Data Protection Addendum
Effective: 03 October 2025
This Data Protection Addendum ("DPA") forms part of the Regentis™ services agreement between Majesty-Coaching ("Processor") and the contracting party ("Customer", or "Controller"). It governs the processing of Customer Personal Data by the Processor under the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, the Swiss FADP, and equivalent laws (collectively, "Data Protection Laws").
1. Definitions
"Customer Personal Data" means any personal data that the Processor processes on behalf of the Customer in connection with the Services. "Sub-processor" means any third party engaged by the Processor to process Customer Personal Data. "Standard Contractual Clauses" or "SCCs" means the EU Commission's Standard Contractual Clauses (Decision 2021/914) for transfers to third countries.
2. Roles & scope
The Customer is the Controller and the Processor processes Customer Personal Data only on documented instructions from the Customer, including with regard to international transfers, except where required to do otherwise by EU or Member State law.
3. Subject matter, duration, nature, purpose
- Subject matter: processing of Customer Personal Data necessary to deliver the Regentis™ programme.
- Duration: for the term of the services agreement plus the deletion period in § 11.
- Nature and purpose: coaching delivery, written diagnostics, sheets/SOPs implementation, async support, scheduling, and payment processing.
- Categories of data subjects: the Customer (founder/operator), and individuals voluntarily named by the Customer in delivery materials (e.g. team members, clients).
- Categories of personal data: identity, contact, business operating data (revenue, pipeline, delivery metrics), strategy-call recordings if explicitly authorised, payment metadata.
4. Processor obligations
The Processor will:
- Process Customer Personal Data only on documented instructions from the Customer;
- Ensure that personnel authorised to process the data are bound by confidentiality;
- Implement the technical and organisational measures described in § 7 below;
- Engage Sub-processors only as permitted in § 5;
- Assist the Customer, taking into account the nature of the processing, in fulfilling its obligations to respond to data-subject requests;
- Assist the Customer in ensuring compliance with security, breach notification, and DPIA obligations under Art. 32–36 GDPR;
- At the Customer's choice, delete or return Customer Personal Data after the end of the services (see § 11);
- Make available all information necessary to demonstrate compliance and allow audits per § 9.
5. Sub-processors
The Customer hereby provides general written authorisation for the Processor to engage the Sub-processors listed below. The Processor will inform the Customer of any intended additions or replacements with at least 30 days' notice, providing the opportunity to object.
| Sub-processor | Function | Region |
|---|---|---|
| Vercel Inc. | Site hosting / edge delivery | US (EU edges; SCCs) |
| Cal.com, Inc. | Strategy-call scheduling | EU / US (SCCs) |
| Kit (ConvertKit, LLC) | Email + lead-magnet automation | US (SCCs) |
| Stripe Payments Europe, Ltd. | Payment processing | EU (Ireland) |
| PostHog Inc. | Product analytics (EU region) | EU |
| Google Ireland Ltd. | Google Analytics 4 | EU / US (SCCs) |
| Resend, Inc. | Transactional email (planned) | US (SCCs) |
6. International transfers
Where Customer Personal Data is transferred outside the EU/EEA, the Processor relies on the EU-US Data Privacy Framework (where the recipient is certified) or on Standard Contractual Clauses (Modules 2 and 3, as applicable) with supplementary measures sufficient to provide an essentially equivalent level of protection following the Schrems II ruling.
7. Security measures (Art. 32 GDPR)
The Processor implements appropriate technical and organisational measures, including:
- TLS 1.2+ encryption in transit on every endpoint;
- At-rest encryption for stored Customer Personal Data with vendor-managed keys;
- Access control: principle of least privilege; MFA on every operational account; access reviewed at least annually;
- Pseudonymisation of analytics events (no email or full IP collected by analytics processors);
- Logging and monitoring of access to systems containing Customer Personal Data;
- Backup and recovery testing;
- Incident response procedure with the 72-hour notification obligation under Art. 33 GDPR;
- Vendor security review prior to engaging any new Sub-processor;
- Annual review of these measures.
8. Personal data breach notification
The Processor will notify the Customer without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include, where available, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach.
9. Audits
The Processor will make available to the Customer, on reasonable request and no more than once per twelve-month period, all information necessary to demonstrate compliance with this DPA and Art. 28 GDPR. Where the Customer reasonably requests an audit beyond this, the parties will agree on scope and timing in good faith. The cost of any on-site audit is borne by the Customer unless the audit reveals a material breach by the Processor.
10. Assistance with data-subject requests
Taking into account the nature of the processing, the Processor will assist the Customer by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Customer's obligation to respond to requests from data subjects exercising rights under Chapter III GDPR.
11. Deletion or return of Customer Personal Data
Upon termination of the services agreement, the Processor will, at the Customer's choice, delete or return all Customer Personal Data, including all copies, within 90 days, except where retention is required by EU or Member State law (e.g. § 147 AO for tax records). The Processor will certify deletion in writing on request.
12. Liability
Each party's liability under this DPA is subject to the liability provisions of the underlying services agreement (see Terms & Conditions § 9), without limiting either party's liability under Art. 82 GDPR.
13. Order of precedence
In the event of a conflict between this DPA and the services agreement, this DPA prevails with regard to the processing of Customer Personal Data.
14. Governing law & venue
This DPA is governed by the laws of the Federal Republic of Germany. Disputes are subject to the venue rules of the underlying services agreement.
15. Term & termination
This DPA becomes effective on the effective date of the services agreement and remains in force until completion of the deletion / return obligations in § 11.