights in Articles 12-23.

For data you submit to our marketing site, see the full Privacy notice. For data your organisation processes through the TuinApp SaaS platform once it goes live, the Data Processing Agreement (DPA) below applies and we act as your processor.

2. Roles

  • Marketing site (this site). We are the controller of personal data you submit through forms, server logs, and cookies.
  • TuinApp SaaS platform (going live in beta). Your organisation is the controller of the personal data you process through the platform (employees, candidates, customers). We are your processor, governed by the DPA.
  • Carina AI. Same as above: your organisation determines the prompt, the data, and the purpose; Carina executes drafting or recommendation tasks under your instructions. The DPA covers Carina.

3. Data Processing Agreement (DPA)

Our DPA is incorporated into the Master Services Agreement that takes effect when you move from the free trial to a paid plan. It includes:

  • UK GDPR Article 28 obligations (sub-processor controls, security, audits, breach notification, data return / deletion).
  • UK Standard Contractual Clauses (SCCs) and the International Data Transfer Addendum where data leaves the UK.
  • Sub-processor list (section 5 below) with the right to object to changes.
  • Audit and inspection rights (annual SOC 2 report on Enterprise; written audit response otherwise).
  • Breach-notification commitment: we notify the controller without undue delay and in any case within 72 hours of becoming aware of a personal-data breach affecting their data.

A signable DPA template is available on request from [email protected]. Enterprise customers receive a tailored DPA as part of their contract.

4. Data Protection Impact Assessments (DPIA)

If your intended use of TuinApp triggers an obligation to conduct a DPIA (for example, large-scale processing of employee data, monitoring of behaviour, or use of AI in hiring), we will help. We provide:

  • A pre-completed DPIA pack for the platform's standard processing operations.
  • Algorithmic transparency documentation for Carina, covering the data the AI uses, the safeguards, and the human-in-the-loop controls.
  • EU AI Act and NYC Local Law 144 conformity evidence for any hiring AI feature you choose to enable.
  • UK GDPR Article 22 compliance: no decisions with legal or similarly significant effects are taken solely by Carina; a human approves.

5. Sub-processor list

The third parties below process personal data on our behalf in the course of providing TuinApp. We keep this list current and notify customers (Enterprise contracts: 30 days' written notice; other plans: posted update here and via email opt-in) before adding or replacing a sub-processor.

Each entry lists the sub-processor, its purpose, the processing location, and the transfer mechanism relied on.

  • Contabo GmbH. Purpose: primary infrastructure hosting; VPS that runs the marketing site and (once live) the TuinApp SaaS application servers and databases. Location: Germany (EU). Transfer mechanism: adequacy (EU); no additional safeguards required.
  • Cloudflare Inc. Purpose: DNS, CDN, DDoS protection, Web Application Firewall (WAF), bot management, TLS termination at the edge. Location: United Kingdom (primary) / United States (failover). Transfer mechanism: UK-US Data Privacy Framework certification; UK IDTA where applicable.
  • Sendinblue SAS (Brevo). Purpose: transactional and notification email delivery (SMTP relay); processes recipient email addresses, subject lines, and message bodies. Location: France (EU). Transfer mechanism: adequacy (EU); no additional safeguards required.
  • NameSilo LLC. Purpose: domain registrar for our .com and .uk domains; processes WHOIS-required registrant contact data. Location: United States. Transfer mechanism: UK IDTA / EU SCCs; encrypted in transit.
  • aaPanel team (on Contabo VPS). Purpose: server-management software running on infrastructure under our own control; provides mailbox forwarders and operational tools. Location: software origin is an international team; deployment is on Contabo (Germany, EU). Transfer mechanism: data does not leave our EU VPS; the software vendor receives no personal data.

Note: this list covers infrastructure used by the marketing site today. Additional sub-processors that come into scope when the TuinApp SaaS platform goes live (for example payment processor, identity provider for SSO, large-language-model providers for Carina) will be added with the corresponding transfer mechanism and an effective date.

6. International transfers

Personal data is processed in the European Union by default (Germany). Where transfers are made to the United Kingdom, both jurisdictions recognise each other as adequate. Where transfers are made to the United States, we rely on the UK-US Data Privacy Framework certification of the recipient, or on the UK International Data Transfer Agreement (IDTA) / EU Standard Contractual Clauses with supplementary measures (encryption in transit and at rest, contractual restrictions on government access).

7. Personal-data breach notification

If we become aware of a personal-data breach affecting your data, we will notify you without undue delay and within 72 hours wherever possible, with a description of the breach, the categories and approximate number of records affected, the likely consequences, and the measures taken or proposed. We will support you in your own obligation to notify the ICO and affected data subjects where required.

8. Contact

Data-protection requests, DPA requests, sub-processor enquiries: [email protected]. Security incidents and vulnerability disclosure: [email protected]. You may also complain to the UK Information Commissioner's Office at ico.org.uk.