Data Processing Agreement
Last updated: March 9, 20261. Subject of the Agreement
1.1. This document (hereinafter referred to as the "Agreement" or "DPA") defines the procedure for processing personal data of the User's Clients (hereinafter referred to as "Client Personal Data") within the use of the LALAPAM platform (hereinafter referred to as the "Platform").
1.2. The User (hereinafter referred to as the "Controller") instructs LALAPAM (hereinafter referred to as the "Processor") to process the personal data of their Clients in accordance with the terms of this Agreement.
1.3. Personal data processing is carried out exclusively within the functionality of the Platform and for the purposes defined by the Controller.
1.4. The legal basis for processing is Article 6, Part 3 of Federal Law No. 152-FZ dated July 27, 2006 "On Personal Data" (hereinafter referred to as FZ-152).
2. Definitions
- Controller (User) — an individual or legal entity (individual entrepreneur, self-employed person) using the LALAPAM Platform to serve their Clients and determining the purposes and means of processing their personal data.
- Processor (LALAPAM) — Individual Entrepreneur Denis N. Filipkin, providing the LALAPAM SaaS platform and processing Client personal data on behalf of the Controller.
- Client — an individual who books services, purchases goods, or makes reservations through the User's Platform.
- Client Personal Data — any information relating to a Client, provided by them during booking, purchase, or other interaction with the Platform.
3. Categories of Client Data
3.1. Under this Agreement, the Processor processes the following categories of Client personal data:
- First name, last name
- Phone number, email address
- Telegram ID, VK ID
- Order data (service names, dates, amounts)
- Booking form data (custom fields configured by the User)
- Photos and files attached to orders
- Interaction history with the Platform
4. Processor Obligations (LALAPAM)
4.1. The Processor undertakes to:
- Process Client data exclusively according to the Controller's documented instructions and for the purposes defined by this Agreement.
- Ensure the confidentiality of processed personal data.
- Implement technical and organizational measures to protect personal data, including:
- Encryption of data in transit (TLS/HTTPS)
- Encryption of sensitive data at rest
- Role-based access control
- Logging of data operations
- Regular data backups
- Notify the Controller of any security incident within 72 hours of discovery.
- Assist the Controller in fulfilling data subject rights requests (access, rectification, erasure).
- Delete or return all Client personal data upon the Controller's request or upon termination of the agreement.
- Provide the Controller with information necessary to demonstrate compliance with the obligations under this Agreement.
- Not engage sub-processors without prior notification to the Controller.
5. Controller Obligations (User)
5.1. The Controller undertakes to:
- Obtain lawful consent from Clients for the processing of their personal data before using the Platform.
- Ensure a legal basis exists for the collection and processing of Client data in accordance with applicable legislation.
- Define the purposes and scope of Client data processing.
- Notify the Processor of any restrictions on data processing.
- Promptly inform the Processor of any data subject requests received (requests for deletion, access, rectification, etc.).
- Bear full responsibility for the lawfulness of Client data collection.
- Publish their own privacy policy for their Clients.
6. Sub-processors
6.1. The Processor engages the following sub-processors to perform specific Platform functions:
| Sub-processor | Purpose | Jurisdiction |
|---|---|---|
| Resend | Email notification delivery | USA |
| Telegram Bot API | Telegram notifications | UAE |
| VK | VK notifications | Russia |
| OpenAI | AI assistant | USA |
| FNS (My Tax) | Fiscal receipt generation | Russia |
| Web Push | Browser push notifications | Depends on provider |
6.2. The Controller will be notified of any changes to the list of sub-processors at least 30 days prior to the changes taking effect.
6.3. The Controller has the right to object to the engagement of a new sub-processor within the specified notification period.
7. Cross-border Data Transfer
7.1. Client personal data may be transferred to jurisdictions listed in the sub-processors table (Section 6) to perform the corresponding Platform functions.
7.2. Safeguards for cross-border transfers include: data encryption, data minimization, and contractual obligations of sub-processors to protect personal data.
8. Data Subject Rights
8.1. Upon receiving a request from a Client (for access, rectification, or erasure of personal data), the Processor shall:
- Notify the Controller of the received request within 48 hours.
- Assist the Controller in fulfilling the data subject's request.
- Complete the deletion of personal data within 30 days after receiving confirmation from the Controller.
9. Security Incidents
9.1. The Processor shall notify the Controller of any security incident affecting Client personal data within 72 hours of discovery.
9.2. The incident notification shall contain: a description of the incident, the categories and approximate volume of affected data, measures taken to remediate the incident, and recommendations for minimizing consequences.
9.3. The Processor shall take all reasonable measures to minimize the consequences of a security incident.
10. Term and Termination
10.1. This Agreement remains in effect for the entire duration of the Terms of Service between the Controller and the Processor.
10.2. Upon termination of the Terms of Service, the Processor shall delete all Client personal data within 30 days.
10.3. Upon the Controller's request, the Processor shall provide a return of data in a machine-readable format prior to deletion.
11. Liability
11.1. Each party shall be liable for any breach of its obligations under this Agreement in accordance with the applicable legislation of the Russian Federation.
11.2. The Processor shall not be liable for the unlawful collection of personal data by the Controller, nor for data processing that falls outside the scope of the Controller's documented instructions.
11.3. The Processor's liability is limited in accordance with the Terms of Service.
12. Governing Law
12.1. This Agreement is governed by the legislation of the Russian Federation.
12.2. Federal Law No. 152-FZ dated July 27, 2006 "On Personal Data" applies to the processing of personal data.
12.3. Disputes arising from this Agreement shall be resolved in the manner prescribed by the Terms of Service.
13. Contact Information
13.1. Processor:
- Name: Individual Entrepreneur Denis N. Filipkin
- TIN: 731201040405
- Address: 6 Kirova St., apt. 225, Ulyanovsk, 432048, Russian Federation
- Email: support@lalapam.ru