Data Processing Agreement pursuant to Art. 28 GDPR
This is a courtesy translation. The German version is the legally binding document.
between
the Customer (veterinary practice/veterinary clinic)
— hereinafter referred to as the "Controller" —
and
Petla UG (haftungsbeschränkt)
Brühler Str. 183, 50968 Köln
— hereinafter referred to as the "Processor" —
§ 1 Subject Matter and Duration of Processing
(1) The Processor provides the Controller with the following services, depending on the scope of services subscribed to:
a) Online appointment booking and practice management:
- Online appointment booking system (booking widget on the Controller's website)
- Practice dashboard for appointment and patient management
- Digital new client registration form
- Email notification system (appointment confirmations, cancellations, rescheduling)
b) Video consultation (video.petla.app) — if subscribed to by the Controller:
- Conducting video consultations between veterinarian and pet owner
- Online appointment booking with integrated payment processing
- SMS and voice call notifications to the veterinarian
- Upload of medical documents by the pet owner
- Documentation of consultation summaries by the veterinarian
The Controller may use one or both service areas. The respective sub-processors engaged are set out in § 6 para. 2.
(2) Processing commences upon conclusion of the service agreement and ends upon its termination. After termination, the provisions of § 10 shall apply.
§ 2 Nature and Purpose of Processing
Processing is carried out exclusively for the purpose of:
- Receiving and managing appointment bookings
- Managing client and animal master data (pet owners and animals)
- Sending appointment confirmations, reminders, and cancellation notifications via email
- Providing digital forms for client registration
- Storing and providing file attachments uploaded by the pet owner as part of the booking
- Calculating travel times and routes for mobile veterinary visits
- If subscribed to: conducting video consultations and associated payment processing
§ 3 Types of Personal Data
The following categories of personal data are processed:
a) Pet owner master data:
- Salutation (Mr/Ms/Other), first name, last name
- Email address, phone number
- Date of birth
- Address (street, postal code, city)
- Geolocation data (latitude/longitude — only for home visits)
b) Animal data:
- Name, species, breed, sex, date of birth
- Neutering/spaying status
- Weight, colour, country of origin
- Microchip number, EU pet passport number
- Housing type (outdoor/indoor cat)
c) Health information provided by the pet owner:
- Pre-existing conditions, medications, allergies, surgeries (information provided by the pet owner in the new client form)
- Reasons for consultation/symptoms
- Free-text notes
- Uploaded files (findings, photos — JPEG, PNG, PDF, max. 3 files of 5 MB each)
Note: This refers to preliminary information provided by the pet owner, not treatment documentation created by the veterinarian.
d) Insurance data (if provided by the pet owner in the new client form):
- Insurance type, insurer, policy number
- Policyholder, tariff, insurance start date
e) Appointment-related data:
- Date, time, duration of the appointment
- Appointment type, assigned calendar
- Home visit address including geocoordinates
- Estimated travel times
f) Consent data:
- Terms and conditions acceptance (timestamp)
- Marketing consent (yes/no)
- Confirmation text and timestamp upon form submission
- IP address upon form confirmation
g) Additionally when using the video consultation service:
- Audio and video streams (real-time transmission, no recording by the Processor)
- Participant metadata (join/leave times, call duration)
- Consultation summaries created by the veterinarian
- Technical connection quality assessments
- Pet owner feedback
- Stripe customer ID and payment status (no storage of full credit card data — processing exclusively by Stripe as a PCI-DSS-certified payment service provider)
§ 4 Categories of Data Subjects
- Pet owners/clients of the Controller
- Prospective new clients (persons who book an appointment or complete a new client form)
§ 5 Obligations of the Processor
(1) The Processor shall process personal data solely on the basis of documented instructions from the Controller, unless required to do so by Union or Member State law.
(2) The Processor shall ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(3) The Processor shall assist the Controller in complying with the obligations set out in Art. 32–36 GDPR (security, data protection impact assessment, notification of data breaches).
(4) The Processor shall assist the Controller in fulfilling data subject rights (Art. 15–22 GDPR), in particular by:
- Providing a deletion function for client data in the dashboard
- Exporting client data upon request
- Correcting master data via the dashboard
(5) The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes data protection law.
§ 6 Sub-Processing
(1) The Controller grants the Processor general authorisation to engage further processors. The Processor shall inform the Controller of any intended changes with a notice period of 14 days prior to engagement. The Controller may object to such changes.
(2) Depending on the scope of services subscribed to, the following sub-processors are engaged:
A. Core sub-processors (all services)
| Sub-processor | Purpose | Data processed | Location / Legal basis |
|---|---|---|---|
| DigitalOcean, LLC | Hosting (App Platform), managed PostgreSQL database (incl. automatic daily backups), Object Storage (Spaces) | All client, animal, and booking data | Frankfurt (EU); USA — EU Standard Contractual Clauses |
| Resend, Inc. | Sending transactional emails (appointment confirmations, cancellations, reminders) | Email address, name, appointment details | USA — EU Standard Contractual Clauses |
| Wildbit, LLC (Postmark) | Fallback email delivery | Email address, name, appointment details | USA — EU Standard Contractual Clauses |
| Google Ireland Ltd (Maps Platform) | Geocoding, route calculation, address autocomplete (for home visits) | Address, geocoordinates | Ireland (EU); data processing potentially also USA — EU-US Data Privacy Framework |
| Upstash, Inc. | Rate limiting (Redis) | IP addresses, request metadata | EU (Frankfurt) |
| Functional Software, Inc. (Sentry) | Error monitoring and performance monitoring | IP addresses, technical error data; in the event of errors, potentially personal data from the application context | EU (de.sentry.io) |
| Axiom, Inc. | Logging and observability | Technical log data; in individual cases, potentially personal data | USA — EU Standard Contractual Clauses |
| Vercel, Inc. | Hosting of the booking page (landing page) and automated deployment | IP addresses, request data, form data in transit | USA — EU Standard Contractual Clauses |
| Usercentrics GmbH | Cookie consent management on the booking page | Consent data, IP address, device/browser data | Munich, Germany (EU) |
B. Additionally when using online appointment booking
| Sub-processor | Purpose | Data processed | Location / Legal basis |
|---|---|---|---|
| Supabase, Inc. | PostgreSQL database (landing page) | Booking data, form data | EU (aws-eu-central-1) |
| Google Ireland Ltd (Analytics) | Web analytics for the booking page | IP address (anonymised), usage behaviour, device/browser data | Ireland (EU); USA — EU-US Data Privacy Framework |
| PostHog, Inc. | Product analytics for the booking page | IP address, usage behaviour, page views | EU (eu.posthog.com) |
C. Additionally when using the video consultation service (video.petla.app)
| Sub-processor | Purpose | Data processed | Location / Legal basis |
|---|---|---|---|
| Daily, Inc. (Daily.co) | WebRTC video platform for consultations | Participant metadata (join/leave times, duration), audio/video streams (not recorded) | USA — EU Standard Contractual Clauses |
| Stripe, Inc. | Payment processing for video consultations | Name, email, payment data, billing address | Ireland (EU); USA — EU-US Data Privacy Framework |
| Twilio, Inc. | SMS and voice call notifications to the veterinarian | Phone number, appointment details | USA — EU Standard Contractual Clauses |
| Vercel, Inc. (Blob Storage) | File storage (documents uploaded by the pet owner) | File contents (findings, photos) | USA — EU Standard Contractual Clauses |
| Supabase, Inc. | PostgreSQL database (video consultation) | Appointment, client, animal, and payment data | EU (aws-eu-central-1) |
(3) The Processor shall ensure that each sub-processor is subject to at least the same data protection obligations as set out in this Agreement.
§ 7 Third-Country Transfers
(1) Personal data shall only be transferred to third countries if the requirements of Art. 44–49 GDPR are met.
(2) Where sub-processors are based in the USA, the transfer is based on the EU-US Data Privacy Framework (where the provider is certified) or EU Standard Contractual Clauses (Art. 46 para. 2 lit. c GDPR).
§ 8 Technical and Organisational Measures (TOMs)
The Processor shall implement, in particular, the following measures:
Physical access control:
- Server infrastructure hosted by DigitalOcean in certified data centres (SOC 2 Type II, ISO 27001)
- No physical server access by the Processor
System access control:
- Authentication via email/password with session management
- Role-based access control (practice level, calendar level, admin)
- API key authentication for internal interfaces
- Access to the production database is restricted to management
Data access control:
- Tenant isolation: each practice can only access its own data (clinicId-based filtering at database level)
- Calendar-restricted access is available
- Data confirmed by the pet owner via form is immutable in the dashboard
Input control:
- All write operations require authenticated sessions
- Database timestamps (createdAt, updatedAt) for all records
- Form submissions logged with IP address and confirmation timestamp
Transport encryption:
- TLS/HTTPS for all data transmissions
- CSRF token protection (httpOnly cookies) for all form-related endpoints
- HMAC-SHA256 signatures for webhook communication between systems
- Encrypted database connections (SSL)
Availability control:
- Automatic daily database backups (DigitalOcean Managed Backups)
- Rate limiting on public endpoints (IP-based)
- Honeypot fields for bot detection on digital forms
Separation control:
- Strict tenant isolation via clinicId at database level
- Separate staging and production environments
Confidentiality:
- All employees of the Processor are bound by confidentiality obligations
§ 9 Notification of Data Breaches
(1) The Processor shall notify the Controller of any breach of personal data protection without undue delay, and no later than 24 hours after becoming aware of it.
(2) The notification shall include at least:
- Nature of the breach
- Categories of data affected and approximate number of data subjects concerned
- Likely consequences
- Measures taken and proposed
§ 10 Deletion and Return of Data
(1) The Processor shall store and delete personal data exclusively in accordance with documented instructions from the Controller. The determination of retention periods is the responsibility of the Controller.
(2) The Controller may delete client data at any time using the deletion function in the dashboard. Deletion is cascading:
- Deletion of a client automatically deletes all associated animals and form submissions
- Booking data is retained in anonymised form (client association is removed)
- Uploaded files are deleted together with the associated booking
(3) After termination of the agreement, the Processor shall delete all personal data of the Controller within 90 days. Upon request, the data shall be exported and handed over in a commonly used format (CSV, JSON) prior to deletion.
(4) Note: The platform serves the purpose of appointment booking and client master data management, not veterinary treatment documentation. The Controller is solely responsible for meeting its professional and tax-related retention obligations in its own systems.
§ 11 Audit and Inspection Rights
(1) The Controller shall have the right to verify compliance with this Agreement by means of inspections or audits, including through appointed third parties.
(2) The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR.
§ 12 Final Provisions
(1) Amendments and additions to this Agreement must be made in writing.
(2) Should any provision of this Agreement be or become invalid, the validity of the remaining provisions shall not be affected.
(3) The law of the Federal Republic of Germany shall apply.
(4) This Agreement is concluded electronically by accepting the Terms and Conditions of Petla.
Version: 1.0
As of: March 2026