Data Processing Agreement

Last updated: December 2024

This Data Processing Agreement ("DPA") governs the processing of personal data by Bookitsy on behalf of our customers in compliance with applicable data protection laws.

Introduction

This Data Processing Agreement supplements our Terms of Service and outlines how Bookitsy processes personal data on behalf of our customers. When you use Bookitsy to manage bookings and customer interactions, you act as the Data Controller, and we act as the Data Processor.

This agreement ensures compliance with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable data protection laws.

Definitions

Data Controller

The customer (you) who determines the purposes and means of processing personal data through the Bookitsy platform.

Data Processor

Bookitsy, which processes personal data on behalf of the Data Controller in accordance with their instructions.

Personal Data

Any information relating to an identified or identifiable natural person processed through the Bookitsy platform.

Processing

Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.

Roles and Responsibilities

Data Controller (Customer)

  • Determine the purposes and means of processing
  • Provide clear instructions for data processing
  • Ensure lawful basis for processing personal data
  • Handle data subject requests and complaints
  • Maintain privacy notices and consent records
  • Notify Bookitsy of any processing restrictions

Data Processor (Bookitsy)

  • Process data only on documented instructions
  • Implement appropriate security measures
  • Maintain confidentiality of processed data
  • Assist with data subject requests
  • Notify of any personal data breaches
  • Delete or return data upon termination

Data Processing Details

Service Provision

Contract Performance

Providing booking and scheduling services to your customers

Data Types:

  • Customer contact information
  • Appointment data
  • Service preferences

Platform Operations

Legitimate Interest

Maintaining and operating the Bookitsy platform

Data Types:

  • Usage analytics
  • Performance metrics
  • Error logs

Customer Support

Contract Performance

Providing technical and customer support services

Data Types:

  • Support communications
  • Account information
  • Issue reports

Security & Fraud Prevention

Legitimate Interest

Protecting the platform and preventing fraudulent activities

Data Types:

  • Access logs
  • Security events
  • Authentication data

Security Measures

Technical Safeguards

  • Data encryption in transit and at rest (AES-256)
  • Multi-factor authentication for administrative access
  • Regular security updates and patch management
  • Intrusion detection and prevention systems
  • Secure API endpoints with rate limiting

Access Controls

  • Role-based access control (RBAC)
  • Principle of least privilege
  • Regular access reviews and deprovisioning
  • Audit logs for all data access
  • Strong password policies and rotation

Organizational Measures

  • Employee data protection training
  • Confidentiality agreements for all staff
  • Regular security awareness programs
  • Incident response procedures
  • Third-party security assessments

Data Subject Rights

We assist customers in responding to data subject requests within the required timeframes:

Right of Access

Provide access to personal data and processing information

Right to Rectification

Correct inaccurate or incomplete personal data

Right to Erasure

Delete personal data when legally required

Right to Portability

Provide data in a structured, machine-readable format

International Transfers

Bookitsy may transfer personal data to countries outside the European Economic Area (EEA) only when appropriate safeguards are in place:

  • European Commission adequacy decisions
  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules (BCRs) where applicable
  • Explicit consent from data subjects
  • Necessary transfers for contract performance

Current Infrastructure: Primary data processing occurs within the EEA. Any transfers to third countries are governed by appropriate transfer mechanisms.

Data Retention and Deletion

Active Accounts

Personal data is retained for the duration of the customer relationship and as required for service provision.

Account Termination

Upon termination, personal data is deleted within 90 days unless legal obligations require longer retention.

Legal Requirements

Some data may be retained longer to comply with legal, tax, or regulatory obligations.

Breach Notification Procedures

Incident Response Timeline

1. Detection & Assessment

Immediate identification and risk evaluation

2. Customer Notification

Within 72 hours of becoming aware of the breach

3. Remediation Support

Assistance with regulatory notifications and affected individuals

We provide detailed incident reports including the nature of the breach, affected data categories, potential consequences, and measures taken to address the breach.

Audit Rights and Compliance

Customers have the right to audit our data processing activities to ensure compliance with this DPA and applicable data protection laws.

Available Compliance Documentation:

  • SOC 2 Type II certification reports
  • ISO 27001 compliance documentation
  • Regular penetration testing reports
  • Data processing records and procedures
  • Security policy and training documentation

On-site audits may be conducted with reasonable notice and at mutually agreed times, subject to confidentiality obligations.

Subprocessors and Third Parties

Bookitsy may engage subprocessors to assist in providing services. All subprocessors are bound by data protection obligations equivalent to those in this DPA.

Current Subprocessors Include:

  • Cloud infrastructure providers (AWS, Google Cloud)
  • Email service providers
  • Analytics and monitoring services
  • Customer support platforms

We will notify customers of any changes to our list of subprocessors and provide an opportunity to object to new appointments.

Liability and Indemnification

Each party's liability is limited to direct damages caused by their breach of this DPA. Neither party is liable for indirect, consequential, or punitive damages.

Customer Indemnification

Customers indemnify Bookitsy against claims arising from processing instructions that violate applicable data protection laws.

Bookitsy Indemnification

Bookitsy indemnifies customers against claims arising from our failure to comply with this DPA's data protection obligations.

Termination and Data Return

Upon termination of our services, we will assist with the secure return or deletion of personal data as instructed by the customer.

Data Export

Standard data export functionality available during active service period

Secure Deletion

Complete data deletion within 90 days unless legally required to retain

Certification

Written confirmation of data deletion or return upon request

Data Protection Contacts

Data Protection Officer

Email: dpo@bookitsy.com

Phone: +420 773039796

Legal Department

Email: legal@bookitsy.com

Phone: +420 773039796

Response Time: We respond to data protection inquiries within 2 business days and provide detailed responses within 10 business days.