Last updated:
Plain-language summary. When your customers book a locker through LockMe, you (the operator) are the controller of their personal data and LockMe is your processor. This DPA sets out how we process that data on your behalf, the security we apply, the subprocessors we use, and what happens if something goes wrong. It auto-applies to every paid LockMe contract; you do not need to sign a separate copy.
Note. This page is a working draft pending review by external counsel before launch. If you need a wet-signed copy on company paper for procurement, email legal@lock-me.com and we'll send one.
1. Roles
- Controller: the operator entity (you).
- Processor: LockMe S.L.
- Data subjects: the end customers who book and use lockers in your stores.
- Personal data: name, email, phone (where collected), booking details, payment metadata, locker access tokens.
2. Subject matter and duration
LockMe processes personal data on the operator's behalf for the duration of the LockMe service contract and for up to 90 days after termination for backup retention.
3. Nature and purpose of processing
To provide the services described in the operator's order form: storefront, dashboard, payments orchestration, customer communications and post-stay review prompts.
4. LockMe's obligations as processor
LockMe will:
- Process personal data only on the operator's documented instructions, except where required by law.
- Ensure that personnel authorised to process personal data are bound by confidentiality.
- Take appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, disclosure or access (see Annex II).
- Assist the operator in responding to data subject requests and in complying with Articles 32–36 GDPR.
- Notify the operator without undue delay (and in any event within 72 hours) of becoming aware of a personal data breach.
- On termination, return or delete personal data per the operator's choice (subject to legal retention obligations).
- Make available all information necessary to demonstrate compliance and allow audits, subject to reasonable confidentiality and scheduling.
5. Subprocessors
The operator authorises LockMe to engage subprocessors. The current list (Annex III) is published below and the operator will be notified at least 30 days before any addition or replacement of a subprocessor. The operator may object on reasonable data-protection grounds; if the parties cannot agree on a remedy, the operator may terminate the affected service for material breach.
6. International transfers
Where personal data is transferred outside the EEA, LockMe will rely on a valid transfer mechanism (Standard Contractual Clauses or an adequacy decision) and apply supplementary measures where required by case law (most relevantly Schrems II).
7. Liability
The liability provisions of the main service agreement apply to this DPA as if set out in full here.
Annex I — Description of processing
| Field | Detail |
|---|---|
| Categories of data subjects | End customers of operator stores |
| Categories of personal data | Identifiers (name, email, phone), booking metadata, payment metadata (no full PAN), locker access tokens, optional review text |
| Sensitive data | None processed |
| Frequency | Continuous |
| Nature of processing | Storage, transmission, computation for storefront, dashboard, customer communications |
| Purpose | Delivery of the LockMe service |
| Duration | Term of the LockMe contract + 90-day backup retention |
Annex II — Technical and organisational measures
A non-exhaustive list:
- All data encrypted in transit (TLS 1.2+) and at rest.
- Production access via SSO with hardware-key MFA; least-privilege RBAC; full audit log.
- Quarterly penetration tests; in-house security review on every release.
- Backups encrypted, stored in a separate EU region, restored quarterly to verify integrity.
- Vendor security reviews on every subprocessor; annual SOC 2-aligned internal audit.
- Documented incident response plan; on-call rotation 24/7 for paid plans.
Annex III — Subprocessors (current list)
| Subprocessor | Role | Location |
|---|---|---|
| Google Cloud Platform | Hosting (compute, storage, databases) | EU (europe-west4, Netherlands) |
| Stripe Payments Europe Ltd. | Payment processing | EU + US under SCCs |
| Postmark | Transactional email | EU (Frankfurt) |
| Twilio | SMS for booking confirmations | EU/global under SCCs |
| Sentry | Error and performance monitoring | EU (Frankfurt) |
| Plausible Insights | Cookieless website analytics | EU (Germany) |
This list is maintained at https://lock-me.com/legal/dpa and supersedes any list previously circulated by email.
Contact
DPO and privacy contact: privacy@lock-me.com.
Questions about this document? Email legal@lock-me.com. This page is provided for transparency; it does not replace bespoke legal advice for your operation.