BookKei

Data Processing Addendum (DPA – GDPR)

Last Updated: December 12, 2025

This Data Processing Addendum (“DPA”) forms part of, and is subject to, the agreement(s) between the Customer and BookKei governing the use of BookKei’s services (the “Agreement”). This DPA applies to the extent that BookKei Processes Personal Data on behalf of Customer under the Agreement and such Processing is subject to Data Protection Laws (as defined below).

By using the Services, or by executing the Agreement to which this DPA is attached or referenced, the parties agree to be bound by the terms of this DPA.


1. Definitions

For the purposes of this DPA, the following terms shall have the meanings set out below. Capitalized terms not defined in this DPA shall have the meaning given to them in the Agreement.

  • “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a party.
  • “Controller” (or “Data Controller”) means the natural or legal person which, alone or jointly with others, determines the purposes and means of Processing of Personal Data. For purposes of this DPA, the Controller is the Customer.
  • “Customer” means the organization or individual that has entered into the Agreement with BookKei and on whose behalf BookKei Processes Personal Data.
  • “Data Protection Laws” means all applicable privacy and data protection laws and regulations, including, where applicable, the EU General Data Protection Regulation (“GDPR”), the UK GDPR and Data Protection Act 2018, and any local laws implementing or supplementing the foregoing.
  • “Data Subject” means an identified or identifiable natural person whose Personal Data is Processed by BookKei on behalf of Customer.
  • “EU SCCs” means the standard contractual clauses adopted by the European Commission for the transfer of personal data to third countries under the GDPR, as may be amended or replaced from time to time.
  • “Personal Data” means any information relating to an identified or identifiable natural person that is Processed by BookKei on behalf of the Customer in connection with the Services.
  • “Process”, “Processing” or “Processed” means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure or destruction.
  • “Processor” (or “Data Processor”) means a natural or legal person which Processes Personal Data on behalf of the Controller. For purposes of this DPA, the Processor is BookKei.
  • “Services” means the appointment booking, calendar, communication, website and related services provided by BookKei under the Agreement.
  • “Sub-processor” means any third party engaged by BookKei to Process Personal Data on behalf of the Customer.
  • “Supervisory Authority” means an independent public authority which is established by a Member State pursuant to the GDPR or by the UK pursuant to the UK GDPR.

2. Role of the Parties

  • Customer acts as the Controller with respect to Personal Data Processed under the Agreement.
  • BookKei acts as the Processor with respect to such Personal Data.
  • Each party shall comply with its respective obligations under Data Protection Laws in relation to the Processing of Personal Data.

3. Subject Matter, Duration, Nature and Purpose of Processing

The subject matter, duration, nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects are described in Annex 1 (Details of Processing) to this DPA.

BookKei shall Process Personal Data only for the purpose of providing the Services and performing its obligations under the Agreement and this DPA, and in accordance with Customer’s documented instructions.


4. Customer Instructions

  1. Documented Instructions. BookKei shall Process Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by applicable law. In such case, BookKei shall inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
  2. Default Instructions. The Agreement and this DPA constitute Customer’s complete and final instructions to BookKei for the Processing of Personal Data. Any additional or alternate instructions must be agreed in writing, and BookKei may charge reasonable fees for complying with such instructions if they require material changes to the Services.
  3. Customer Responsibility. Customer is solely responsible for ensuring that its instructions comply with Data Protection Laws. BookKei shall inform Customer if, in its opinion, an instruction infringes Data Protection Laws, but shall have no obligation to provide legal advice.

5. Confidentiality

  • BookKei shall ensure that persons authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • BookKei shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Personal Data.

6. Security of Processing

  1. Technical and Organisational Measures. Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing as well as the risks to the rights and freedoms of natural persons, BookKei shall implement and maintain appropriate technical and organisational measures (“TOMs”) to ensure a level of security appropriate to the risk, including, as appropriate:
    • pseudonymisation and encryption of Personal Data;
    • measures to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    • measures to restore availability and access to Personal Data in a timely manner in the event of an incident;
    • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures.
    A description of key TOMs is set out in Annex 2 (Security Measures).
  2. Customer Responsibilities. Customer is responsible for using the Services in a secure manner, including configuring access controls, choosing strong passwords, and protecting account credentials.

7. Use of Sub-processors

  1. Authorised Sub-processors. Customer grants BookKei general written authorisation to engage Sub-processors for the provision of the Services. A current list of Sub-processors may be maintained by BookKei (e.g., in the application, documentation, or upon request) and constitutes Annex 3 to this DPA.
  2. Sub-processor Obligations. BookKei shall ensure that Sub-processors are bound by written agreements that impose data protection obligations no less protective than those set out in this DPA. BookKei remains fully liable to Customer for the performance of a Sub-processor’s obligations to the same extent BookKei is liable for its own acts and omissions.
  3. Changes to Sub-processors. BookKei will provide notice of any intended changes to Sub-processors (for example via email, in-app notice, or website). Customer may object to such changes on reasonable data protection grounds by notifying BookKei in writing within the period specified in the notice. If Customer reasonably objects, BookKei will work with Customer in good faith to address the objection, and if the parties cannot reach a resolution, Customer may terminate the affected Services as its sole and exclusive remedy.

8. International Data Transfers

  1. Transfers. BookKei may Process and store Personal Data in any country where it or its Sub-processors maintain facilities, subject to compliance with Data Protection Laws.
  2. EEA/UK Data. To the extent the Processing of Personal Data subject to the GDPR or UK GDPR involves a transfer to a country that does not provide an adequate level of protection, the parties agree that such transfer shall be governed by the applicable Standard Contractual Clauses (SCCs) or other appropriate safeguards recognised under Data Protection Laws.
  3. Incorporation of SCCs. Where required, the relevant SCCs (for example, the EU SCCs for Controller–Processor transfers, and the UK-approved addendum for UK data) are deemed incorporated by reference into this DPA, with Customer as “data exporter” and BookKei as “data importer”. The parties will take any additional steps necessary to give full effect to the SCCs.

9. Data Subject Requests

  1. Assistance with Requests. Taking into account the nature of the Processing, BookKei shall assist Customer, by appropriate technical and organisational measures, in fulfilling Customer’s obligations to respond to requests from Data Subjects exercising their rights under Data Protection Laws (such as rights of access, rectification, erasure, restriction, portability and objection).
  2. Handling Requests. If BookKei receives a request directly from a Data Subject in relation to Personal Data it Processes on behalf of Customer, BookKei will (where reasonably possible) promptly forward the request to Customer and will not respond directly except as required by law or authorised by Customer.
  3. Costs. BookKei may charge Customer reasonable fees for assistance with complex or excessive Data Subject requests where permitted by Data Protection Laws.

10. Data Protection Impact Assessments & Prior Consultation

Taking into account the nature of the Processing and the information available to BookKei, BookKei shall provide reasonable assistance to Customer in fulfilling its obligations to carry out data protection impact assessments (DPIAs) and, where required, consult with Supervisory Authorities in relation to the Processing of Personal Data under this DPA.


11. Personal Data Breach Notification

  1. Notification. In the event of a Personal Data Breach affecting Personal Data Processed by BookKei on behalf of Customer, BookKei shall notify Customer without undue delay after becoming aware of the breach.
  2. Content of Notification. The notification shall contain sufficient information to allow Customer to meet its obligations under Data Protection Laws, to the extent such information is known to BookKei at the time, including:
    • the nature of the breach;
    • the categories and approximate number of Data Subjects and records concerned;
    • the likely consequences of the breach; and
    • the measures taken or proposed to address the breach and mitigate any possible adverse effects.
  3. Cooperation. BookKei shall cooperate with Customer and take reasonable steps to assist in the investigation, mitigation and remediation of any Personal Data Breach.

12. Audits & Demonstration of Compliance

  1. Records. BookKei shall maintain records of its Processing activities as required by Data Protection Laws and shall make such records available to Customer upon reasonable request.
  2. Third-Party Certifications. Where BookKei has relevant third-party certifications or audit reports (for example, security assessments), it may make such reports available to Customer as a primary means of demonstrating compliance.
  3. On-site Audits. Where such documentation is not sufficient to demonstrate compliance, Customer may, upon reasonable prior written notice and at its own cost, conduct or have conducted an audit of BookKei’s Processing of Personal Data. Any audit:
    • shall be limited to once per year (unless required by a Supervisory Authority or in the event of a confirmed Personal Data Breach);
    • shall be conducted during normal business hours and in a manner that minimises disruption;
    • shall be subject to reasonable confidentiality and security restrictions; and
    • may not permit access to information relating to BookKei’s other customers or trade secrets.

13. Return or Deletion of Personal Data

  1. End of Services. Upon termination or expiration of the Agreement or upon Customer’s written request, BookKei shall, at Customer’s choice and subject to applicable law, either:
    • return to Customer all Personal Data in its possession, or
    • delete such Personal Data, except to the extent BookKei is required by law or legitimate business need (e.g., for billing or dispute resolution) to retain certain data.
  2. Backup Copies. Personal Data stored in standard backup systems may be deleted in accordance with BookKei’s regular backup deletion schedules.
  3. Confirmation. Upon Customer’s request, BookKei shall confirm in writing that it has complied with Customer’s instructions regarding the deletion or return of Personal Data.

14. Liability

The liability of each party arising out of or in connection with this DPA shall be subject to the exclusions and limitations of liability set out in the Agreement. Nothing in this DPA shall limit either party’s liability to Data Subjects where such limitation is not permitted under Data Protection Laws.


15. Precedence & Conflicts

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the parties’ data protection obligations. In the event of a conflict between this DPA and the SCCs (where applicable), the SCCs shall prevail to the extent of the conflict.


16. Term & Termination

  • This DPA shall remain in force for as long as BookKei Processes Personal Data on behalf of Customer under the Agreement.
  • Termination of the Agreement shall automatically terminate this DPA, subject to BookKei’s obligations regarding return or deletion of Personal Data.

17. Miscellaneous

  • Nothing in this DPA shall be construed as creating a joint controller relationship between the parties.
  • If any provision of this DPA is held invalid or unenforceable, the remaining provisions shall remain in full force and effect.
  • This DPA shall be governed by and construed in accordance with the governing law specified in the Agreement, unless Data Protection Laws require otherwise.

Annex 1 – Details of Processing

1. Subject matter and purpose

BookKei Processes Personal Data to provide the Services to Customer, including online booking, calendar integration, customer communications, reminders, analytics and related support, as described in the Agreement.

2. Duration of Processing

For the term of the Agreement and any additional period during which BookKei retains Personal Data in accordance with the Agreement and this DPA.

3. Nature of Processing

  • Collection, storage and organisation of booking and customer data;
  • Transmission of communications (e.g., email/SMS reminders and notifications);
  • Integration and synchronisation with external calendars (e.g., Google, Outlook);
  • Generation of reports and analytics;
  • Support, troubleshooting and maintenance of the Services.

4. Types of Personal Data

The Personal Data Processed may include, but is not limited to:

  • Identification data (e.g., name, username, business name);
  • Contact details (e.g., email address, phone number, address);
  • Booking and appointment details (e.g., service type, date/time, staff member, notes);
  • Customer communication logs (e.g., messages, reminders sent);
  • Account and billing details relating to business users (excluding full payment card numbers, which are handled by payment processors);
  • Technical data (e.g., IP address, device identifiers, usage logs) as described in the Privacy Policy.

5. Categories of Data Subjects

  • Customers and prospective customers of the Customer’s business;
  • Employees, staff and contractors of the Customer who use the Services;
  • Other individuals whose data is entered into the Services by or on behalf of Customer.

Annex 2 – Security Measures (Summary)

BookKei maintains a security program designed to protect Personal Data, which includes, at a minimum:

  • Access Control – Role-based access, strong authentication, session management, and least-privilege principles for staff; logging of administrative access.
  • Data Encryption – Encryption of Personal Data in transit using TLS/HTTPS; encryption of data at rest using industry-standard algorithms where applicable.
  • Network & Infrastructure Security – Firewalls, network segmentation where appropriate, and monitoring of infrastructure for vulnerabilities and potential incidents.
  • Application Security – Secure development practices, regular patching, and vulnerability management; logical separation of customer data.
  • Backup & Continuity – Regular backups, tested restoration procedures, and business continuity / disaster recovery planning.
  • Organisational Controls – Staff training on data protection and information security, confidentiality obligations, and documented policies and procedures.
  • Incident Management – Defined incident response process for detection, investigation, mitigation and notification of security events and Personal Data Breaches.

More detailed information on security practices may be provided to Customer upon reasonable request and subject to confidentiality obligations.


Annex 3 – Sub-processors

BookKei may engage the following categories of Sub-processors (a detailed, up-to-date list may be maintained in the application or provided upon request):

  • Cloud infrastructure and hosting providers;
  • Database and storage providers;
  • Email and SMS communication providers;
  • Payment service providers and billing platforms;
  • Analytics and logging services;
  • Customer support and ticketing tools;
  • Calendar integration providers (e.g., Google, Microsoft) acting as independent controllers for their own services.

Customer acknowledges and agrees to the engagement of such Sub-processors, subject to the conditions set out in this DPA.


This DPA template is provided for informational purposes only and does not constitute legal advice. You should review and adapt this document with your own legal counsel to ensure it meets your specific business, jurisdictional and regulatory requirements.

© 2026 BookKei. All rights reserved.
