Document version: 1.0
Effective date: Monday, June 30, 2025
Last updated: Monday, June 30, 2025
Thank you for choosing Canterly. This Data Processing Agreement (“DPA”) explains how personal data is handled when you use our platform and supplements, and forms part of, the Canterly Terms of Service (“Main Agreement”). In this DPA, you—acting for yourself, your users and any Affiliates (as defined in the Main Agreement)—are the “Subscriber” and, unless stated otherwise, the Data Controller; Canterly Pte. Ltd. (“Canterly,” “we,” “us,” or “our”) is the Data Processor.
This DPA sets out the terms under which Personal Data is processed under applicable Data Protection Laws. It applies only when:
- You or your authorised users (as Data Controller) upload, submit, or otherwise make Personal Data available to the Canterly platform; and
- Canterly processes that Personal Data on your behalf as a Data Processor, under the relevant laws.
This DPA does not apply to data for which Canterly acts independently as a Data Controller—such as your business account details, billing records, or anonymised product analytics—as outlined in the Canterly Privacy Policy.
1. Definitions
- Terms such as “Data Controller”, “Data Processor” (or “Data Intermediary”), “Data Subject”, “Processing”, “Personal Data” or “Personal Information”, “Sensitive Personal Data” or “Sensitive Personal Information” shall have the meanings given under applicable Data Protection Laws.
- “Data Protection Law”, “Data Protection Laws”, “Law” or “Laws” means all applicable laws and regulations relating to the processing of Personal Data, including but not limited to the GDPR, UK GDPR, and the Singapore PDPA.
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data, or as otherwise defined under local Data Protection Law.
- Capitalised terms not defined herein shall have the meanings given in the Canterly Terms of Service or the Canterly Privacy Policy.
2. Scope and roles
This DPA applies to the extent that Canterly processes Personal Data on behalf of the Subscriber in connection with the provision of its Services (as defined in the Main Agreement), where the Subscriber acts as the Data Controller (or equivalent under applicable law) and Canterly acts as the Data Processor.
Canterly provides a configurable platform designed to enable Subscribers to collect, manage, and use Personal Data relating to their End Users (e.g., riders, clients, horse owners). By using the platform and its features, the Subscriber issues documented instructions to Canterly to process Personal Data as necessary to deliver the subscribed Services. Canterly processes such data solely on the Subscriber’s behalf and in accordance with this DPA, the Main Agreement, applicable law, and the Subscriber’s instructions, including those inherent in the Subscriber’s use, configuration, and integration of the Services.
3. Canterly's obligations
As the Data Processor (or equivalent under applicable law), Canterly is solely responsible for:
- Processing on instructions of the Subscriber: Canterly will process Personal Data on documented instructions from the Subscriber, including through the configuration and use of the Services, unless otherwise required by applicable law. Where such legal obligations exist, Canterly will inform the Subscriber before processing, unless prohibited from doing so. For clarity, by using and configuring the Canterly platform, the Subscriber instructs Canterly to process Personal Data as necessary to deliver the subscribed Services. These instructions include the handling of data entered or generated via standard workflows, integrations, and automated features.
- Support-related access: As part of the Services, Canterly personnel may access the Subscriber’s instance and associated Personal Data solely to provide onboarding, technical support, configuration, training, or troubleshooting assistance. Such access is limited to authorised personnel under confidentiality obligations, and only to the minimum data necessary to perform the requested or expected support activity. All support-related access is governed by the Main Agreement, Canterly Privacy Policy, this DPA, and applicable Data Protection Laws.
- Authorised personnel: Ensure personnel authorised to process the Personal Data are under confidentiality obligations.
- Security measures: Implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, following Article 32 of the GDPR and equivalent provisions under other applicable laws. security measures regularly to align with industry standards appropriate to our size, risk profile, and the nature of the data we process.
- Assistance with Data Subject Rights: Provide reasonable assistance to the Subscriber, at its request, to respond to Data Subject rights requests (e.g., access, rectification, erasure, restriction, objection, data portability), taking into account the nature of the processing.
- Personal data breach notification: Notify the Subscriber without undue delay upon becoming aware of a Personal Data Breach affecting End User data, including relevant details to support the Subscriber’s obligations to notify authorities or individuals where required.
- Assistance with data protection impact assessments and consultations: Provide reasonable assistance to the Subscriber in conducting privacy risk impact assessments or impact assessments for personal-data processing, and prior consultations with relevant authorities, if required by law.
- Data return or deletion upon termination: Upon termination or expiration of the Main Agreement, delete or return all Personal Data processed on behalf of the Subscriber, at the Subscriber’s choice, unless retention is required by applicable law. Canterly may retain anonymised or aggregated data, provided it cannot reasonably be used to identify any Data Subject.
- International data transfers: Where Personal Data is transferred across borders, Canterly shall implement appropriate and approved contractual safeguards for international data transfers and supplementary technical and organisational measures such as encryption and access controls under applicable Data Protection Laws.
- When acting as a controller, consent and notices: Where Canterly collects Personal Data directly from End Users—such as through platform-hosted forms, onboarding workflows, or consent-based features—Canterly will act as an independent Data Controller for that data. In such cases, Canterly shall provide appropriate privacy notices and obtain any necessary consents following applicable Data Protection Laws.
Canterly may engage trusted Subprocessors to support the provision and operation of the Services. A current list of Subprocessors, including their service types and data transfer locations, is maintained in the Canterly Privacy Policy or equivalent registry linked within the Privacy Policy, where available.
When assessing and engaging Subprocessors, Canterly shall:
- Engage only Subprocessors bound by written agreements imposing equivalent data protection obligations as set out in this DPA;
- Ensure that each Subprocessor implements appropriate technical and organisational measures to safeguard Personal Data;
- Where applicable, ensure lawful international data transfer mechanisms are in place;
- Provide reasonable advance notice of any intended additions or replacements of Subprocessors;
- Allow the Subscriber to raise reasonable data protection concerns about Subprocessors and work in good faith to address them.
4. Subscriber’s obligations
As the Data Controller (or equivalent under applicable law), the Subscriber is solely responsible for:
- Lawful instructions: Ensuring that all processing instructions issued to Canterly comply with applicable Data Protection Laws and do not require Canterly to violate any legal or regulatory obligation.
- Legal basis for processing: Ensuring there’s a clear and appropriate reason to collect and use End User data—such as for scheduling lessons or matching riders with suitable horses—and that it’s relevant to the services provided. This includes taking extra care when handling sensitive information like health details or data about minors.
- Consent and notices: The Subscriber is responsible for obtaining any required consent from End Users (or their legal guardians, where applicable) only where the Subscriber collects Personal Data independently (e.g. through forms or verbally) or manually uploads or saves it via the Services, including:
(a) Informed consent, where the individual is clearly informed what data is collected, for what purpose, and with whom it will be shared;
(b) Parental or guardian consent, when required for minors under local law (e.g., under age 13 under COPPA, or under age 16 under GDPR unless local rules differ);
(c) Implied consent, only where permitted by law and where the End User’s actions indicate agreement (e.g., submitting a form to request a lesson); and
(d) Explicit consent, where sensitive data is involved (e.g., medical notes), unless a different lawful basis applies or the processing is necessary and proportionate for the intended service.
Where Canterly collects Personal Data directly, Canterly is responsible for applicable notices and consents (see Section 3).
- Accuracy and Minimisation: Ensuring that Personal Data collected via the Canterly platform is accurate, relevant, and limited to what is necessary for the intended purposes.
- Data Subject Rights: Responding to and fulfilling data subject requests (e.g., requests from End Users to access, correct, delete or object to records or use of data) following applicable law. Canterly will provide reasonable assistance where needed.
- User access and authorisation: Restricting access to Personal Data to authorised personnel only, and ensuring that all such personnel are appropriately trained and subject to confidentiality obligations.
- Incident notification: Promptly notifying Canterly of any suspected or actual data breaches or unauthorised access affecting the Subscriber’s use of the Services.
- Compliance with local law: Complying with any additional data protection requirements specific to the Subscriber’s jurisdiction, including registration, record-keeping, or local data residency rules.
5. Audits and inspections
Canterly will provide documentation reasonably necessary to demonstrate its compliance with this DPA, including descriptions of its data protection and security practices.
If such documentation does not reasonably satisfy the Subscriber’s legal obligations under applicable Data Protection Laws, the Subscriber may request an audit. To ensure audits are proportionate and minimally disruptive, the following conditions apply:
- A maximum of one audit in any 12 months;
- At least 30 days’ written notice;
- Prior written agreement on the scope, timing, and auditor;
- Reasonable confidentiality and access controls imposed by Canterly;
- No disruption to Canterly’s operations or compromise of other customer data; and
- All audit-related costs, including Canterly’s time, shall be borne by the Subscriber.
If the Subscriber reasonably determines that these conditions cannot be met and legal obligations remain unmet, it may suspend or terminate the affected portion of the Services per the Main Agreement.
6. Data Subject Requests
If Canterly receives a Data Subject request related to End User Personal Data, it will refer the request to the relevant Subscriber (as Data Controller), unless otherwise required by law. Canterly will provide reasonable support in responding to rights requests, where technically feasible.
For more information on how Canterly handles Data Subject rights—including requests related to Subscriber-admin data and directly collected End User data—please refer to the Canterly Privacy Policy.
7. Limitations of liability
This DPA does not expand either party’s liability beyond what is agreed in the Main Agreement, including any disclaimers or exclusions therein.
8. Term or Termination
This DPA will remain in effect for the duration of the Main Agreement or applicable Order Form and shall continue thereafter for as long as Canterly processes Personal Data on behalf of the Subscriber.
Certain obligations under this DPA will survive termination of the Main Agreement or applicable Order Form to the extent necessary to comply with applicable laws, including those related to data return or deletion, breach notification, and confidentiality.
Canterly will retain relevant Personal Data only as long as necessary to comply with legal, regulatory, or tax obligations, or to resolve disputes. For more details on data handling and retention, refer to the Canterly Privacy Policy.
9. Governing law
Unless otherwise required under applicable Data Protection Laws, this DPA shall be governed by the same law as the Main Agreement or
10. Contact us
If you have any questions, concerns, or requests related to this DPA or how we handle data, please contact us at privacy@canterly.com.