1 Purpose
This register records the processors that handle personal data on behalf of The Copper Still, the safeguards in place (Article 28 contracts / Data Processing Agreements), the location of processing, and the international transfer basis (Chapter V) where data leaves the EEA.
2 Processor Register
| Processor | Purpose | Art 28 / DPA | Location & Transfer Basis | Due Diligence |
|---|---|---|---|---|
| Supabase | Reservations database & Edge Functions | DPA with SCCs retained | West EU (Paris), eu-west-3 โ EEA. No transfer required for data at rest. | Complete |
| Cloudflare | Website hosting & Turnstile anti-spam | DPA with SCCs retained | Global CDN, US-based. SCCs + published DPA. | Complete |
| Telegram | Reservation notifications to a restricted staff chat | No enterprise DPA available | Global (HQ Dubai, UAE). SCCs executed internally; EDPO acts as Article 27 representative (Brussels). Accepted with TEL-001 controls. | Accepted with controls |
| Microsoft 365 | Email, recruitment, staff & payroll records | Microsoft Products & Services DPA with SCCs | Global with contractual safeguards. | Complete |
| Mailchimp (Intuit) | Email marketing delivery | DPA retained | US. EU-US Data Privacy Framework certified; SCCs as fallback. | Complete |
| Payroll provider | Payroll processing | DPA to be executed on selection | To be confirmed โ Ireland/EEA-hosted preferred. | Outstanding |
3 Telegram โ Documented Position
Telegram FZ-LLC is headquartered in Dubai, UAE. It does not offer enterprise Data Processing Agreements. It relies on Standard Contractual Clauses executed internally across its corporate network, and the European Data Protection Office (EDPO) is its designated Article 27 representative in Brussels. The Copper Still accepts this position for operational reservation notifications only, subject to the controls in TEL-001 (restricted chat access, minimised content, quarterly review and deletion). This is recorded as an informed, documented risk acceptance by the data controller.
4 CCTV
CCTV footage is recorded and stored on a local recorder on-site. There is no cloud processor and no international transfer. The CCTV maintenance contractor does not have routine access to recordings; any access for maintenance is supervised and logged.
5 Ongoing Due Diligence
- Retain each processor's DPA / terms and transfer documentation.
- Re-check the transfer basis at annual review or when a provider changes terms.
- Complete payroll provider due diligence before engagement (ROPA-005 action).
Version History
| Version | Date | Description | Author |
|---|---|---|---|
| 1.0 | 6 July 2026 | Initial controlled version. | Data Controller Representative |
Approval
| Name | Role | Signature | Date |
|---|---|---|---|
| Business Owner |