Back to dashboard

Processor Register

The Copper Still ยท GDPR privacy accountability pack (demonstration)

Document ReferencePROC-001
Document TitleProcessor Register
Version1.0
StatusApproved
OwnerData Controller
Approved ByBusiness Owner
Effective Date6 July 2026
Review FrequencyAnnual
Next Review6 July 2027
ClassificationInternal
Related DocumentsROPA Dashboard, TEL-001, PN-001

1 Purpose

This register records the processors that handle personal data on behalf of The Copper Still, the safeguards in place (Article 28 contracts / Data Processing Agreements), the location of processing, and the international transfer basis (Chapter V) where data leaves the EEA.

2 Processor Register

ProcessorPurposeArt 28 / DPALocation & Transfer BasisDue Diligence
SupabaseReservations database & Edge FunctionsDPA with SCCs retainedWest EU (Paris), eu-west-3 โ€” EEA. No transfer required for data at rest.Complete
CloudflareWebsite hosting & Turnstile anti-spamDPA with SCCs retainedGlobal CDN, US-based. SCCs + published DPA.Complete
TelegramReservation notifications to a restricted staff chatNo enterprise DPA availableGlobal (HQ Dubai, UAE). SCCs executed internally; EDPO acts as Article 27 representative (Brussels). Accepted with TEL-001 controls.Accepted with controls
Microsoft 365Email, recruitment, staff & payroll recordsMicrosoft Products & Services DPA with SCCsGlobal with contractual safeguards.Complete
Mailchimp (Intuit)Email marketing deliveryDPA retainedUS. EU-US Data Privacy Framework certified; SCCs as fallback.Complete
Payroll providerPayroll processingDPA to be executed on selectionTo be confirmed โ€” Ireland/EEA-hosted preferred.Outstanding

3 Telegram โ€” Documented Position

Telegram FZ-LLC is headquartered in Dubai, UAE. It does not offer enterprise Data Processing Agreements. It relies on Standard Contractual Clauses executed internally across its corporate network, and the European Data Protection Office (EDPO) is its designated Article 27 representative in Brussels. The Copper Still accepts this position for operational reservation notifications only, subject to the controls in TEL-001 (restricted chat access, minimised content, quarterly review and deletion). This is recorded as an informed, documented risk acceptance by the data controller.

4 CCTV

CCTV footage is recorded and stored on a local recorder on-site. There is no cloud processor and no international transfer. The CCTV maintenance contractor does not have routine access to recordings; any access for maintenance is supervised and logged.

5 Ongoing Due Diligence

  • Retain each processor's DPA / terms and transfer documentation.
  • Re-check the transfer basis at annual review or when a provider changes terms.
  • Complete payroll provider due diligence before engagement (ROPA-005 action).

Version History

VersionDateDescriptionAuthor
1.06 July 2026Initial controlled version.Data Controller Representative

Approval

NameRoleSignatureDate
Business Owner