Data Processing Agreement (DPA) — Tosvi
Version 1.0 · Effective date: 2026-06-20
This Data Processing Agreement ("DPA") forms part of the agreement between the Studio and Tosvi for use of the Service, and reflects the parties' obligations under Article 28 of the GDPR and Moldovan Law 133/2011.
Acceptance. Because the Service is self-service, this DPA is accepted electronically by an authorised representative of the Studio during onboarding (by ticking the acceptance box), which has the same effect as signature. Tosvi records the acceptance (account, accepting user, document version, language, and timestamp) as evidence. A wet-signature version (below) is available on request for studios that require one.
Parties
- Controller ("the Studio"): the car-detailing studio that holds the account. Its legal name, fiscal code, registered address, and authorised contact are provided during onboarding and recorded together with its acceptance of this DPA.
- Processor ("Tosvi"): Petru Virtos, Antreprenor Independent; fiscal code: 1026023032469; Chișinău, Republic of Moldova; contact: [email protected]
Processing details at a glance
| Item | Details |
|---|---|
| Roles | Studio = controller; Tosvi = processor (sub-processor where the Studio is itself a processor for its own controller) |
| Categories of personal data | Staff: name, email, role. Customers: name, phone, email, notes; vehicle plate, VIN, year, colour; quote/work history; inspection photos, customer signature, damage notes, approver name/timestamp. Widget (if enabled): lead name + phone; truncated, irreversibly hashed visitor IP (rate-limit only) |
| Categories of data subjects | Studio staff users; the Studio's customers; (if widget enabled) website visitors who submit the form |
| Special categories (Art. 9) | None intended. The Studio must not enter special-category data without a separate written agreement |
| Frequency | Continuous, for the duration of the Studio's use of the Service |
| Nature of processing | Storage, retrieval, display, rectification, deletion, export, and document generation |
| Purpose | Providing the Service on the Studio's instructions |
| Retention | Duration of the Service; deletion or return on request/closure (see clause 6.7) |
| Sub-processors | As set out in Annex 1 |
1. Subject matter and roles
The Studio is the controller of the personal data it enters into the Service about its customers and staff. Tosvi is the processor, processing that data solely to provide the Service and only on the Studio's documented instructions (these terms, the Service's configuration, and any further written instruction).
2. Duration
This DPA applies for as long as Tosvi processes personal data on the Studio's behalf, i.e. for the duration of the Studio's use of the Service.
3. Nature and purpose of processing
To provide a SaaS platform for managing clients, vehicles, quotes, scheduling, pre-work vehicle inspections, generated documents, and (if enabled) an embeddable price-calculator widget and lead capture.
4. Types of personal data
- Studio staff: name, email, role.
- Studio customers: name, phone, email, notes; vehicle plate, VIN, year, colour; quote/work history; pre-work inspection photos, customer signature, damage notes, approver name and timestamp.
- Widget (if enabled): visitor-submitted lead name and phone; a truncated, irreversibly hashed visitor IP used only for rate limiting.
5. Categories of data subjects
The Studio's staff users; the Studio's customers; (if the widget is enabled) visitors to the Studio's website who submit the contact form.
6. Processor obligations
Tosvi shall:
- Process only on documented instructions from the Studio, including for international transfers, unless required by law (in which case Tosvi will inform the Studio, unless legally prohibited).
- Confidentiality — ensure persons authorised to process the data are bound by confidentiality.
- Security — implement appropriate technical and organisational measures (Annex 2), as required by Article 32 GDPR.
- Sub-processors — engage only the sub-processors listed in Annex 1; impose equivalent data-protection obligations on them; remain liable for their performance; and give the Studio at least 30 days' notice of any intended change, during which the Studio may object.
- Assist the Studio — taking into account the nature of processing, assist with responding to data-subject requests (the Service provides per-account and per-client export and erasure), and with the Studio's obligations on security, breach notification, and data-protection impact assessments.
- Personal-data breach — notify the Studio without undue delay and, where feasible, within 48 hours after becoming aware of a breach affecting the Studio's data, with the information the Studio needs to meet its own notification duties.
- Deletion or return — at the Studio's choice, delete or return all personal data at the end of the provision of services, and delete existing copies unless legally required to retain them.
- Audits — make available information necessary to demonstrate compliance with Article 28. Where an on-site audit is required, it shall be on reasonable prior notice, no more than once per year (save where a regulator or a material breach requires otherwise), during business hours, subject to confidentiality, and conducted so as not to disrupt the Service; documentation provided by Tosvi shall be used to satisfy audit needs wherever it reasonably can.
- Restrictions — Tosvi shall not: (a) sell the Studio's personal data or make it available to a third party for valuable consideration; (b) share it for cross-context behavioural advertising; (c) retain, use, or disclose it for any purpose other than providing the Service or as permitted by applicable law; (d) use it outside the direct business relationship with the Studio; or (e) combine it with personal data from other sources, except as necessary to provide the Service or as permitted by applicable law.
7. International transfers
Where Tosvi or a sub-processor transfers personal data outside the EU/EEA or Moldova, the transfer is made under Standard Contractual Clauses or an equivalent lawful safeguard.
8. Controller obligations and representations
The Studio warrants and represents that:
- it has a lawful basis to collect and process the personal data it enters, and has provided its data subjects with the privacy information the law requires;
- its instructions to Tosvi comply with applicable law;
- it will relay to Tosvi, without undue delay, any data-subject request or regulator communication that requires Tosvi's assistance;
- it is responsible for determining whether the GDPR applies to its processing (e.g. because it is established in the EU/EEA or processes EU/EEA residents' data) and for informing Tosvi where it does, so the parties can put in place any additional GDPR measures required (including, where applicable, an EU representative under Article 27 GDPR).
9. Liability and governing law
Liability under this DPA is subject to the limitations in the Terms of Service. This DPA is governed by the laws of the Republic of Moldova and, where applicable, the GDPR.
Annex 1 — Sub-processors
| Sub-processor | Role | Location / transfer safeguard |
|---|---|---|
| Supabase | Database, authentication, file storage | EU (Frankfurt, Germany) |
| Cloudflare, Inc. | DNS, CDN, hosting, email routing, Turnstile bot protection | US entity, global edge; SCCs / DPF |
| MailerSend, Inc. | Transactional email delivery | EU data centres; US entity; EU-U.S. Data Privacy Framework |
Annex 2 — Technical and organisational measures
- Encryption in transit (TLS) and at rest.
- Tenant isolation enforced by database row-level security; one studio cannot access another's data.
- Inspection media held in a private storage bucket, served only via short-lived signed URLs.
- Authentication hardening: bot protection (Turnstile), leaked-password screening, email confirmation.
- Input validation on all inbound data; secrets stored as environment variables, never in source code.
- Append-only audit log of account actions (no customer PII).
- Production access restricted to the operator.
- Personal-data breach notification to the controller without undue delay.
Signatures
The Studio accepts this DPA electronically during onboarding, recorded as evidence (see "Acceptance" above); a wet-signature copy is available on request at [email protected].