Data Processing Agreement (DPA) Template

Subject Matter

This Data Processing Agreement ('Agreement') forms part of the Terms of Service between BookThem ('Processor') and the business owner using the service ('Controller'). The Agreement governs the Processor's processing of personal data on behalf of the Controller in connection with providing the appointment management SaaS platform.

Roles and Responsibilities

• Controller: The business owner who determines the purposes and means of processing personal data of its customers and staff.
• Processor: BookThem, which processes personal data on behalf of the Controller for providing the platform.
• Data Subjects: Individuals whose personal data are processed, including business owners, staff, and customers.

Nature and Purpose of Processing

• Hosting and maintaining the appointment booking platform
• Managing appointments, services, staff schedules, and availability
• Sending transactional notifications (e.g., confirmations, cancellations)
• Providing support, troubleshooting, analytics, security, and fraud prevention

Categories of Personal Data and Data Subjects

• Business owners: name, email, business details, staff and service configuration
• Customers: name, email, phone, appointment details, special requests
• Staff: name, email (if provided), assigned services and schedules
• Technical data: IP address, device and browser information, logs

Processor Obligations

• Process personal data only on documented instructions of the Controller
• Ensure confidentiality and train personnel in data protection
• Implement appropriate technical and organizational measures to protect personal data
• Assist the Controller with data subject requests and DPIAs as required
• Notify the Controller without undue delay after becoming aware of a personal data breach
• Delete or return personal data at termination, unless EU or Member State law requires storage
• Make available all information necessary to demonstrate compliance and allow audits, where applicable

Sub-processors

The Controller authorizes the Processor to engage sub-processors for the provision of the service, provided that the Processor imposes data protection obligations on such sub-processors substantially similar to those set out in this Agreement and remains fully responsible for their performance.

• Vercel Inc. - hosting and platform services
• Supabase Inc. - managed database and cloud storage
• GoDaddy LLC - email delivery services

Security Measures

• Encryption in transit and at rest where appropriate
• Access controls, authentication, and least-privilege principles
• Regular security updates, monitoring, and vulnerability management
• Backups, disaster recovery, and business continuity procedures
• Data segregation and secure development practices

Assistance with Data Subject Rights

Taking into account the nature of processing, the Processor will assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising data subject rights under GDPR.

Liability

Each party's liability shall be as set out in the Terms of Service. The Processor shall be liable for the acts and omissions of its sub-processors to the same extent it would be liable if performing the services directly under this Agreement.

Term and Termination

• This Agreement remains in force for as long as the Processor processes personal data on behalf of the Controller.
• Upon termination of services, the Processor will delete or return all personal data, unless retention is required by law.
• Provisions that by their nature should survive termination shall remain in effect (e.g., confidentiality, liability).

Miscellaneous

• Governing law and jurisdiction follow the Terms of Service
• In case of conflict, this Agreement prevails over the Terms with respect to data protection
• Standard Contractual Clauses may apply to international transfers where required