Data Processing Agreement
Last updated: 7 April 2026
This Data Processing Agreement ("DPA") forms part of the agreement between CrecheHQ ("Processor") and the childcare provider ("Controller") for the provision of the CrecheHQ platform. This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Irish Data Protection Act 2018.
1. Definitions
Terms not defined herein have the meaning given to them in the GDPR. "Personal Data" means any data processed by the Processor on behalf of the Controller through the CrecheHQ platform, including child records, staff data, parent/guardian contact details, attendance records, financial data, and chat messages.
2. Scope of Processing
The Processor processes Personal Data solely to:
- Provide the CrecheHQ childcare management platform and its features (enrolment, attendance, invoicing, payments, chat, compliance tracking)
- Perform automated content moderation on chat messages to detect inappropriate content, harassment, personal data sharing, and safeguarding concerns
- Store and serve file attachments (documents, images) uploaded by authorised users
- Send transactional communications (email notifications, WhatsApp alerts) on behalf of the Controller
3. Categories of Data Subjects
- Children enrolled in the Controller's service
- Parents and guardians
- Staff members and auxiliary workers
- Organisation owners and administrators
4. Types of Personal Data
- Identity data: Names, dates of birth, PPS numbers (where provided for ECCE/NCS)
- Contact data: Email addresses, phone numbers, postal addresses
- Financial data: Bank details (encrypted at rest), payment records, invoice history
- Attendance data: Check-in/out times, session records
- Chat data: Message text, file attachments, moderation flags
- Health data: Allergies and medical information (where provided by parents)
- Staff credentials: Garda vetting status, qualifications, first aid certificates
5. Sub-processors
The Controller authorises the Processor to engage the following sub-processors. The Processor will notify the Controller of any changes to this list with at least 30 days' notice.
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Database hosting (PostgreSQL) | Germany |
| Cloudflare, Inc. | File storage (R2), DNS, CDN | EU |
| Stripe Payments Europe, Ltd. | Payment processing | Ireland |
| Anthropic, PBC | AI chat content moderation (message text only, no personal identifiers transmitted) — ONLY applicable if organisation enables AI moderation in Settings | United States* |
| Resend, Inc. | Transactional email delivery | Ireland (sending); United States |
| PostHog, Inc. | Product analytics (consent-gated) | Germany |
*AI moderation is optional and disabled by default for new organisations. When enabled, only message text is sent for classification — no sender names, child names, or other personal identifiers are transmitted. We are evaluating EU-hosted inference endpoints (AWS Bedrock eu-west-1, GCP Vertex EU) to bring this processing within the EEA.
6. Security Measures
The Processor implements the following technical and organisational measures:
- Encryption in transit (TLS 1.2+) for all data communications
- Encryption at rest for sensitive fields (bank details, PPS numbers) using AES-256
- Database access restricted via encrypted WireGuard tunnel (Tailscale) — no public database access
- Role-based access control (RBAC) with 5-tier permission hierarchy
- EXIF metadata stripping on all uploaded images (removes GPS location data)
- Server-side HTML sanitisation (DOMPurify) on all user-submitted text
- Rate limiting on all API endpoints (per-user and per-organisation)
- Comprehensive audit logging of all data access and modifications
- JWT-based session management with periodic revalidation
7. Data Subject Rights
The Processor will assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) within the timeframes required by the GDPR. The Processor provides data export functionality and account deletion tools within the platform.
8. Breach Notification
The Processor will notify the Controller without undue delay (and in any event within 48 hours) upon becoming aware of a personal data breach affecting the Controller's data. The notification will include the nature of the breach, categories of data affected, approximate number of records, and measures taken or proposed to mitigate the breach.
9. Data Deletion & Retention
Upon termination of the agreement, the Processor will delete Controller Personal Data without undue delay in accordance with GDPR Article 17. The Controller may request a data export prior to termination. The following retention carve-outs apply:
- Financial records: Invoice and payment data retained for 7 years as required by Irish Revenue obligations (Taxes Consolidation Act 1997)
- Audit logs: Security and access logs retained for up to 12 months for fraud prevention and legal claims
- Backup copies: Encrypted backups are rotated on a 30-day cycle and purged as part of standard backup rotation
- Chat attachments: Attachments on deleted messages are permanently removed from storage after 30 days
10. Audit Rights
The Controller has the right to audit the Processor's compliance with this DPA upon reasonable notice. The Processor will make available all information necessary to demonstrate compliance, including access to audit logs and security documentation.
11. International Transfers
The Processor's primary infrastructure (database, file storage, analytics) is hosted within the EU. Certain sub-processors are located outside the EEA, as detailed in the sub-processor table above.
Where sub-processors are located outside the EEA, data transfers are subject to appropriate safeguards including Standard Contractual Clauses (SCCs) as approved by the European Commission, or an adequacy decision where applicable.
12. Governing Law
This DPA is governed by the laws of the Republic of Ireland. The Irish Data Protection Commission is the competent supervisory authority.
13. Contact
For questions about this DPA, contact us at privacy@crechehq.ie.