The Data Processing Agreement
of SimplyBook.me Ltd for the SimplyBook.me
Online Solution.

This Data Processing Agreement (“DPA”) is entered into pursuant to Article 28 of the EU General Data Protection Regulation (“GDPR”) and forms a legally binding contract between the Parties.

This DPA applies whenever the User uses the SimplyBook.me Online Solution under and alongside

By clicking to accept, checking a box, or otherwise electronically agreeing to this DPA via the SimplyBook.me Platform, the User acknowledges and agrees to be legally bound by its terms.

Electronic acceptance or signature shall be deemed as effective as an original signature for all purposes.

Acceptance.

This DPA becomes effective on the later of:

  • Your click-through acceptance during account setup; or
  • Your electronic signature via our e-signature platform.

Enterprise Solutions.

If you use our enterprise solutions under a separate Software Licensing and Services Agreement, that agreement’s DPA provisions will govern. In the absence of a separately signed DPA, the terms herein apply.

Amendments.

To maintain GDPR compliance or reflect business changes, we may amend this DPA. You will be notified of any key updates before they take effect.

Version: 4.0

Last updated: 17/09/2025

Effective date: 17/10/2025

Previous version available here

1. Background & Purpose.

1.1. Background. The Company is the legal and beneficial owner of the SimplyBook.me Software Solution (“Solution”), available to common users and enterprise users for real-time scheduling and management of customer bookings, and provides such services as a Data Processor under the GDPR. The User has accepted the online Terms and Conditions on the main website of the Company (for common users), or the Parties have entered into a Software Licensing and Services Agreement (for enterprise users) (either referred to as the “Main Agreement”). Acceptance of this DPA may occur by electronic signature, online acceptance, or other electronic means provided by the Company.

1.2. Data Controller and Processor. The Parties acknowledge that, for the purposes of this DPA, the Company acts solely as Data Processor and the User acts as Data Controller. The User’s use of the Solution or electronic acceptance of this DPA constitutes Your agreement to the terms herein and acknowledgment of its legally binding nature.

1.3. Purpose. This DPA sets out the terms under which the Company will process Personal Data on behalf of You in connection with Your use of the Solution and to ensure compliance with Article 28 GDPR and other applicable Data Protection Laws.

2. Definitions.

2.1. In addition to the terms defined elsewhere in this Agreement and the Main Agreement, for all the purposes of the subject matter hereof, the terms included in Annex 1 (the “Definitions”) herein shall have the meanings set forth therein and Annex 1 is hereby incorporated by reference and forms an integral part of this Agreement.

2.2. The Parties mutually agree and understand that for the purposes of this Agreement, all the definitions of the European Data Protection Laws are adopted and, where relevant, shall be interpreted in accordance with Annex 1.

2.3. For the avoidance of doubt, any use of the pronouns “they,” “them,” “their,” “you,” or “your” in this Agreement shall be interpreted based on context to refer to the appropriate party, including, without limitation, the Data Controller or the Data Processor, as applicable.

3. Responsibilities of You.

3.1. In line with the provisions of this DPA and the Main Agreement, You are responsible, as Data Controller, for complying with all requirements applicable to Your operations under applicable Data Protection Laws for the Processing of Personal Data.

3.2. You are responsible for:

(a) ensuring the accuracy, quality, and legality of the Personal Data You provide to the Company for the Services, as well as how You acquire that data;

(b) complying with all transparency and lawfulness requirements under applicable Data Protection Laws, including European Data Protection Laws;

(c) collecting and using Personal Data lawfully, and obtaining any required consents or authorisations, especially for marketing purposes;

(d) making sure You have the right to transfer or provide access to Personal Data to the Company, so we can process it as set out in this DPA and the Main Agreement;

(e) complying with all laws that apply to You, including Data Protection Laws, when using the Solution.

3.3. You hereby confirm and agree to inform the Company promptly and without any undue delay, if You are not able to comply with Your obligations herein, and specifically under the applicable Data Protection Laws.

3.4. This DPA, including its Annexes and together with the Main Agreement and any additional written instructions You provide as Data Controller constitute Your complete and final documented instructions (“Instructions”) for all Processing of Personal Data owned by the Data Controller under this DPA. The Company will Process Personal Data only in accordance with Your Instructions, including the scope, nature and purpose of Processing set out in Annex 2. If applicable law requires Processing beyond Your Instructions, the Company will inform You of that legal requirement prior to Processing, unless that law expressly prohibits such notification on important public-interest grounds.

3.5. You hereby acknowledge, understand and agree that any additional Instructions outside the scope of the documented Instructions described above shall require Your prior written request and written consent, and the Company shall not Process Personal Data except on such documented Instructions from You as Data Controller.

4. Responsibilities of the Company

4.1. The Company will process Personal Data only on the Data Controller’s documented instructions, as outlined in this DPA and Annex 2 (“Details of Processing”). We will not process Personal Data for any other purpose unless you give written instructions or the law requires us to do so. If processing is required by law, we will inform you before proceeding, unless the law prohibits notification for important public interest reasons.

4.2. The Company shall not be held responsible and liable for compliance with applicable Data Protection Laws which apply solely to the Data Controller and their industry and are not legally applicable to the Company’s operations.

4.3. The Company shall notify the Data Controller immediately and without any undue delay, to the extent permitted by law, if the Company is unable to Process Personal Data in accordance with the provisions of this DPA due to legal requirements of applicable laws and/or regulations.

Security

4.4. Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing of Personal Data pursuant to the provisions of this DPA, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Company will put in place and maintain appropriate technical and organisational security measures. These Security Measures, as detailed in Annex 3, will ensure a level of security appropriate to the risks involved, are aligned with the ISO/IEC 27001 standard as may be updated, and are in accordance with GDPR Article 32.

4.5. The Company shall ensure that the Security Measures form part of its implemented Information Security Management System (the “ISMS”), in line with the current ISO/IEC 27001 standard and maintained certification by an accredited certifying body. The ISMS shall be regularly reviewed and updated to reflect changes in technology, risks, and regulatory requirements.

4.6. Notwithstanding any provision to the contrary, the Company may modify or update the Security Measures at its discretion, provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures, and that all updates continue to comply with relevant laws, legal obligations, and current best practices under GDPR.

4.7. The Customer expressly authorises the Company to process Personal Data with its Parent Company and any of its Affiliates (collectively, “Group Entities”) provided that:

(a) such processing is limited to the purposes set out in this DPA and the Main Agreement, including internal administration, coordination, support services, resource allocation, compliance, and group-level reporting;

(b) the Company ensures that any Group Entity granted access to Personal Data implements data protection and security measures meeting or exceeding those required by this DPA;

(c) any transfer of Personal Data to Group Entities located outside the European Economic Area (EEA) or United Kingdom will be subject to appropriate safeguards, including the Standard Contractual Clauses (SCC) or UK International Data Transfer Addendum (IDTA), as applicable;

(d) the Company remains fully responsible and liable for acts or omissions of its Parent Company and Affiliates as if they were its own acts or omissions under this DPA;

(e) upon the Data Controller's written request, the Company will provide a current list of its Parent Company and Affiliates involved in any Processing of Personal Data under this DPA. For purposes of this clause, “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the Company, and “Parent Company” means any entity that directly or indirectly controls SimplyBook.me Ltd.

Confidentiality

4.8. The Company hereby ensures that any worker or appointed person authorised to Process Personal Data for and on our behalf is subject to appropriate contractual and statutory confidentiality obligations with respect to that Personal Data.

Personal Data Breach

4.9. The Company shall notify the Data Controller of any Personal Data Breach without undue delay and in any event no later than 72 hours after becoming aware of the breach, unless a longer period is expressly permitted by applicable Data Protection Laws due to law enforcement requirements or circumstances beyond the Company’s reasonable control. Such notification shall include, at a minimum:

  • a description of the nature of the breach;
  • the categories and approximate number of data subjects and personal data records concerned;
  • the likely consequences of the breach; and
  • the measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where notification is delayed due to law enforcement requirements or circumstances beyond the Company’s reasonable control, and only to the extent such delay is permitted by applicable Data Protection Laws, the Company shall notify the User as soon as reasonably practicable and shall provide reasons for the delay.

4.10. The Company shall provide the Data Controller with all relevant information as it becomes known or as reasonably requested by the Data Controller, and shall offer reasonable cooperation and assistance necessary to enable the Data Controller to fulfill its obligations to notify supervisory authorities and, where applicable, affected data subjects in accordance with applicable Data Protection Laws.

4.11. The Company shall also promptly provide any additional assistance reasonably required by the Data Controller to investigate, respond to, and remedy the Personal Data Breach.

Deletion or Return of Personal Data

4.12. The Company hereby agrees, upon termination or expiration of the Services, to delete or return to the Data Controller, at your written request, all Personal Data relating to the Main Agreement and this DPA, including but not limited to copies of Personal Data which was Processed for the purpose of this DPA, in line with the relevant provisions of the Main Agreement. Such deletion or return shall be completed within sixty (60) days of termination or expiration, in accordance with the Company’s standard data deletion procedures, unless retention is required by applicable law. The Company shall provide written confirmation to the Data Controller upon completion of the deletion or return of Personal Data.

4.13. If applicable law requires the Company to retain some or all Personal Data, the Company will comply. In such cases, the Company will apply additional security measures, including isolating and protecting the retained data from further processing, and will restrict access only to personnel who need it to fulfill legal obligations. Upon your request, the Company will inform the Data Controller of the legal basis and expected duration of this retention.

5. Data Subject Requests

5.1. The Data Controller hereby acknowledges, agrees and accepts that the Company shall provide it with controls in the Software via which the Data Controller can retrieve, correct, delete or restrict Personal Data, in order to assist the Data Controller in meeting the requirements of Data Protection Laws.

5.2. The Company may, subject to a written request by the Data Controller, provide reasonable assistance in responding to any Data Subject Requests or requests from Data Protection Authorities relating to the Processing of Personal Data under this DPA, subject to any reimbursement deemed necessary.

5.3. The Data Controller undertakes the whole, exclusive and sole responsibility to respond to Data Subject Request(s) or other communications regarding the Processing of Personal Data from individual(s) identified as Your client(s), including where such requests are addressed to the Company, subject to prompt notification of such request by us to the Data Controller.

6. Sub-Processors

6.1. The Company shall not engage any new Sub-Processor for the Processing of Personal Data pursuant to this DPA and Main Agreement unless it has obtained the prior written authorisation of the Data Controller. The current list of Sub-Processors is included in Annex 4 herein, the Sub-Processors’ List, which is hereby incorporated by reference and forms an integral part of this Agreement. Some Sub-Processors will apply as default, and some Sub-Processors will apply only if you integrate them to Your Account, as per the Sub-Processors section of the official website, as may be amended: https://simplybook.me/en/integrations.

6.2. The Company hereby ensures that where a Sub-Processor is appointed, the relevant legal agreement shall be concluded between related parties which shall include appropriate data protection terms subject to appropriate Data Protection Laws and impose at least the same level of protection for Personal Data, as the provisions of this DPA and where deemed necessary, include the last version of Standard Contractual Clauses, as issued by the European Commission.

6.3. The Company remains responsible for each Sub-Processor’s compliance with the obligations in this DPA and for any act or omission of such Sub-Processor that causes us to breach any of our obligations under this DPA.

6.4. The Company will notify the Data Controller in writing of any intention to appoint a new Sub-Processor or remove an existing Sub-Processor, and the Data Controller may object to the proposed change on reasonable and documented data protection grounds by providing written notice to dpo@simplybook.me within thirty (30) days of receiving the notification. If the Company cannot reasonably accommodate the Data Controller’s objection, either Party may terminate the affected Services by providing thirty (30) days’ written notice.

6.5. The Company will provide sufficient information regarding each new or removed Sub-Processor, including their role and the nature of their processing activities, to enable the Data Controller to make an informed decision. The Company will not engage any new Sub-Processor until either:

(a) the Data Controller’s written authorisation is received; or

(b) the thirty (30) day objection period has expired without objection. Objections may be submitted to dpo@simplybook.me or legal@simplybook.me.

7. Data Transfers

7.1. The Data Controller hereby acknowledges, consents and authorises the Company, subject to the provisions herein, to perform necessary Data Transfers for internal and external business operations to third parties identified as Sub-Processors herein, which may be located outside the EU and/or the EEA.

7.2. Pursuant to provisions herein, both Parties hereby confirm and agree that any Data Transfers will be performed solely for the purpose of the Main Agreement, this DPA and any additional written Instructions communicated from the Data Controller to the Company, only for the subject matter.

7.3. The Parties hereby mutually agree that, pursuant to the provisions herein, the Company shall perform any and all Data Transfers subject to the provisions of Chapter 5 (Articles 44-50) of the GDPR and always in compliance with the requirements of applicable Data Protection Laws for the duration of this DPA and the Main Agreement.

7.4. Pursuant to provisions herein, the Company will not transfer European Data to any country or recipient that is not recognised as providing adequate protection for Personal Data under European Data Protection Laws, unless the Company first takes measures to ensure the transfer complies with those laws.

Adequate Level of Protection.

7.5. Pursuant to provisions herein, the Company shall not authorise any Data Transfer to a country which is not recognised as providing an adequate level of protection via:

(a) a valid Adequacy Decision issued by the European Commission, subject to Article 45 of the GDPR and as may be illustrated on the official website of the European Commission (Adequacy Decisions); and/or

(b) approved and authorised Binding Corporate Rules, subject to Article 47 of the GDPR; and/or

(c) conclusion of and reliance on approved Standard Contractual Clauses, subject to relevant European Data Protection Laws and as per the official website of the European Commission (Standard Contractual Clauses (SCC)).

7.6. The Parties hereby acknowledge and agree that the Company shall not rely on the EU-US Privacy Shield and related principles for the purposes of transferring Personal Data, and shall ensure that appropriate measures are taken to comply with applicable Data Protection Laws, as may be amended from time to time, relying instead on the Data Privacy Framework to the extent applicable and valid.

Standard Contractual Clauses for the Parties.

7.7. Where required, the parties hereby conclude Standard Contractual Clauses which shall be incorporated by reference and form part of this Agreement, as per applicable relevant provisions of Annex 5 below, which is hereby incorporated by reference and forms an integral part of this Agreement, and subject matter herein.

8. Additional Provisions

European Data.

8.1. This part of the DPA applies to European Data for the purposes of the Main Agreement.

8.2. The Parties hereby agree that when Processing European Data in accordance with the Instructions, You are the Controller of European Data and the Company is the Processor.

8.3. The Company reserves the right to inform the Data Controller, without undue delay, where Instructions infringe European Data Protection Laws, as and when applicable.

8.4. The Company will update Annex 4 as necessary to reflect any changes to the list of appointed Sub-Processors and will notify the Data Controller of such changes by email. You will have thirty (30) days from receipt of the notification to object to the engagement of a new Sub-Processor on reasonable grounds relating to this DPA. Each notification will include sufficient details about the new or removed Sub-Processor, including their role and the nature of their processing activities, to enable You to make an informed objection.

8.5. To the extent reasonably possible and where the Data Controller does not otherwise have access to the required information, the Company will provide reasonable assistance to the latter, in connection with any Data Protection Impact Assessments (“DPIA”) and any prior consultations with Supervisory Authorities or other competent Data Privacy Authorities, as required by applicable European Data Protection Laws.

8.6. The Company will make available all information reasonably necessary to demonstrate compliance with this DPA and may allow for audits, including but not limited to inspections, as reasonably requested by the Data Controller, subject to discretion of the Company.

8.7. The Company has appointed a Data Protection Officer (“DPO”) in accordance with European Data Protection Laws which may be contacted for any matters relating to this DPA or the Main Agreement at dpo@simplybook.me.

Other Data.

8.8. This part of the DPA applies to Personal Data other than European Data, under the provisions of applicable Data Protection Laws and the Parties agree that the Company shall Process such Personal Data strictly in accordance with applicable Data Protection Laws and solely for the purposes of providing the Services under the provisions of the Main Agreement.

8.9. The Parties shall enter into any additional legally binding agreements required by law for the purpose of complying with the applicable Data Protection Laws.

9. General Provisions

9.1. This DPA will remain in force from the Effective Date and until the Data Controller or Data Processor terminates the Main Agreement, in accordance with its applicable provisions. Notwithstanding termination or expiration of this DPA, the provisions regarding confidentiality, data protection, liability, and any other terms which by their nature are intended to survive, shall remain in full force and effect.

9.2. This DPA may be terminated by either party with thirty (30) days’ written notice, pursuant to the provisions of the Main Agreement and by cancelling the system in system settings.

9.3. The Company may amend this DPA by giving You at least 30 days’ written notice and if the Data Controller does not accept the amendment, they may terminate this DPA and the Main Agreement by giving written notice within the notice period. If the Data Controller continues to use the services after the notice period, they hereby accept the amendments and no amendment will reduce the data protection standards applicable to you under this DPA.

9.4. If individual provisions of this DPA are held to be invalid or unenforceable, the validity and enforceability of the remaining provisions of this DPA shall not be affected.

9.5. Neither Party may, without the prior written consent of the other Party, assign, transfer, charge, license, or otherwise deal in or dispose of any contractual rights or obligations under this Agreement.

9.6. To the extent permitted by law, the User shall indemnify and hold harmless the Company against any claims, damages, liabilities, costs, and expenses (including reasonable attorneys’ fees) arising out of or in connection with the User’s breach of this DPA or applicable Data Protection Laws, or the Data Controller’s instructions that infringe applicable law.

9.7. Except as otherwise required by applicable law, the Company’s aggregate liability arising out of or relating to this DPA, whether in contract, tort, or otherwise, shall not exceed the total fees paid by the Data Controller to the Company under the Main Agreement in the twelve (12) months preceding the event giving rise to the claim. In no event shall the Company be liable for any indirect, incidental, special, consequential, or punitive damages, or for loss of profits, revenue, data, or use, even if advised of the possibility of such damages.

9.8. The Parties agree that this DPA may be executed and delivered electronically, including by click-through acceptance or through an electronic signature platform. Any electronic acceptance, signature, or other form of electronic agreement will have the same legal effect as a handwritten signature and will be deemed valid and binding on the Parties.

9.9. The Parties hereby agree and accept the choice of jurisdiction indicated in the Main Agreement in respect of this DPA.

ANNEXES TO THE DPA

Annex 1: Definitions

This Annex 1: Definitions, forms part of the DPA.

“Data Controller”: means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Data Processor”: means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Data Controller.

“Data Protection Laws”: means all applicable worldwide legislation relating to data protection and privacy which applies to the respective Party in its role in the Processing of the Personal Data in question under the Agreement, including without limitation: (1) the European Data Protection Laws; (2) the California Consumer Privacy Act of 2018 (“CCPA”); (3) the data protection and privacy laws of Australia and Singapore; (4) other such laws; in each case as amended, repealed, consolidated or replaced from time to time.

“Data Subject”: means the individual to whom Personal Data relates.

“EU-US Privacy Shield”: the self-certification program operated by the U.S. Department of Commerce and approved by the European Commission, as may be amended, superseded or replaced.

“European Data Protection Laws”: means data protection laws applicable in Europe, including: (1) Regulation 2016/679 - the EU General Data Protection Regulation (“GDPR”); (2) Directive 2002/58/EC - the Directive on privacy and electronic communications; (3) applicable national implementations of points 1 and 2 above; (4) any applicable national legislation that replaces or converts the GDPR into domestic law; (5) the Data Protection Act 2018 of the United Kingdom (the “UK GDPR”); in each case, as may be amended, superseded or replaced.

“Europe”: means the European Union, the European Economic Area and/or their member states.

“European Data”: means Personal Data that is subject to the protection of European Data Protection Laws, as defined above.

“Effective Date” shall mean the later of (a) Your click-through acceptance during account setup; or (b) Your electronic signature via our e-signature platform.

“Instructions”: any written, documented instructions issued by the Data Controller to the Data Processor, and directing the same to perform a specific or general action with regard to Personal Data, including, but not limited to, depersonalising, blocking, deletion, making available.

“Permitted Affiliates”: shall include any of Your Affiliates that are permitted to obtain the Services on Your behalf pursuant to the Main Agreement, but have not signed their own separate agreement with us, are not Users, qualify as a Controller of Personal Data Processed by us, and may be subject to European Data Protection Laws.

“Personal Data Breach”: shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by us and/or our Sub-Processors in connection with the provision of the Services but does not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

“Personal Data”: means any information relating to an identified or identifiable natural person (Data Subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, and which is protected as personal information or personally identifiable information under applicable Data Protection Laws.

“Processing”: shall mean any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data and the terms “Process”, “Processes” and “Processed” will be construed accordingly.

“Permitted Affiliates” means any Affiliates of the User that (a) are permitted to use the Services under the Main Agreement, and (b) are not direct parties to a separate agreement with SimplyBook.me Ltd for those Services. For purposes of this definition, “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a party, where “control” means the ownership of more than fifty percent (50%) of the voting interests of the entity.

“Services”: shall have the same meaning as in the Main Agreement.

“Standard Contractual Clauses”: means the standard contractual clauses for Data Processors approved pursuant to the European Commission’s relevant decision and as included in Annex 5 herein which forms part of the Agreement and as may be amended, superseded or replaced.

“Sub-Processor”: means any Data Processor engaged by us to assist fulfilling our obligations with respect to the provision of the Services under the Main Agreement and may include third parties, excluding any employee or consultant of SimplyBook.me Ltd.

“UK IDTA” shall mean the template addendum issued by the UK Information Commissioner’s Office (“ICO”), the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, as made available on the official website of the ICO (International data transfer agreement and guidance | ICO), and as may be amended, suspended or replaced.

“User” shall mean the person or entity entering into this DPA as Data Controller, on which this DPA is binding, with authority to enter into this DPA on its own behalf and, if applicable and legally binding, on behalf of its Permitted Affiliates, with details as per its Software Account.

Annex 2: Details of Processing

This Annex 2: Details of Processing forms part of the DPA.

(a) Nature and purpose of the Processing: the Company will Process Personal Data as required for the purpose of providing the Services under the Main Agreement, as may be further specified in additional documentation forming part of the Main Agreement and the DPA.

(b) Duration of the Processing: subject to any provisions contained herein specifying otherwise, Processing of Personal Data shall occur for the duration of the Main Agreement, unless otherwise agreed in writing.

(c) Categories of Data Subjects: pursuant to the provisions of the Main Agreement, Data Subjects shall include any type of the User’s clients and may therefore vary according to the Data Controller’s use of the system.

(d) Categories of Personal Data: pursuant to the provisions of the Main Agreement, categories of Personal Data may vary in accordance with the usage of the System and the bookings made by the User’s clients, and may include: name, surname, email address and phone number. To the extent applicable, and as may be requested by the User when using the System, further information, such as that entered when completing additional fields or adding comment(s) linked to booking(s) for a relevant individual, details on the status of bookings, and whether the individual attended or paid for the booking, may fall under the definition of Personal Data for which You are acting as the Data Controller pursuant to the provisions of this Agreement. This list is not exhaustive and does not necessarily apply to every User.

Special Categories of Personal Data may include information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Such information may be submitted by Your clients via the System, at Your sole discretion and request, as notes/additional fields information and/or comments. Note that where you have our SOAP custom feature, data at rest will be encrypted.

(e) Processing Operations: these include the standardised internal processes by which system users’ data are continuously or systematically collected, stored and used for the provision of the Services, in line with the Main Agreement. The Data Processor will Process Personal Data on behalf of the Data Controller for the purpose of operating the Appointment Scheduling System: accepting appointments, sending reminders, processing payments, selling products, running promotions and other related activities enabled by our custom features.

Annex 3: Security Measures

1. This Annex 3 Security Measures forms part of the DPA and all capitalised terms, not otherwise defined herein, shall have the same meaning set forth in the Main Agreement.

2. The measures herein form part of the ISMS, which shall be maintained in accordance with best practices and standards, including regular review and updates to address evolving threats and vulnerabilities.

3. This Annex shall be read in conjunction with the official Security page of the Company, as may be amended (here), which provides further details on the technical and organisational measures in place, and/or with the documents of our Security Package, where that has been made available.

A. Access Control & Management.

In line with our internal Access Control Policy, which is part of our ISMS, internal access rights and permissions are role-based and commensurate with each role’s functional responsibilities, in line with the “least privilege”, “need-to-know” and “need-to-use” principles. To minimise the risk of information being disclosed or accessed prematurely, accidentally or unlawfully, the authorisation infrastructure described below has been implemented as part of our ISMS:

access to internal information by unauthorised users is blocked by default, and privileged access and activities, as well as authorised and unauthorised access attempts, are logged and managed; and

where available, two-factor authentication (2FA) is used when accessing systems, in particular those used for the Processing of Personal Data; and

we conduct internal audits of access rights to internal resources, systems, applications, transactions and processes to verify that each right is authorised and necessary, and we modify and re-validate personnel access authorisations and rights as needed based on these reviews.

For users of our system, 2FA login is available through the “Google Authenticator” and “HIPAA” custom features, and password management is available through the “Strict Password” custom feature.

B. Encryption.

The Company uses appropriate encryption technologies to protect Personal Data and implements policies and procedures to protect electronic information from improper alteration or destruction:

for data in transit, all external communications use encrypted channels secured with standard protocols (up to TLS 1.3, with AES-128 or AES-256 cipher suites), depending on the software involved and the compatibility constraints that apply; and

for data at rest, encryption is available for SOAP notes and medical history through the “SOAP with Data Encryption” custom feature.

C. Information Classification & Handling.

The Company shall have in place an appropriate Record of Processing Operations, an Asset Handling Procedure and an Acceptable Use Policy, all of which ensure that all information, including Personal Data, is classified according to its criticality and its sensitivity to unauthorised access, disclosure or modification.

D. Human Resources Security.

The Company has taken reasonable measures to ensure that its employees and contractors who have access to Personal Data are aware of, and comply with, its security and privacy policies and procedures.

The measures include:

(a) background checks, e.g. criminal record checks, for all employees and contractors with access to Personal Data;

(b) conclusion of a Non-Disclosure and Confidentiality Agreement and a Data Processing Agreement with all employees and contractors;

(c) participation in training and awareness programmes for employees and contractors, focused on the protection of Personal Data, privacy and security.

E. Operational Security.

The Company is committed to ensuring correct and secure facilities for the Processing of Personal Data by:

controlling the changes to the processing systems and facilities by implementing and maintaining procedures in line with the internal Change Management Policy;

performing regular backups and backup restoration tests by implementing and maintaining procedures in line with the internal Backup Policy;

maintaining and analysing event logs with records of user activities, exceptions, errors and information security events;

implementing policies and procedures that govern the receipt, removal, reuse and disposal of hardware and electronic media that contain electronic protected health information (ePHI);

ensuring clock synchronisation for all relevant Information Processing Systems;

performing systematic and controlled patching of systems, applications, and network components, with particular priority for security updates;

deploying Endpoint Detection and Response solutions on workstations and servers;

performing regular Vulnerability Assessment and Penetration Test campaigns, and addressing the resulting remediations and mitigations according to the criticality and priority of the vulnerabilities found.

F. Network Security.

The Company has implemented firewall protection, network environment segregation principles and Intrusion Detection Systems, and regularly monitors network activity.

G. Secure Development.

The Company carries out software development and the related support processes in accordance with adopted secure system development principles, such as:

security by design;

code review;

Static Application Security Testing (SAST);

security testing performed for any change or new development;

segregation of development, testing and production environments.

H. Supplier Security & Privacy Assessments.

The Company performs security and privacy assessments when engaging new suppliers, and annually thereafter, in line with the internal Supplier Relationships Policy, which requires the Company to:

establish a due diligence framework for the selection, oversight and ongoing monitoring of suppliers, in particular critical and/or material suppliers; and

ensure that contractual relationships with suppliers align with the Company’s and team.blue Group’s values, ethical standards and legal requirements; and

engage critical and/or material suppliers on the basis of the Company’s internal risk assessment; and

mitigate the risks associated with engaging a supplier, such as cyber risk, financial risk, corruption and bribery risk, and fraud risk.

The Company acknowledges its responsibility to inform the Data Controller of any changes to the provision of the Services pursuant to the Main Agreement.

I. Business Continuity and Incident Management.

The Company has established a Business Continuity Plan which defines a set of contingency procedures that are invoked for all identified impacts, including emergency mode operation. The strategy addresses the allowable outage times and associated priorities identified for key activities. The Company trains the personnel who have defined responsibilities under the plan in their roles, and reviews the plan regularly by testing the relevant action plans.

The Company ensures a consistent approach to the management of privacy and security incidents, including communication on security breaches and weaknesses, in line with the internal Incident Management Policy and Procedure of the Company which contains the Personal Data Breach Notification Procedure.

Generally, the incident management process defines roles, responsibilities and operational methodologies to:

identify and respond to suspected or known security incidents; mitigate, to the extent practicable, the harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes; and

ensure that an organisational incident response policy is in place that addresses all parts of the organisation in which ePHI is created, stored, processed, or transmitted; and

review incident response procedures with staff who have roles and responsibilities related to incident response; solicit suggestions for improvements; and make changes to reflect input if reasonable and appropriate; and

update the procedures as required based on changing organisational needs; and

measure effectiveness and update security incident response procedures to reflect lessons learned, and identify actions to take that will improve security controls after a security incident; and

use information on incidents caused or influenced by known risks as feedback into the risk assessment process, for a re-evaluation of impact and/or likelihood; and

manage remediation and corrective action plans that arise from incidents as input to the risk assessment/management process.

J. Internal Security Audits

The Company performs periodic assessments of risks to Personal Data and reviews the effectiveness of the implemented security policies and procedures. Internal security audits are performed regularly, and remediation management is continuously monitored. At least annually, external audits are conducted by accredited certification bodies for the maintenance of our ISO certification.

Annex 4: List of Sub-Processors

1. Read this Annex 4 together with Clause 5 and the other applicable provisions of this DPA.

2. Where applicable, the respective Sub-Processors apply when You enable and/or integrate their systems with Your Account, as made available in the System and on the official website of SimplyBook.me Ltd (here).

3. The Company will ensure that the list of Sub-Processors is kept up to date and includes a clear description of each Sub-Processor's role and the nature of processing performed.

Entity | Purpose of processing / service | Location
Live Agent | Services & Support: live chat services via our website | Slovakia (EU)
Slack | Services & Support: internal messaging system for communication | USA
Linode | Services & Support: outbound email provider | UK
PandaDoc | Services & Support: electronic signatures, where You sign our DPA or other agreements electronically | USA
Twilio Inc. | Services & Support: SMS provider | USA
Brevo (Sendinblue SAS) | Services & Support: email provider | France
Vonage Holdings Corp. | Services & Support: SMS provider | UK
Hubspot | Services & Support: CRM for enterprise users | Germany
Savio.io | Services & Support: feedback management | Canada
Google Inc. | Hosting & Infrastructure: servers (all listed locations apply) | USA, Canada, Belgium and Australia
OVH | as above | UK, Canada, France, Singapore and Australia
MaxMind, Inc. | Services & Support / Statistics & Analytics: IP address intelligence services | USA
Matomo | Statistics & Analytics: self-hosted services on Google Cloud | UK
Leadinfo | Statistics & Analytics: website optimisation for enterprise users | Netherlands

Payment Service Providers (PSPs):

Nuvei | Key PSP: payment processing | Canada
PayPal | as above | USA
JCC | as above | Cyprus

Other PSPs may apply as integrated to Your Account, as per the list of available integrations.

Key integrations/features:

Meta (Facebook) | Hosting & Infrastructure: adds widget options via the Facebook and Instagram booking feature | USA
Instagram | as above | USA
Outlook (Microsoft) | Hosting & Infrastructure: use of the Outlook calendar two-way synchronisation feature | USA

Other entities may apply, depending on the specific feature enabled on Your Account, as per the available integrations.

Annex 5: Standard Contractual Clauses

1. Under and for the purposes of the GDPR, the latest version of the Standard Contractual Clauses available on the official website of the European Commission (found here), as may be amended, suspended or replaced, is incorporated herein by reference, is followed for the subject matter and forms part of this DPA, and the Parties mutually understand and agree that:

(a) the Company assumes the rights and obligations of the data importer, and You those of the data exporter, as defined in the Standard Contractual Clauses, which take effect on the later of the time at which either Party becomes a party to them and the commencement of the relevant data transfer;

(b) Module Two: Transfer controller to processor is adopted;

(c) in Clause 7, the optional docking clause applies;

(d) in Clause 9, Option 2 applies, and changes to Sub-Processors will be notified in accordance with the “Sub-Processors” section of this DPA and Annex 4 above;

(e) in Clause 11, the optional language is deleted;

(f) in Clauses 17 and 18, the Parties agree that the governing law and the forum for disputes under the Standard Contractual Clauses are determined in accordance with the section “Contracting Entity; Governing Law; Notice” of the jurisdiction-specific terms or, if that section does not specify an EU Member State, the Republic of Ireland (without reference to conflict of laws principles);

(g) the Annexes to the Standard Contractual Clauses will be deemed completed with the information relevant to the User set out in the Annexes to this DPA;

(h) the supervisory authority that will act as the competent supervisory authority will be determined in accordance with the GDPR;

(i) if and to the extent the Standard Contractual Clauses conflict with any provision of this DPA, the Standard Contractual Clauses shall prevail to the extent of such conflict.

2. Under the Swiss Federal Act on Data Protection and its Ordinance (“Swiss DPA”), the Standard Contractual Clauses apply in accordance with point 1 above and the points below, with references to “Regulation (EU) 2016/679” interpreted as references to the Swiss DPA, references to the “EU”, the “Union” and “Member State law” interpreted as references to Swiss law, and references to the “competent supervisory authority” and “competent courts” replaced with the “Swiss Federal Data Protection and Information Commissioner” and the “competent courts in Switzerland”.

3. Under and for the purposes of the UK GDPR, in line with point 1 above and the provisions herein, the latest version of the UK IDTA, as may be amended, suspended or replaced and currently made available on the official website of the UK Information Commissioner’s Office (“ICO”) (found here), is incorporated herein by reference, is followed for the subject matter and forms part of this DPA. The Standard Contractual Clauses are hereby modified and interpreted to align with the UK IDTA, which is incorporated by reference and forms an integral part of this DPA. The information in the Annexes to this DPA completes the information required in Tables 1, 2 and 3 of the UK IDTA, and Table 4 will be deemed completed by selecting “neither party”. Any conflict between the terms of the Standard Contractual Clauses and the UK IDTA will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.

The full signed version of our DPA, which contains the full text of the latest Standard Contractual Clauses, is available here.