Schedulista Terms of Use GDPR Addendum

This General Data Processing Addendum (“DPA”), forms part of the Terms of Use available at https://www.schedulista.com/businesses/terms between you, as a Customer, and Schedulista (the “Agreement’). The parties have entered into the Agreement under which Schedulista will process certain Customer Data. The parties intend this DPA to be an extension of the Agreement that will outline certain requirements for the processing of such personal data. This DPA applies exclusively to personal data provided or made available by Customer in the EEA to Schedulista in the US. All terms not defined herein have the meaning set forth in the Terms of Use

  1. Definitions.
    1. "Data Protection Law" means all applicable laws relating to privacy and the processing of personal data that may exist in any applicable jurisdiction. Data Protection Law includes the General Data Protection Regulation (Regulation (EU) 2016/279).
    2. "data controller", "data processor", “subprocessor”, "data subject", "personal data", "processing", and "appropriate technical and organisational measures" shall be interpreted in accordance with Directive 95/46/EC, or other applicable Data Protection Law, in the relevant jurisdiction.
    3. "Services" means the services provided by Schedulista to Customer pursuant to the Agreement.
    4. "Customer Data" means the personal data provided or made available by Customer to Schedulista that is processed by Schedulista on behalf of Customer as a data processor in the course of providing Services, as more particularly described in this DPA.
  2. Scope. The parties agree that Customer is a data controller and that Schedulista is a data processor in relation to the Customer Data. The subject-matter of the data processing, the types of personal data processed, and the categories of data subjects will be defined by, and/or limited to that necessary to carry out the Services described in, the Agreement. The processing will be carried out until the date Schedulista ceases to provide the Services to Customer. The subject matter, duration, nature, and purpose of the processing of the personal data as well as the type of personal data and categories of data subjects are:
    1. The subject matter of the data processing under this DPA is the Customer Data.
    2. The duration of the processing equals the Term of the Agreement, unless otherwise requested by Customer in writing.
    3. The nature and purposes of the processing under this DPA is the provision of the Services to the Customer and the performance of Schedulista’s obligations under the Agreement, including the provision of support services.
    4. The categories of the data subjects include Customer’s clients, whether booking directly using the Services or submitted to the Services by Customer.
    5. The categories of personal data include appointment data about specific bookings provided by Customer or its client in the course of the applicable client booking services with Customer. For clarity, Customer Data does not include personal data for which Schedulista acts as data controller, including profile data about client users that utilize accounts to make bookings across multiple businesses.
  3. Data Protection. In respect of Customer Data, Schedulista shall adhere to the following requirements:
    1. Schedulista will process the personal data only in accordance with the written instructions from Customer (the Agreement and this DPA are hereby deemed to be Customer’s sole written instructions) and only in compliance with Data Protection Law. The nature and purposes of the processing shall be limited that that necessary to carry out such instructions, and not for Schedulista's own purposes, or for any other purposes except as required by law. If Schedulista is required by law to process the personal data for any other purpose, Schedulista will inform Customer of such requirement prior to the processing unless prohibited by law from doing so.
    2. Schedulista will process the personal data only to the extent, and in such manner, as is necessary for the provision of the Services. Schedulista may only correct, delete or block the personal data processed on behalf of Customer as and when instructed to do so by Customer.
    3. Schedulista will implement and maintain appropriate technical and organisational measures designed to protect the personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall take into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of the personal data and having regard to the nature of the personal data which is to be protected and as a minimum shall be in accordance with the Data Protection Law.
    4. Schedulista will not give access to or transfer any personal data to any third party (including any affiliates, group companies or sub-contractors) without the prior consent of Customer. Where Customer does consent to Schedulista engaging a sub-contractor to carry out any part of the Services, Schedulista must ensure the reliability and competence of such third party, its employees or agents who may have access to the personal data processed in the provision of the Services, and must include in any contract with such third party provisions in favor of Customer which are equivalent to those in this DPA and the Agreement and as are required by applicable Data Protection Law. For the avoidance of doubt, where a third party fails to fulfil its obligations under any sub-processing agreement or any applicable Data Protection Law, Schedulista will remain fully liable to Customer for the fulfilment of its obligations under this DPA and the Agreement. Customer hereby authorizes the transfer of personal data to the following sub-contractors for purposes of providing the services: Amazon Web Services, Google, Honeybadger, Intercom, MailChimp, New Relic, Stripe and Twilio. In the event that Schedulista adds or replaces any such third parties, Customer will have ten days to object to such changes.
    5. Schedulista will take reasonable steps to ensure the reliability and competence of any Schedulista personnel who have access to the personal data. Schedulista will ensure that all Schedulista personnel required to access the personal data are informed of the confidential nature of the personal data and comply with the obligations set out in this DPA.
    6. Schedulista will take all reasonable steps to assist Customer in meeting Customer’s obligations under applicable Data Protection Law, including Customer’s obligations to respond to requests by data subjects to exercise their rights with respect to personal data, adhere to data security obligations, respond to data breaches and other incidents involving personal data, conduct data protection impact assessments, and consult with supervisory authorities. Schedulista will promptly inform Customer in writing if it receives: (i) a request from a data subject concerning any personal data; or (ii) a complaint, communication, or request relating to Customer’s obligations under Data Protection Law.
    7. Schedulista will not retain any of the personal data for longer than is necessary to provide the Services. At the end of the Services, or upon Customer's request, Schedulista will destroy or return (at Customer’s election) the personal data to Customer.
    8. With regard to personal data related to data subjects located in the European Economic Area, Schedulista will not process such personal data in a location outside the European Economic Area, except pursuant to standard contractual clauses attached hereto as Exhibit 1.
    9. Schedulista will allow Customer and its respective auditors or authorized agents to conduct audits and inspections during the term of the Agreement and for 12 months thereafter, which shall solely include, unless otherwise expressly required by applicable law, providing access to summaries of Schedulista’s data protection and data security measures and access to personnel used by Schedulista in connection with the provision of the Services for purposes of asking questions regarding Schedulista’s data protection and data security measures. The purposes of an audit pursuant to this paragraph include to verify that Schedulista is processing personal data in accordance with its obligations under this DPA and applicable Data Protection Law.
    10. If Schedulista becomes aware of any accidental, unauthorised or unlawful destruction, loss, alteration, or disclosure of, or access to the personal data that is processed by Schedulista in the course of providing the Services under the Agreement (a "Security Breach"),
      1. it shall promptly and without undue delay notify Customer and provide Customer with: a detailed description of the Security Breach; the type of data that was the subject of the Security Breach; the identity of each affected person, and the steps Schedulista takes in order to mitigate and remediate such Security Breach, in each case as promptly as such information can be collected or otherwise becomes available (as well as periodic updates to this information and any other information Customer may reasonably request relating to the Security Breach); and
      2. take action promptly, at its own expense, to investigate the Security Breach and to identify, prevent and mitigate the effects of the Security Breach and to carry out appropriate recovery actions to remedy the Security Breach.
    11. Schedulista shall comply at all times with, and assist Customer in complying with its applicable obligations under, Data Protection Law. Schedulista shall provide reasonable information requested by Customer to demonstrate compliance with the obligations set out in this DPA.
    12. Schedulista will notify Customer immediately if, in Schedulista's opinion, an instruction for the processing of personal data given by Customer infringes applicable Data Protection Law.