Data Processing Agreement

Last updated: June 16, 2026  ·  Day56 acts as your processor; you (the breeder) are the controller
Contents
  1. Parties and Roles
  2. Definitions
  3. Subject-Matter, Duration, Nature & Purpose
  4. Categories of Personal Data & Data Subjects
  5. Day56's Processor Obligations (Art. 28(3))
  6. Sub-processors
  7. International Transfers
  8. Personal-Data Breach Notification
  9. Deletion or Return on Termination
  10. Audit & Compliance Verification
  11. Data Protection Impact Assessment
  12. GDPR, CCPA/CPRA, PIPEDA & Other Laws
  13. Liability
  14. Term & Survival
  15. Amendments & Modifications
  16. Governing Law & Jurisdiction
  17. Contact Information
  18. Regulatory References & Frameworks
  19. Acceptance

Plain-English summary: When you collect waitlist applicants through Day56, you are the data controller and Day56 is your data processor — we handle that applicant data only on your instructions. This agreement (a GDPR Article 28 Data Processing Agreement) sets out how we protect it, who our sub-processors are, what happens in a breach, and how to get your data back or deleted. It forms part of your agreement with Day56.

This Data Processing Agreement ("DPA") supplements the agreement between Day56 and the breeder customer for use of the Day56 service ("Principal Agreement"). It governs Day56's processing of personal data — specifically, waitlist-applicant data — on the breeder's behalf. Day56 is the processor; the breeder is the controller. This DPA addresses GDPR Article 28(3) processor obligations, data protection across Day56's AWS infrastructure, breach notification, audit rights, and return or deletion of data on termination.

1. Parties and Roles

Day56 ("Processor"). Operator of the Day56 waitlist and lightweight CRM service at day56.com. Day56 is a solo founder-operator enterprise engaged by the breeder to process applicant personal data solely on the breeder's instructions and for the breeder's benefit.

The Breeder ("Controller"). A Day56 customer who holds an account and uses the service to collect, organize, and manage waitlist-applicant and customer data in connection with their ball-python breeding operation.

Data protection roles:

The Founder-Operator holds all data-protection roles (privacy/DPO-equivalent contact, incident commander, DSAR intake) and is reached for all purposes under this DPA at privacy@day56.com.

2. Definitions

Terms not defined here carry the meanings given in the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR, the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), the Personal Information Protection and Electronic Documents Act (PIPEDA), and related data protection laws.

3. Subject-Matter, Duration, Nature, and Purpose of Processing

Subject-matter. Day56's processing of applicant data on the breeder's behalf in the course of providing the Day56 service.

Duration. For the term of the Principal Agreement, plus any period during which Day56 retains applicant data pending return or deletion under Section 9.

Nature and purpose. Collecting, storing, organizing, displaying, transmitting (including by email and API), analyzing, and otherwise handling applicant data so the breeder can:

Processing categories. Day56 engages in storage, retrieval, organization, transmission, analysis, and deletion of applicant data using automated and manual processes. Encryption, access control, and security monitoring are implemented to protect the data throughout its lifecycle.

4. Categories of Personal Data and Data Subjects

Categories of applicant personal data (the data Day56 processes on the breeder's behalf):

Categories of data subjects: waitlist applicants; customers (past or prospective purchasers); site visitors (to public breeder pages, where analytics are enabled).

Special-category data (Art. 9 GDPR). Day56 does not require, collect, or request special-category data (race, ethnicity, religion, health, biometrics, sex life, etc.). The breeder agrees not to use Day56's free-text fields to submit special-category data unless separately agreed in writing and documented. If the breeder accidentally submits special-category data, Day56 will notify the breeder and (on request) assist in its removal.

5. Day56's Processor Obligations (GDPR Art. 28(3))

5.1 Processing Only on Documented Instructions

Day56 processes applicant data only on the breeder's documented instructions, including with regard to international transfers, unless required to do otherwise by applicable law. Your use and configuration of the Day56 service, together with this DPA and the Principal Agreement, constitute your complete and final documented instructions.

If Day56 receives a legal order (e.g., from law enforcement or a regulator) requiring processing of applicant data beyond these instructions, Day56 will inform you of that legal requirement before complying, unless the law prohibits such notice. Day56 will inform you if, in its opinion, an instruction infringes data protection law.

5.2 Confidentiality and Staff Training

Day56 (the Founder-Operator) ensures that any personnel authorized to process applicant data are bound by written confidentiality obligations; that no applicant personal data is shared internally except as necessary to provide the service (support, security incident response, or operational maintenance); that personnel are trained on data-protection principles and the sensitivity of applicant data; and that access to applicant data is limited to the minimum necessary. As a solo founder-operator enterprise, Day56 currently has a single authorized person (the Founder-Operator); these obligations bind that person and apply to any future personnel before they are granted access to applicant data.

5.3 Technical and Organizational Security Measures (GDPR Art. 32)

Day56 implements and maintains appropriate security measures to protect applicant data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Current measures include:

Infrastructure & encryption. Application data is stored in a managed AWS RDS MySQL 8 database with Multi-AZ automatic failover, deletion protection, and a final snapshot on deletion; database storage is encrypted at rest (AWS KMS), and database credentials are held in AWS Secrets Manager rather than in code. The application runs on an AWS EC2 instance (PHP 8.3 / Apache) with an encrypted root volume. TLS is enforced for all application and email transport, HSTS is sent, and mixed content is blocked. Inbound email reply routing uses signed, verified tokens (no plaintext breeder identifiers in email addresses). The upload bucket and infrastructure-state bucket are private (Block Public Access, no public-read policy) with server-side encryption and lifecycle policies.

Network & access control. Amazon CloudFront sits in front of the EC2 origin, and the application verifies a shared-secret origin-verification header so that only requests routed through CloudFront are served — direct hits to the origin host or IP return HTTP 403, preventing CDN/WAF bypass. An AWS WAF Web ACL is attached to CloudFront with AWS managed rule sets (Common, Known-Bad-Inputs, IP-Reputation) plus per-IP rate limiting. The database runs in private subnets with no public IP, reachable only from the application's security group. EC2 inbound traffic is restricted to HTTP/HTTPS from CloudFront and administrative SSH from designated IPs; keyless administrative access is also available via AWS Systems Manager. The EC2 instance assumes a least-privilege IAM role, and instance-metadata access is hardened (IMDSv2 enforced).

Authentication & session security. Passwords are hashed with bcrypt (cost factor 12) and never stored in plaintext; new and changed passwords are checked against the Pwned Passwords breach database using k-anonymity (only the first five characters of a hash are ever sent — the full hash and plaintext never leave the server). Sessions use HttpOnly, Secure, SameSite cookies; changing a password rotates an authentication token that instantly logs out all other sessions. Optional authenticator-app two-factor authentication (RFC 6238 TOTP) is available to all breeders, with TOTP secrets and backup codes encrypted at rest (libsodium).

Data access & isolation. Database queries are parameterized and scoped to the authenticated breeder account, so one breeder's applicant data is not accessible to another. All authenticated mutation endpoints require Origin-header verification (CSRF defense); logout is POST-only.

Input validation & defense. Request inputs are screened for suspicious SQL-injection patterns, which trigger rate-limited operator alerts and a rejected request. All database access uses parameterized prepared statements. Applicant-supplied HTML in the email/inbox view is sanitized before display, and applicant names and customer fields are HTML-escaped on output to prevent stored cross-site scripting. Application-level rate limiting and an IP ban list operate in addition to the edge WAF.

Logging, monitoring & incident response. Apache access logs and PHP error logs are shipped to AWS CloudWatch Logs (30-day retention). Uncaught exceptions and fatal errors are logged and trigger rate-limited operator alerts. An admin audit log records state-changing administrative actions (action, actor, target, metadata, IP, user-agent, timestamp). An uptime check runs every two minutes and alerts the operator if the service is down. Documented incident-response and disaster-recovery plans (with RPO/RTO targets) are maintained and available to the breeder in summary on request.

Resilience & recovery. Multi-AZ RDS provides automatic database failover across availability zones; automated database backups (7-day retention) support point-in-time recovery; infrastructure state is versioned in an encrypted remote store.

Third-party & vendor security. Sub-processors are engaged under terms imposing data-protection and security obligations (see Section 6). Email credentials are stored outside the web root. Day56 relies on AWS's certified, managed services, which inherit AWS's SOC 2 Type II and ISO 27001 certifications.

Evolving security posture. These measures may evolve to address new threats, regulatory guidance, or operational improvements. Day56 will not materially reduce the overall level of security during the term. Material reductions (e.g., encryption downgrade, removal of audit logging, reduced monitoring) will be communicated in advance, with an opportunity for the breeder to object or terminate.

5.4 Sub-processors (GDPR Art. 28(4))

The breeder provides general authorization for Day56 to engage sub-processors to process applicant data. Day56's current sub-processors are listed in Section 6. Day56 will impose on each sub-processor, by written contract, data-protection obligations no less protective than those in this DPA — in particular: processing on instructions only; confidentiality of staff; technical and organizational security; assistance with data-subject rights; breach notification to Day56; and return or deletion on termination. Day56 remains fully liable to the breeder for each sub-processor's performance of these obligations.

5.5 Assistance with Data-Subject Requests (GDPR Ch. III)

Taking into account the nature of the processing, Day56 will assist the breeder by appropriate technical and organizational measures to respond to requests from data subjects exercising their rights:

Day56 will respond to reasonable written requests from the breeder to confirm what applicant data is held, retrieve specific records, or assist in responding to data-subject requests, at no additional charge.

5.6 Assistance with Compliance Duties (GDPR Art. 32–36)

Day56 will assist the breeder, taking into account the nature of the processing and the information available to Day56, with security (Art. 32 — see Section 5.3), breach notification (Art. 33–34 — see Section 8), data protection impact assessments (Art. 35 — Day56 provides information about the processing to enable the breeder's DPIA, but is not liable for the breeder's failure to conduct one), and prior consultation with a supervisory authority (Art. 36 — the breeder initiates; Day56 provides reasonable support). The breeder is responsible for the security of breeder-account credentials and email access.

6. Sub-processors

You (the breeder) expressly authorize Day56 to engage the following sub-processors to process applicant data. Each is engaged under terms imposing data-protection obligations consistent with Art. 28 (DPA, Data Processing Addendum, or Terms of Service, as applicable).

| Sub-processor | Service / Role | Location | Relevance to applicant data | Certifications / Notes |
|---|---|---|---|---|
| Amazon Web Services | Cloud infrastructure: EC2, RDS MySQL, S3, Secrets Manager, CloudWatch, CloudFront, WAF, KMS, IAM, Lambda, Route 53 | US (us-east-1) | Hosts all application, database, backup, and logging infrastructure. All applicant data is stored, encrypted, and processed in AWS. | SOC 2 Type II, ISO 27001; AWS DPA + SCCs |
| Hostinger | Outbound SMTP (mail relay) and inbound IMAP (reply ingestion) | US (mail servers) | Transmits applicant email content to applicants; receives and processes reply emails. Credentials stored outside the web root. | GDPR-compliant; DPA available |
| Amazon SES | Outbound email (configured for a future cutover from Hostinger) | US (us-east-1) | Will transmit applicant email content once the cutover completes. DKIM is verified; custom MAIL FROM and production access are still pending. | AWS-managed; covered under AWS DPA + SCCs |
| PayPal | Subscription billing and payment processing | US | Processes breeder subscription payments only — not used to process applicant data. | PCI DSS Level 1; DPA available |
| Google (Gemini API) | AI email drafting, rewrite, and reply assistance (Pro feature) | US | Processes draft text the breeder submits for AI assistance. No applicant data is sent by design; if the breeder pastes applicant details into a draft, that content is transmitted. Use is at the breeder's discretion. | Paid tier with no-training (verified); DPA available |
| Groq (GroqCloud) | Fallback AI for email drafting; primary AI for in-dashboard help chat | US | Processes draft text and help-chat queries the breeder submits. No applicant data is sent by design; if the breeder pastes applicant details, that content is transmitted. Use is at the breeder's discretion. | No-training (verified); governed by Groq Terms of Service |
| Discord | Operator monitoring, alerting, and logging webhooks | US | Receives operator-level event notifications (app errors, security alerts, uptime status). Carries operator/account telemetry only — not applicant PII by design. Not visible to applicants. | GDPR-compliant; Terms of Service available |
| HaveIBeenPwned | Breached-password check (authentication security) | US | Checks breeder account passwords using k-anonymity. Only the first five characters of a SHA-1 hash are transmitted; the full hash and plaintext never leave the server. No applicant data transferred. | k-anonymity model; no PII exposure |

Sub-processor obligations. Day56 will impose on each sub-processor, by written contract, the following: processing on instructions only; confidentiality; appropriate security (Art. 32); reasonable assistance with data-subject requests; prompt breach notification to Day56; return or deletion of personal data on termination; and reasonable cooperation with audits. Day56 remains fully liable to the breeder for each sub-processor's failure to perform these obligations and will take corrective action or terminate the sub-processor relationship as needed.

Current status (honest disclosure): Day56 relies on the published DPAs, SCCs, and Terms of Service of the sub-processors above. Formal countersigned DPAs/SCCs with every sub-processor are not all signed and filed yet; completing this is on the roadmap (Section 10).

Sub-processor changes and objection. Day56 will give written notice to the breeder's registered contact email at least 30 days before adding or replacing a sub-processor that will process applicant data, identifying the vendor, the service, and any material change to the processing. If the breeder has a reasonable data-protection objection, they may object in writing to privacy@day56.com within the notice period; Day56 will reasonably attempt to address it (tighter terms, restricted data categories, or a technical workaround). If Day56 cannot reasonably accommodate the objection, the breeder may terminate the Principal Agreement (or the specific feature that uses the sub-processor) without penalty, provided notice is given before the change takes effect. A self-service, real-time sub-processor list is on the product roadmap.

7. International Transfers

The Day56 service is hosted in the United States (AWS us-east-1), and the sub-processors in Section 6 are US-based. This means applicant data leaves the European Economic Area (EEA) and UK when stored in or transmitted through Day56.

Legal basis for transfer. Where applicant data of EEA or UK data subjects is transferred to the United States or processed by US sub-processors, such transfers are made on the basis of: (1) EU Standard Contractual Clauses (SCCs) under Day56's agreements with AWS and other US-based sub-processors (Module Two, controller-to-processor, or equivalent), together with supplementary measures; (2) the UK International Data Transfer Addendum (IDTA) or UK Addendum where applicable; and (3) the breeder's authorization, as part of the breeder's documented instructions, by accepting the Principal Agreement and this DPA. Day56 will ensure each sub-processor arrangement includes an appropriate transfer mechanism before applicant data is transferred (completing the filing of executed SCCs with all sub-processors is on the roadmap — see Section 10).

Supplementary measures (Schrems II). In recognition of Schrems II (Case C-311/18) and EDPB Recommendations 01/2020, Day56 implements encryption at rest (AWS KMS) and in transit (TLS), access restrictions (per-breeder isolation, least-privilege IAM, minimal access), limited retention (deletion on request or termination — no indefinite retention), transparency around government-access requests (Section 5.1), and ongoing monitoring of case law and regulatory guidance.

Adequacy and opt-out. If a breeder has concerns about US transfers, they may: restrict the use of AI-assisted features (Gemini, Groq) to avoid those optional sub-processor transfers; avoid uploading or referencing special-category data in free-text fields; or request that applicant data not be transferred outside the EEA/UK — in which case, because the service is US-hosted, Day56 will discontinue service or delete the data, as the breeder prefers.

8. Personal-Data Breach Notification

Day56 will notify the breeder without undue delay and, in any case, within 72 hours of becoming aware of a personal-data breach affecting applicant data held by Day56. The notification will describe, to the extent known and as it becomes available: the nature of the breach; the categories of data subjects affected; the approximate number of data subjects and records affected; the likely consequences; the measures taken or proposed; and a contact point (privacy@day56.com).

Assistance. Day56 will reasonably assist the breeder in determining whether notification to a supervisory authority or to applicants is required (GDPR Art. 33–34 and other applicable law), in drafting notifications (suggested language or templates), and in cooperating with any regulator request, subject to legal constraints.

Indicative timeline. T+0: breach detected or suspected. T+0–24h: Day56 investigates, gathers facts, and contacts the breeder if immediate action is required (e.g., to disable a compromised account). T+24–72h: Day56 notifies the breeder in writing with preliminary details. T+72h onward: Day56 provides updates and coordinates on disclosure to authorities and affected parties.

Confidentiality. Notice of a breach is not an admission of fault, negligence, or liability. The breeder agrees to handle breach notices confidentially (other than as required by law or as necessary to protect affected individuals), except as required to comply with the breeder's own legal notification obligations.

9. Deletion or Return on Termination

On termination or expiry of the Principal Agreement, the breeder may request that Day56 delete or return all applicant data, and Day56 will comply within 30 days of the request.

Deletion. Day56 permanently deletes applicant data from the production database. Existing automated database backups (7-day retention with point-in-time recovery) are allowed to expire on the standard cycle or are deleted sooner at the breeder's request; the maximum lag for backup expiry is 7 days after primary deletion. On request, Day56 will provide written certification of deletion (excluding the limited residue described below).

Return. If the breeder requests a return of data instead, Day56 exports all applicant data in a standard format (JSON or CSV) and provides it via secure download link; the breeder is then responsible for the storage and security of the returned data.

Exceptions. Day56 may retain applicant data after termination where law, regulation, or a court order requires it; as operational/backup residue (anonymized aggregate statistics and system logs — e.g., CloudWatch Logs, 30-day retention — that do not identify individual applicants); or to investigate, remediate, and prevent recurrence of a suspected breach. In all cases, Day56 minimizes retention to the time necessary and will not use retained data for any other purpose.

The breeder is encouraged to export their data via Day56's self-service export before account termination, ensuring they hold a complete independent copy.

10. Audit and Compliance Verification

The breeder has the right to conduct or commission reasonable audits of Day56's compliance with this DPA. Day56 will provide documentation reasonably necessary to demonstrate compliance with Art. 28 GDPR, including this DPA, the sub-processor list and change notifications, Day56's governance documentation (privacy policy, security-measures summary, incident-response and disaster-recovery summaries), a controls inventory, aggregated admin audit-log summaries (without sensitive applicant data), breach-notification history, and uptime/availability records.

Method. Day56 primarily satisfies audit requests through written responses and documentation review rather than on-site inspections. Reasonable written questionnaires (SOC 2-style, ISO 27001-style, or GDPR Art. 28 checklists) are welcome and answered within 15 business days. A breeder-requested third-party audit is supported subject to: at least 30 days' advance notice; a clearly defined scope limited to Day56's Art. 28 obligations; a confidentiality agreement signed by the auditor; no more than once per calendar year (unless triggered by a security incident or required by a supervisory authority); and the breeder bearing the cost.

Monitoring. Day56 maintains an admin audit log, uptime monitoring (checks every two minutes), error tracking, WAF and rate-limit metrics, and periodic review of security-relevant events.

Roadmap (honest disclosure of items not yet complete). The following are accurately disclosed as not yet implemented and are not claimed as current controls: SOC 2 Type II certification (in progress); formal executed DPAs/SCCs countersigned and filed with every sub-processor; cross-region disaster recovery, DR drill-testing, and a documented golden AMI (a single-region, Multi-AZ DR plan with RPO/RTO is in place today); off-box backup of uploaded files (database and infrastructure state are already backed up); a CI/CD pipeline with automated security testing (SAST/DAST); mandatory two-factor authentication (optional TOTP 2FA is available today); a self-service real-time sub-processor list; and a custom MAIL FROM / SPF alignment plus production access for Amazon SES (email currently sent via Hostinger).

11. Data Protection Impact Assessment (DPIA)

Processing of applicant data through Day56 may be subject to a DPIA under GDPR Art. 35 if, for example, the breeder uses automated decision-making or extensive profiling of applicants, collects special-category data, or conducts large-scale monitoring of applicants. Day56 is not obligated to conduct the DPIA on the breeder's behalf, but will provide information about its processing, security, and controls (via this DPA and the governance pack) to enable the breeder to complete one. The breeder is responsible for assessing whether a DPIA is required and, if so, for conducting it.

12. Compliance with GDPR, CCPA/CPRA, PIPEDA, and Other Laws

GDPR / UK GDPR. This DPA is designed to comply with the processor-relevant provisions of the GDPR and UK GDPR — in particular Art. 5 (principles; the breeder establishes the lawful basis and provides privacy notices to applicants), Art. 6 (lawfulness), Art. 28 (processor obligations), Art. 32 (security — Section 5.3), Art. 33–34 (breach notification — Section 8), and Art. 44–50 (transfers — Section 7).

CCPA/CPRA (California). Where applicants are California residents, Day56 acts as a "service provider": it processes applicant data only to provide the service to the breeder; it will not sell or share applicant data and will not retain, use, or disclose it except to perform the service or as permitted by law; it will assist the breeder in responding to consumer requests (know, delete, correct, opt-out, portability); and it flows down equivalent service-provider/contractor restrictions to sub-processors.

PIPEDA (Canada). Where applicants are Canadian residents, Day56 processes applicant data only on the breeder's instructions, protects it with appropriate safeguards, assists with access and correction requests, and notifies the breeder of any breach of security safeguards involving applicant data.

Other laws. To the extent any other data-protection law applies (e.g., LGPD in Brazil, PDPA in Singapore), Day56 will comply with equivalent processor obligations, security standards, and data-subject rights. The breeder is responsible for understanding which laws apply and communicating any special requirements to Day56.

13. Liability and Limitation of Liability

Day56 is liable to the breeder for breach of this DPA or failure to comply with its GDPR Art. 28 processor obligations — including failing to process applicant data only on the breeder's instructions, failing to implement appropriate security measures, unauthorized disclosure, failure to notify the breeder of a breach, failure to assist with data-subject requests or regulatory inquiries, or engaging a sub-processor without proper authority or obligations.

The limitation-of-liability provisions of the Principal Agreement apply to this DPA and govern the parties' aggregate liability, except that nothing here limits or excludes either party's liability where such limitation is not permitted by applicable data protection law (for example, statutory liability to data subjects under GDPR Art. 82). Day56 remains liable to the breeder for each sub-processor's failure to perform its data-protection obligations to the same extent Day56 would be liable for its own performance, subject to those limitations. Applicants and other data subjects are not third-party beneficiaries of this DPA; data-subject rights are exercised through applicable data protection law, not this contract.

14. Term and Survival

This DPA takes effect on the effective date stated above or on the breeder's acceptance of the Day56 Principal Agreement, whichever is later, and remains in force for the entire term of the Principal Agreement. The following survive termination: confidentiality (5.2); deletion or return of applicant data (9); breach notification (8) for breaches occurring during the term even if discovered afterward; liability (13); governing law (16); and this survival clause (14).

15. Amendments and Modifications

Day56 may amend this DPA to reflect changes to applicable law or regulatory guidance, to update the sub-processor list (per Section 6), or to correct errors or clarify ambiguities. Day56 will provide written notice of material amendments (changes to security, liability, data transfers, or processor obligations) at least 30 days in advance; if the breeder objects on data-protection grounds and Day56 does not withdraw the change, the breeder may terminate the Principal Agreement for cause without penalty. Minor amendments (e.g., correcting a sub-processor's address) may be made with shorter notice.

16. Governing Law and Jurisdiction

This DPA is governed by and construed in accordance with the laws of the State of California, United States, excluding its conflicts-of-law principles. To the extent any provision conflicts with the mandatory requirements of the GDPR, UK GDPR, CCPA/CPRA, PIPEDA, or other applicable data protection law, those mandatory requirements prevail: for EEA/UK breeders or applicants, the mandatory provisions of the GDPR or UK GDPR prevail over conflicting California law; for California residents, the mandatory provisions of the CCPA/CPRA prevail.

Subject to that carve-out, any legal action arising out of or relating to this DPA shall be brought in the state or federal courts located in California, and the parties consent to that jurisdiction and venue. If the Principal Agreement contains an arbitration clause, that clause also applies to disputes arising under this DPA.

17. Contact Information

All notices, objections, requests, and inquiries related to this DPA should be directed to the Founder-Operator at privacy@day56.com. This single address serves as the privacy/DPO-equivalent contact, incident-notification point, and DSAR/audit intake for this DPA. Day56 will respond to DPA-related inquiries within 10 business days; time-sensitive matters (e.g., breach notifications, emergency deletion requests) are prioritized.

18. Regulatory References and Frameworks

This DPA is anchored to the following standards and frameworks:

19. Acceptance

This DPA forms part of the Day56 Terms of Service. By creating and using a Day56 account, the breeder acknowledges and agrees to:

  1. The roles and obligations set forth in this DPA (breeder as controller, Day56 as processor).
  2. Day56's current security measures and the sub-processors listed in Section 6.
  3. The international transfer of applicant data to the United States and processing by US-based sub-processors, on the basis of Standard Contractual Clauses / IDTA and supplementary measures.
  4. The 30-day sub-processor change-notice period and objection mechanism in Section 6.
  5. Day56's breach-notification timeline (within 72 hours) and the breeder's responsibility to notify affected applicants and regulators as required by law.
  6. The 30-day window for deletion or return of applicant data on termination.

A breeder who requires a countersigned copy of this DPA for their own records may request one at privacy@day56.com.