Data Processing Addendum
GDPR Data Processing Addendum for businesses operating in the EU, EEA, and United Kingdom. Ensuring compliance with the EU General Data Protection Regulation and UK GDPR.
Data Processing Addendum (DPA) – GDPR
Capitalised terms not defined here have the meanings given in the applicable Data Protection Laws.
- "Personal Data", "Processing", "Data Subject", "Controller", "Processor", "Personal Data Breach", "Special Categories of Personal Data" have the meanings in the EU GDPR and UK GDPR (as applicable).
- "Services" means the SaaS booking platform services provided by Processor to Controller, including booking management, scheduling, payments, client communications, and optional intake forms.
- "Data Protection Laws" means the EU GDPR (Regulation 2016/679), the UK GDPR, the Data Protection Act 2018, and related regulations as applicable to the Controller's jurisdiction.
Subject Matter and Duration of Processing
Provision of the Services for the term of the Main Agreement plus any post-termination obligations (e.g., data return/deletion).
Nature and Purpose
Collection, recording, organisation, structuring, storage, adaptation, retrieval, use, disclosure (limited to authorised parties), alignment, combination, restriction, erasure, or destruction of Personal Data solely to deliver the Services.
Type of Personal Data
Contact information (name, email, phone), booking details, payment references (processed via sub-processors), and optionally Special Categories of Personal Data (health/medical information) via intake forms.
Categories of Data Subjects
Controller's clients (including minors for children's classes), staff, and other end-users.
Processor shall:
3.1 Documented Instructions
Process Personal Data only on the documented instructions of Controller (including instructions to comply with applicable Data Protection Laws), unless required by law (in which case Processor shall inform Controller beforehand unless prohibited).
3.2 Confidentiality
Ensure that persons authorised to Process Personal Data are bound by confidentiality obligations.
3.3 Security Measures
Implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including (but not limited to) encryption in transit (HTTPS/TLS) and at rest where applicable, access controls, pseudonymisation/anonymisation where feasible, regular testing, and backup procedures. For Special Categories of Personal Data (health/medical), additional restrictions apply (e.g., limited access, heightened encryption).
3.4 Sub-processors
Not engage sub-processors without Controller's prior specific or general written authorisation. Controller provides general written authorisation for the sub-processors listed in Annex A. Processor shall notify Controller of any intended changes and allow 30 days to object. Processor remains fully liable for sub-processor compliance.
3.5 Assistance
Assist Controller (at Controller's reasonable cost) by:
- Implementing measures to enable Data Subject rights requests (access, rectification, erasure, etc.);
- Supporting data protection impact assessments (DPIAs) where required;
- Notifying Controller without undue delay (and, where feasible, within 48 hours of becoming aware) of any Personal Data Breach;
- Assisting with prior consultation with supervisory authorities if needed.
3.6 Data Return and Deletion
On termination or expiry of the Agreement, at Controller's election: return all Personal Data (in a commonly used format) or securely delete/destroy it and all copies (unless law requires retention, in which case Processor shall continue protection obligations).
3.7 Audits
Make available to Controller (on reasonable request, no more than annually unless a breach is suspected) information necessary to demonstrate compliance, and allow audits/inspections (with reasonable advance notice and under confidentiality).
Personal Data may be transferred outside the EU/EEA or UK, including to Australia (Processor's location) and to sub-processors in non-adequate jurisdictions. Such restricted transfers are safeguarded under Article 46 of the applicable GDPR by:
- The EU Standard Contractual Clauses (SCCs) (Commission Implementing Decision 2021/914), incorporated by reference and deemed executed between the parties for transfers from the EU/EEA;
- The UK International Data Transfer Agreement (IDTA) (as issued by the ICO under s119A Data Protection Act 2018), incorporated by reference for transfers from the UK; or
- The UK Addendum to the EU Standard Contractual Clauses (where applicable).
Controller authorises these transfers. Upon request, Processor shall provide copies of executed SCCs, IDTA, or Addendum documents (or confirm their incorporation). Processor shall not transfer Personal Data to a third country without equivalent safeguards.
Authorised sub-processors (general authorisation):
| Sub-processor | Purpose |
|---|---|
| DigitalOcean | Infrastructure hosting |
| Amazon Web Services (AWS) | File storage (images/documents) |
| Stripe | Payment processing |
| Square | Payment processing |
| Paystack | Payment processing |
| Sendgrid | Transactional email delivery (notifications, booking confirmations) |
| Mailchimp | Email marketing lists (if enabled by Controller) |
| Twilio | Transactional SMS delivery (booking confirmations, reminders, cancellations). Data subjects can opt out at any time via their Bookamat account or bookamat.co/sms. |
| | Analytics and optional integrations (e.g. Calendar sync) where enabled |
Processor maintains an up-to-date list and will provide 30 days' notice of additions/changes.
The Services do not target children under 13. For children's classes, Controller is solely responsible for obtaining parental/guardian consent where required (including under Article 8 of the applicable GDPR for information society services) and ensuring a lawful basis for processing children's Personal Data.
Processor provides configurable intake/booking forms to support consent collection, age gates, or guardian fields, but implementation and compliance remain with Controller.
This DPA is governed by the applicable data protection laws of the Controller's jurisdiction. It survives termination of the Agreement for as long as Processor holds Personal Data.
Processor implements appropriate technical and organisational measures, which may include:
- Encryption in transit: HTTPS/TLS for web traffic.
- Access controls: role-based access, least-privilege principles, and authentication controls.
- Tenant separation: logical separation of business (tenant) data within the platform.
- Backups: regular backup processes and recovery procedures.
- Auditability: platform audit fields and logs to support troubleshooting and accountability.
- Secure development: updates, dependency patching, and change control practices.
Additional measures may apply where Special Categories of Personal Data are collected via intake forms (e.g., restricted access and additional safeguards).
Key Points
- Personal Data is processed only on documented instructions from the Controller.
- International data transfers are safeguarded by EU SCCs, the UK IDTA, or UK Addendum to EU SCCs.
- Personal Data Breaches are reported to the Controller without undue delay (and where feasible within 48 hours).
- Sub-processor changes require 30 days' notice with the right to object.
- On termination, data is returned or securely deleted at the Controller's election.
This DPA supplements our Terms of Service and Privacy Policy.
For questions, contact us at [email protected].