Skip to content
Central

Data Processing Agreement

Last updated: 22 May 2026

1. Background and scope

This Data Processing Agreement (“DPA”) forms part of the agreement between Nutrapi Limited, trading as Central (the “Processor”), and the customer (the “Controller”) for use of the Central platform. It sets out how personal data is processed on the Controller’s behalf and applies whenever Central processes personal data subject to the GDPR.

2. Definitions

“Controller,” “Processor,” “Sub-processor,” “Personal Data,” “Processing,” and “Data Subject” have the meanings given to them in the GDPR. “Customer Personal Data” means personal data processed by Central on behalf of the Controller under the agreement.

3. Processing details

  • Nature: routing, storage, and management of customer communications.
  • Purpose: providing the Central platform to the Controller.
  • Duration: the term of the Controller’s subscription.
  • Data subjects: the Controller’s customers and contacts.
  • Data categories: contact details, message content, and related metadata.

4. Central obligations as Processor

Central shall process Customer Personal Data only on documented instructions from the Controller, ensure that persons authorised to process the data are bound by confidentiality, and assist the Controller in meeting its obligations under the GDPR.

5. Security measures

Central implements appropriate technical and organisational measures to protect Customer Personal Data, as further described in Schedule A.

6. Sub-processors

The Controller authorises Central to engage the sub-processors listed in Schedule B. Central will inform the Controller of any intended changes to its sub-processors and give the Controller the opportunity to object on reasonable grounds.

7. Data subject rights assistance

Central shall, taking into account the nature of the processing, assist the Controller by appropriate measures in responding to requests from data subjects exercising their rights under the GDPR.

8. Data breach notification

Central shall notify the Controller without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and shall provide information reasonably required to support the Controller’s own notification obligations.

9. Data deletion or return on termination

On termination of the agreement, Central shall, at the Controller’s choice, delete or return all Customer Personal Data, unless retention is required by applicable law.

10. International transfers

Where Customer Personal Data is transferred outside the European Economic Area, Central relies on Standard Contractual Clauses or another lawful transfer mechanism.

11. Audit rights

Central shall make available to the Controller information reasonably necessary to demonstrate compliance with this DPA and allow for audits, including inspections, subject to reasonable notice and confidentiality.

12. Liability and indemnity

Each party’s liability under this DPA is subject to the limitations of liability set out in the Terms of Service.

13. Term and termination

This DPA remains in effect for as long as Central processes Customer Personal Data on behalf of the Controller.

14. Governing law

This DPA is governed by the laws of Ireland.

Schedule A — Technical and Organisational Measures

  • Encryption of data in transit and at rest.
  • Role-based access controls and the principle of least privilege.
  • Regular backups and tested restoration procedures.
  • Logging and monitoring of access to personal data.
  • Staff confidentiality obligations and security awareness.
  • Documented incident response procedures.

Schedule B — List of Sub-processors

  • Hostinger — website and application hosting.
  • 360dialog — Business Solution Provider for WhatsApp messaging.
  • Google Workspace — business email infrastructure.
  • SMS providers — standard text message delivery.

Questions about this DPA can be sent to legal@getcentral.io.