
Trust & Legal

Security and retention practices, our data processing agreement for providers, and—where applicable—the KVKK addendum for Türkiye.

    • 1.1 Our Security Philosophy
    • 1.2 How We Protect Your Data
      • 1.2.1 Infrastructure
      • 1.2.2 Encryption
      • 1.2.3 Access Control
      • 1.2.4 Backups
    • 1.3 Data Retention: How Long We Keep Info
    • 1.4 Incident Response & Breaches
    • 1.5 Deletion and Export
      • 1.5.1 Provider Requests
      • 1.5.2 Compliance
    • 1.6 Where Your Data Lives
    • 1.7 Your Security Responsibilities
    • 1.8 Subdomains, usernames, and identifiers

    • 2.1 The Core Roles (Definitions)
      • 2.1.1 Controller
      • 2.1.2 Processor
      • 2.1.3 Sub-Processor
      • 2.1.4 Data Subject
    • 2.2 Purpose and Scope of Processing
    • 2.3 Types of Data Handled
    • 2.4 Provider Obligations (Your Job)
    • 2.5 Suitespace Obligations (Our Job)
    • 2.6 Approved Sub-Processors
      • 2.6.1 AWS (Amazon Web Services)
      • 2.6.2 Stripe
      • 2.6.3 Amazon SES (AWS)
    • 2.7 International Data Transfers
    • 2.8 Data Security Measures
    • 2.9 Retention and Deletion
      • 2.9.1 Booking Data
      • 2.9.2 Financial Records
    • 2.10 Disputes and Governing Law
Security & Data Retention Policy

Last Updated: March 25, 2026

1. Our Security Philosophy

In Plain English

We take the "Fort Knox" approach to your data. We use world-class hosting, heavy encryption, and strict rules about who can see your information.

The purpose of this policy is to outline how Suitespace protects Provider and Customer data, ensuring we meet global standards like GDPR, KVKK, and PIPEDA.

2. How We Protect Your Data

In Plain English

We use the same security tech as top banks. Your data is encrypted whether it's sitting on our servers or traveling across the internet.

Infrastructure

Hosted on Amazon Web Services (AWS) in SOC 1, 2, and 3 certified data centers. This includes 24/7 physical security and network firewalls.

Encryption

All data is encrypted in transit (using TLS 1.2+) and at rest (using AES-256).

Access Control

We follow the "Principle of Least Privilege." Only essential Suitespace personnel can access systems, and they must use Multi-Factor Authentication (MFA).

Backups

We perform daily automated backups. These are stored in geographically redundant locations to ensure your data is safe even in a disaster.

3. Data Retention: How Long We Keep Info

In Plain English

We don't keep your data forever. We keep it as long as your account is active, and then for a specific "buffer" period afterward to satisfy tax laws and help with disputes.

Retention by category:

Data Category             | Retention Period                  | Reason
--------------------------|-----------------------------------|-------------------------
Provider Account Data     | Life of account + 12 months       | Operational continuity
Customer Booking Data     | 12 months after account closure   | Dispute resolution
Financial/Tax Records     | 5 years                           | Legal & tax compliance
Technical & Security Logs | 6 to 12 months                    | Security auditing
System Backups            | 30-day rolling cycle              | Disaster recovery

4. Incident Response & Breaches

In Plain English

If something goes wrong, we won't hide it. We will notify you immediately so you can take action.

In the event of a confirmed data breach, Suitespace will notify affected Providers without undue delay. We will provide details on what happened, what data was involved, and what we are doing to fix it. Providers are responsible for notifying their own Customers and local regulators where required by law.

5. Deletion and Export

In Plain English

Your data belongs to you. You can ask us to export it or delete it at any time.

Provider Requests

If you delete a Customer's data, it is removed from our active databases immediately. It may remain in our encrypted backups for up to 30 days until the next overwrite cycle.

Compliance

We assist Providers in fulfilling "Right to be Forgotten" requests from their Customers.

6. Where Your Data Lives

In Plain English

Our main "brain" is located in Northern Virginia, USA (AWS us-east-1). By using Suitespace, you agree to this international transfer of data.

To ensure global compliance, we use Standard Contractual Clauses (SCCs) and strict encryption for all cross-border data transfers.

7. Your Security Responsibilities

In Plain English

We provide the lock, but you have to turn the key. Use a strong password and don't share your login.

Security is a partnership. Providers must:

  • Use unique, complex passwords.
  • Enable Two-Factor Authentication (2FA) on their Suitespace and Stripe accounts.
  • Notify us immediately at security@suitespace.app if they suspect an account compromise.

8. Subdomains, usernames, and identifiers

In Plain English

We may restrict or reclaim a subdomain, username, or other identifier if it could confuse users, pose security risks, or conflict with reserved or official-looking names. We can act with or without prior notice when needed to protect the Service and its users.

We reserve the right to restrict, suspend, or reclaim any subdomain, username, or identifier that, in our sole discretion, may cause confusion, impersonation, security risks, system conflicts, or otherwise interfere with the operation or integrity of the Service. This includes names that are reserved, system-related, misleading, or that could reasonably be mistaken for official functionality or personnel. We may take such action with or without prior notice, particularly where necessary to protect users, the platform, or third parties.

Suitespace Data Processing Agreement (DPA)

Last Updated: March 25, 2026

1. The Core Roles (Definitions)

In Plain English

You (the Provider) are the "Boss" of the data—you decide why it's collected. We (Suitespace) are the "Helper"—we only touch the data to make the app work for you.

Controller

The Provider (You). You determine the purpose of the data.

Processor

Suitespace Inc. We act on your instructions.

Sub-Processor

Third parties we use to help us (like AWS or Stripe).

Data Subject

Your Customer (the end-user booking the service).

2. Purpose and Scope of Processing

In Plain English

We only use your customers' info to run your booking site, send them reminders, and keep your account secure. We don't sell this info or use it for our own marketing.

Suitespace processes Customer data strictly to:

  • Provide the booking and scheduling platform.
  • Manage notifications and automated reminders.
  • Host your provider website and booking pages.
  • Ensure platform security and prevent fraud.

3. Types of Data Handled

In Plain English

We handle names, emails, and phone numbers. We do not handle credit card numbers—that's strictly Stripe's job.

We process: names, contact details, booking times, and any custom notes you or your customers enter. Financial data is handled externally by Stripe Standard; Suitespace does not store or process raw cardholder data.

4. Provider Obligations (Your Job)

In Plain English

You must make sure it's legal for you to collect this data in the first place. You are responsible for telling your customers how you use their info.

As the Controller, you agree to:

  • Comply with GDPR, KVKK, PIPEDA, or your local laws.
  • Provide a clear Privacy Policy to your Customers.
  • Get valid consent from Customers where required.
  • Respond to your Customers if they ask to see or delete their data.

5. Suitespace Obligations (Our Job)

In Plain English

We only do what you tell us to do with the data. We keep it secret, keep it safe, and tell you immediately if there's a security breach.

As the Processor, Suitespace agrees to:

  • Process data only on your documented instructions.
  • Ensure our team keeps all data confidential.
  • Notify you "without undue delay" if we confirm a data breach.
  • Help you fulfill Customer data requests (Access, Deletion, Export).

6. Approved Sub-Processors

In Plain English

We use a few expert partners to keep the lights on. By using Suitespace, you're giving us the thumbs-up to use them.

We use the following key partners:

AWS (Amazon Web Services)

Cloud hosting and data storage.

Stripe

Payment processing infrastructure.

Amazon SES (AWS)

Email delivery via Amazon SES.

7. International Data Transfers

In Plain English

Our main servers are in the USA. We use "Standard Contractual Clauses" to make sure the data is protected even when it leaves your home country.

Data is processed in AWS us-east-1 (N. Virginia, USA). We implement high-level encryption and strict access controls to ensure these transfers meet global privacy standards.

8. Data Security Measures

In Plain English

We use encryption (TLS and AES-256), firewalls, and 24/7 monitoring to keep hackers out.

We maintain industry-standard technical measures, including:

  • Encryption of data "at rest" and "in transit."
  • Multi-factor authentication (MFA) for our internal systems.
  • Daily backups and disaster recovery protocols.

9. Retention and Deletion

In Plain English

When you leave, we don't hold onto your customers' info forever. We keep it for 12 months in case of disputes, then it's gone.

Upon termination of your account:

Booking Data

Retained for 12 months, then deleted/anonymized.

Financial Records

Retained for 5 years for legal/tax audits.

10. Disputes and Governing Law

In Plain English

This agreement is governed by the laws of Ontario, Canada.

Any legal disputes related to data processing shall be resolved exclusively in the courts of Toronto, Ontario.

© 2026 Suitespace Inc. All rights reserved.