Data Processing Agreement - SimplyBook.me scheduling software

Overview

This Data Processing Agreement of SimplyBook.me Ltd and its Annexes (collectively the “DPA” or “Agreement”) is a legally binding agreement between SIMPLYBOOK.ME LTD, a company incorporated and organized under the laws of the Republic of Cyprus, with Registration Number: 387490 and having its Registered Address at 21 Karaiskaki Street, Oasis Centre, Flat/Office: 23, 3093 Limassol, Cyprus; and You, the User of our System (collectively the “Parties”).

This DPA is concluded between You and SimplyBook.me Ltd for the purpose of processing personal data on your behalf pursuant to the Terms and Conditions of the SimplyBook.me System and any other supplementary document and/or legally binding agreement in writing (hereafter collectively the “Main Agreement”).

Read this document carefully and in conjunction with our Privacy Policy.

This DPA forms part of the Main Agreement, as may be amended and in case of any conflict or inconsistency with the terms of this Agreement, this DPA shall take precedence over the terms of the Agreement to the extent of such conflict or inconsistency for the subject matter.

We reserve the right to amend this DPA from time to time, in order to reflect changes in the law or our business operations. We will notify you for any major changes. Contact us if you want a copy of our old versions of the DPA.

Last update: 28.12.2020
Effective date: 04.01.2021

1. DEFINITIONS
2. RESPONSIBILITIES OF YOU
3. RESPONSIBILITIES OF SIMPLYBOOK.ME:
SECURITY, CONFIDENTIALITY, PERSONAL DATA BREACHES, DELETION OR RETURN OF PERSONAL DATA
4. DATA SUBJECTS REQUESTS
5. SUB-PROCESSORS
6. DATA TRANSFERS:
RESTRICTED DATA TRANSFERS
7. TRANSFER MECHANISMS FOR DATA TRANSFERS
8. ADDITIONAL PROVISIONS:
UROPEAN DATA, OTHER DATA
9. PARTIES TO THE DPA
10. GENERAL PROVISIONS

Annex 1: Definitions
Annex 2: Details of Processing
Annex 3: Security Measures
Annex 4: Sub-Processors
Annex 5: Standard Contractual Clauses

FOR A SIGNED VERSION CLICK HERE.

1. Definitions

1.1 In addition to the terms defined elsewhere in this Agreement, for all the purposes of the subject matter hereof, the terms included in Annex 1 (the “Definitions”) herein shall have the meanings set forth therein.
1.2 The Parties mutually agree and understand that for the purposes of this Agreement, all the definitions of the European Data Protection Laws are adopted.

2. Responsibilities of you

2.1 In line with the provisions of this DPA and Main Agreement, You are responsible to comply as Data Controller with all requirements applicable to your operations under applicable Data Protection Laws, for the Processing of Personal Data.
2.2 You agree and acknowledge that, without prejudice to the generality of the below; there is sole responsibility towards You for:
- 2.2.1 the accuracy, quality and legality of the Personal Data provided by You for the purposes of the Services as well as the means and methods of acquiring that;
- 2.2.2 compliance with with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Personal Data, including obtaining any necessary consents and authorizations, particularly for use by the User for marketing purposes;
- 2.2.3 ensuring that You have the right to transfer or provide access to, the Personal Data to us for Processing in accordance with the terms of this DPA and Main Agreement;
- 2.2.4 ensuring that You comply with any laws applicable to You, including but not limited to Data Protection Laws, for any emails or other content created, sent or otherwise managed through our Services.
2.3 You hereby confirm and agree to inform SimplyBook.me Ltd promptly and without any undue delay, if You are not able to comply with your obligations under this Clause 2, and specifically under the applicable Data Protection Laws.
2.4 The provisions herein and any relevant provisions of the Main Agreement shall constitute the complete and final Instructions of You as Data Controller for the purposes of this DPA for and in relation to the Processing of Personal Data.
2.5 The Parties agree that, any additional Instructions outside the scope herein, shall require prior written agreement between them.

3. Responsibilities of SimplyBook.me

3.1 SimplyBook.me shall only Process Personal Data for the purpose of described in this DPA and in line with Annex 2 herein (the “Details of Processing”) or as otherwise agreed within the scope of your lawful Instructions, except where and to the extent otherwise required by applicable law.
3.2 SimplyBook.me shall not be held responsible and liable for compliance with applicable Data Protection Laws which apply to You or your industry, but are not legally applicable to our operations.
3.3 SimplyBook.me shall notify You immediately and without any undue delay, to the extent permitted by law; where it is deemed we are unable to Process Personal Data in accordance with your Instructions, due to legal requirements of applicable laws or requirements.

Security

3.4 SimplyBook.me shall implement and maintain appropriate technical and organisational measures, for the protection of Personal Data, in accordance with Annex 3 herein (the “Security Measures”).
3.5 The Security Measures form part of the implemented Information Security Management System (the “ISMS”) of SimplyBook.me Ltd, in accordance with the ISO/IEC 27001:2013 standard.
3.6 Notwithstanding any provision to the contrary, we may modify or update the Security Measures at our discretion provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures.

Confidentiality

3.7 SimplyBook.me hereby ensures that any worker or appointed person authorised to Process Personal Data for and on our behalf is subject to appropriate confidentiality obligations, contractual and statutory obligations with respect to that Personal Data.

Personal data breaches

3.8 SimplyBook.me hereby agrees to notify prompt and without undue delay once becoming aware of any Personal Data Breach, following the provisions of applicable Data Protection Laws and where necessary provide You with information as it becomes known or reasonably requested by You.
3.9 At Your request, SimplyBook.me hereby agrees to promptly provide You with such reasonable assistance as necessary to enable notifying relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, pursuant to the applicable Data Protection Laws.

Deletion or return of personal data

3.10 SimplyBook.me hereby agrees to delete or return to You all Personal Data relating to the Main Agreement and this DPA, including but not limited to copies of Personal Data which was Processed for the purpose of this DPA, on termination or expiration of Services, in line with the relevant provisions of the Main Agreement.
3.11 The requirement herein shall be exercised pursuant to any applicable law which may require to retain some or all Personal Data, subject to additional security measures such as isolation and protection from further Processing.

4. Data subject requests

4.1 You hereby acknowledge, agree and accept that SimplyBook.me Ltd shall provide You with controls that You can use to retrieve, correct, delete or restrict Personal Data in order to assist You in connection with the requirements of Data Protection Laws.
4.2 SimplyBook.me shall, upon your written request provide reasonable assistance for responding to any Data Subject Requests or requests from Data Protection Authorities relating to the Processing of Personal Data under this DPA, subject to any reimbursement deemed necessary for our assistance.
4.3 If a Data Subject Request or other communication regarding the Processing of Personal Data under this DPA is made directly to us, we will promptly inform You and advise the Data Subject to submit their request to You.
4.4 You will be solely responsible for responding substantively to any such Data Subject Requests or communications involving Personal Data.

5. Sub-processors

5.1 You hereby acknowledge, agree and accept that we may appoint Sub-Processors for the Process of Personal Data pursuant to this DPA and Main Agreement in line with Annex 4: Sub-Processors List (the “List of Sub-Processors”) herein.
5.2 SimplyBook.me hereby ensures that where a Sub-Processor is appointed, data protection terms will be imposed on the latter providing at least the same level of protection for Personal Data, as the provisions of this DPA; including but not limited to the last version of Standard Contractual Clauses, as issued by the European Commission.
5.3 SimplyBook.me shall impose data protection terms to Sub-Processors to the extent permitted by applicable laws and in line with the nature of the services to be provided.
5.4 SimplyBook.me shall remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and and for any acts or omissions of such Sub-Processor that cause us to breach any of its obligations under this DPA.

6. Data transfers

6.1 You hereby acknowledge, agree and accept that SimplyBook.me Ltd shall access and Process Personal Data on a global basis, as deemed necessary and appropriate for the purposes of providing the Services in line with this DPA and Main Agreement.
6.2 You hereby acknowledge, agree and accept that Personal Data will be transferred to and Processed by SimplyBook.me Ltd in the Republic of Cyprus and other jurisdictions where we have operations.
6.3 SimplyBook.me Ltd hereby guarantees that the transfer of Personal Data shall be made in compliance with the requirements of the Data Protection Laws, at all times.

Restricted data transfers

6.4 The Parties hereby enter into the Standard Contractual Clauses included in Annex 5 (the “Standard Contractual Clauses”) in respect of any Restricted Transfer pursuant to the Main Agreement for the provision of Services and as part of this DPA.
6.5 SimplyBook.me Ltd shall be the “data importer” and You shall be the “data exporter” for the purposes of Clause 6.4 herein.
6.6 The Standard Contractual Clauses shall come into effect on the later of either Party becoming a party to them and the commencement of the relevant Restricted Transfer.
6.7 The Parties agree that where the Standard Contractual Clauses are applicable and there is a conflict with any provision of this DPA, the Standard Contractual Clauses will prevail to the extent of such conflict for the subject matter.

7. Transfer mechanisms for data transfers

7.1 SimplyBook.me shall not not transfer European Data to any country or recipient not recognised as providing an adequate level of protection for Personal Data, in accordance with the provisions of the European Data Protection Laws; unless such measures are first taken to ensure the transfer is in compliance with applicable European Data Protection Laws.
7.2 For the purposes of this Clause 7.1. such measures shall include without limitation, transferring such data:
- 7.2.1 to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data;
- 7.2.2 to a recipient that has achieved Binding Corporate Rules authorization in accordance with European Data Protection Laws; or
- 7.2.3 to a recipient that has executed appropriate Standard Contractual Clauses in each case as adopted or approved in accordance with applicable European Data Protection Laws.
7.3 SimplyBook.me shall not rely on the EU-US Privacy Shield and related principles for the purposes of transferring Personal Data and ensure appropriate measures are taken to comply with applicable Data Protection Laws as may be amended from time to time.

8. Additional provisions (European data)

8.1 This part of the DPA applies to European Data for the purposes of the Main Agreement.
8.2 The Parties hereby agree that when Processing European Data in accordance with the Instructions, You are the Controller of European Data and SimplyBook.me Ltd is the Processor.
8.3 SimplyBook.me reserves the right to inform You where Instructions infringes European Data Protection Laws, as and when applicable, without undue delay.
8.4 SimplyBook.me will make any necessary changes to Annex 4 regarding the appointed Sub-Processors and give you the opportunity to be notified via email in which case You have the opportunity to object to the engagement on reasonable grounds relating this DPA and within 30 (thirty) days after such notification.
8.5 SimplyBook.me shall, to the extent that the required information is reasonably available and you do not otherwise have access to the required information; provide reasonable assistance to You with any Data Protection Impact Assessments, and prior consultations with Supervisory Authorities or other competent Data Privacy Authorities to the extent required by European Data Protection Laws.
8.6 SimplyBook.me shall make all information reasonably necessary to demonstrate compliance with provisions herein, available to You and may allow for audits including but not limited to inspections.
8.7 The Data Processor has appointed a Data Protection Officer (“DPO”) in line with the European Data Protection Laws and can be contacted for the purposes of this DPA and Main Agreement via email: dpo@simplybook.me.

(Other data)

8.8 This part of the DPA applies to Personal Data other than European Data, under the provisions of applicable Data Protection Laws.
8.9 The Parties agree that SimplyBook.me Ltd shall Process such Personal Data strictly in accordance with applicable Data Protection Laws and solely for the purposes of providing the Services under the provisions of the Main Agreement.
8.10 The Parties shall enter into any additional agreements required by law for the purpose complying with the applicable Data Protection Laws.
8.10 The Data Processor has appointed a UK Representative for all the processing of personal data taking place in the UK, contacted via email UKRepresentative@simplybook.me.

9. Parties to the DPA

9.1 By signing the Main Agreement, You as a User of the System enter into this DPA on behalf of Yourself and where applicable and to the extent permitted by law and applicable Data Protection Laws, in the name and on behalf of Your Permitted Affiliates, establishing a separate DPA between us and each such Permitted Affiliate subject to the Agreement and provisions herein.
9.2 You hereby agree and acknowledge that each Permitted Affiliate agrees to be bound by the obligations of this DPA and as applicable to the Main Agreement.
9.3 You hereby agree and acknowledge that to the extent permitted by law, for the purposes of this DPA and except as otherwise provided herein, “User”, “You” and “Your” will include You and such Permitted Affiliates.
9.4 The legal entity agreeing to this DPA as User represents that it is authorized to agree to and enter into this DPA for and on behalf of itself and, as applicable, each of its Permitted Affiliates.

10. General provisions

10.1 This DPA will remain in force from the Effective Date and until the Data Controller or Data Processor terminates the Main Agreement, in line with applicable provisions.
10.2 This DPA may be terminated by either party with a 30 (thirty) days written notice, pursuant to the provisions of the Main Agreement and by cancelling the system in system settings.
10.3 Notwithstanding anything else to the contrary in this DPA and Main Agreement, SimplyBook.me reserves the right to make any updates and amendments to this DPA subject to any additional terms herein.
10.4 If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.
10.5 Neither party may, without the prior written consent of the other party assign, transfer, charge, license or otherwise deal in or dispose of any contractual rights or obligations under this Agreement.
10.6 The Parties and Permitted Affiliates' liability arising out of or related to this DPA in whole whether in contract, tort or under any other theory of liability, will be subject to the limitations and exclusions of liability set out in the Main Agreement.
10.7 The Parties hereby agree and accept the choice of the jurisdiction indicated in the Main Agreement in respect of this DPA.

Annex 1: Definitions

”Data Controller”	means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Protection Laws”	means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including without limitation European Data Protection Laws, the California Consumer Privacy Act of 2018 (“CCPA”) and the data protection and privacy laws of Australia and Singapore; in each case as amended, repealed, consolidated or replaced from time to time.
“Data Subject”	means the individual to whom Personal Data relates.
“Data Processor”	means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Data Controller.
"Europe"	means the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom.
“European Data”	means Personal Data that is subject to the protection of European Data Protection Laws.
"European Data Protection Laws"	means data protection laws applicable in Europe, including: (i) Regulation 2016/679 - The General Data Protection Regulation ("GDPR"); and (ii) Directive 2002/58/EC; and (iii) applicable national implementations of (i) and (ii); or (iii) any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the United Kingdom leaving the European Union; and (iv) Swiss Federal Data Protection Act on 19 June 1992 and its Ordinance; in each case, as may be amended, superseded or replaced.
“EU-US Privacy Shield”	the self-certification program operated by the U.S. Department of Commerce and approved by the European Commission, as may be amended, superseded or replaced.
“Instructions”	any written, documented instructions issued by the Data Controller to the Data Processor, and directing the same to perform a specific or general action with regard to Personal Data, including, but not limited to, depersonalizing, blocking, deletion, making available.
"Permitted Affiliates"	includes any of Your Affiliates that is permitted to obtain the Services on your behalf, pursuant to the Main Agreement, but have not signed their own separate agreement with us and are not users and qualify as a Controller of Personal Data Processed by us, and can be subject to European Data Protection Laws.
“Personal Data Breach”	a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by us and/or our Sub-Processors in connection with the provision of the Services but does not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
“Processing”	any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms <span class="bold">“Process”</span>, <span class="bold">“Processes”</span> and <span class="bold">“Processed”</span> will be construed accordingly.
“Services”	shall have the same meaning as in the Main Agreement
“Standard Contractual Clauses”	means the standard contractual clauses for Data Processors approved pursuant to the European Commission’s decision as included in Annex 5 herein and as may be amended, superseded or replaced.
“Sub-Processor”	means any Data Processor engaged by us to assist fulfilling our obligations with respect to the provision of the Services under the Main Agreement and may include third parties, excluding any employee or consultant of SimplyBook.me Ltd.

Annex 2: Details of Processing

This Annex 2: Details of Processing forms part of the DPA.

A. Nature and purpose of the Processing

SimplyBook.me Ltd will Process Personal Data as required for the purposes of providing the Services, pursuant to the Main Agreement and as may further be specified in additional documentation which forms part of this DPA.

B. Duration of the Processing

Subject to any provisions contained herein specifying otherwise, Processing of Personal Data shall occur for the duration of the Main Agreement, unless otherwise agreed in writing.

C. Categories of data subjects

Pursuant to the provisions of the Main Agreement, Data Subjects shall include any type of User’s clients and therefore may vary by the system usage from the Data Controller.

D. Categories of personal data

Pursuant to the provisions of the Main Agreement, categories of Personal Data may vary in accordance with the usage of the System and my cover the below:

name and surname
email address
phone numbers
information that is requested by the Data Controller through the usage of additional fields
information that the Data Controller makes as comments on individual bookings that relate to a person
medical related personal information, concerning the evaluation of patients as may be encrypted at rest on the Data Processor’s servers at the Data Controller’s choice
information on the status of bookings, whether they attended, or paid for booking
medical related information field on subject used for non medical informational purposes by the Data Controller
the Data Controller’s comments on Data Subject‘s bookings that can relate to services required, or personal information on the subject matter.

The above shall vary by the system usage from the Data Controller and is not absolute.

E. Special categories of data (if applicable)

Medical and Health related information that describes SOAP information and medical history - when the feature is enabled in the system.
Transactional information about an individual's purchasing, or income.

F. Processing operations

A standardised internal processes in which system users’ data are continuously or systematically collected, stored and used for the provision of the Services, in line with the Main Agreement. The Data Processor will Process Personal Data on behalf of the Data Controller for the purpose of using the Appointment Scheduling System and accept appointments, send reminders, process payments, sell products, make promotions and other related activities allowed by our custom features.

Annex 3: Security Measures

This Annex 3: Security Measures forms part of the DPA and all capitalised terms, not otherwise defined herein, shall have the same meaning set forth in the Main Agreement.

The measures herein form part of the ISMS which shall be maintained in accordance with best practices and standards.

A. Access control and management

SimplyBook.me Ltd has take appropriate measures to prevent unauthorised access to the System, network, applications and eventually Personal Data such as:

1. Access Control Policies and Procedures are in place;
2. Access rules are based on “need-to-know” and “least privileged” principles and direct access to databases is restricted;
3. 2FA authentication is used by the workers when accessing system for Processing of Personal Data
4. 2FA secure login is available with “Google Authenticator” and “HIPAA” custom features for the User.
5. Password Management is available with the “Strict Password” custom feature for the User.

B. Encryption

SimplyBook.me Ltd uses appropriate encryption technologies to protect Personal Data and where applicable:

data in transit: for all communications, between end-users and server

“SOAP with Data Encryption” custom feature.

C. Information classification and handling

SimplyBook.me Ltd has in place an appropriate Record of Processing Operations, an Asset Handling Procedure and an Acceptable Use Policy all of which ensure that all information, including Personal Data are classified in accordance with its criticality and sensitivity to unauthorised access, disclosure or modification.

D. Human resources security

SimplyBook.me Ltd has taken reasonable measures to ensure that its employees and contractors, which have access to Personal Data are aware of and adhere to the security and privacy policies and procedures, including:

1. background verification checks, such as criminal records checking for all employees and contractors with access to Personal Data;
2. conclusion of Non-Disclosure and Confidentiality Agreement for all employees and contractors;
3. participation in training and awareness programs by employees and contractors, focused on the protection of personal data, privacy and security.

E. Operational security

SimplyBook.me Ltd has taken reasonable measures to ensure that its employees and contractors, which have access to Personal Data are aware of and adhere to the security and privacy policies and procedures, including:

1. controlling the changes to the processing systems and facilities by implementing and maintaining procedures in line with the internal Change Management Policy;
2. performing regular back-ups and test of back-ups, by implementing and maintaining procedures in line with the internal Back-Up Policy;
3. maintaining event logging with records of user activities, exceptions, errors and information security events;
4. ensure clock synchronisation for all relevant Information Processing Systems.

F. Network security

SimplyBook.me Ltd has implemented a Firewall Protection, an Intrusion Detection System and is regularly monitoring the Network Activity.

G. Secure development

SimplyBook.me Ltd performs software development and relevant support processes according to adopted secure system engineering principles such as:

1. Security by design;
2. Security testing shall be performed for any changes or new developments;
3. Development/testing/production environments shall be separated.

H. Supplier assessments

SimplyBook.me Ltd performs regular assessments of supplier services and acknowledges the responsibility to inform the Data Controller for any changes to the provision of Services pursuant to the Main Agreement.

I. Business continuity and incident management

SimplyBook.me Ltd ensures a consistent approach to the management of privacy and security incidents, including communication on security breaches and weaknesses via:

1. the Business Continuity and Incident Management Procedures which is documented and tested regularly; and
2. the Personal Data Breach Notification Procedure which is documented and tested regularly.

J. Internal security audits

SimplyBook.me Ltd performs periodic assessments of risks to Personal Data and reviews the effectiveness of the implemented security policies and procedures.

Annex 4: List of Sub-Processors

Read this Annex 4 in conjunction with Clause 5 and other applicable provisions of the DPA.

SUB-PROCESSOR	PURPOSE	LOCATION
Google Inc.	Hosting & Infrastructure	USA
Facebook	Hosting & Infrastructure	USA
Live Agent	Services & Support	Europe
OVH	Hosting & Infrastructure	UK, Canada, France & Singapore
Amazon Web Services Inc.	Hosting & Infrastructure	Ireland
Linode	Mail Server	UK
Nexmo (Vonage Holdings Corp.)	Services & Support	UK
Sendinblue	Services & Support	France
Hotjar	Statistics & Analytics	France
Piwik	Statistics & Analytics	France
Twilio Inc.	Services & Support	USA
PayPal	Payment Processing Provider	USA
MaxMind Inc.	Services & Support	USA
Borgun	Payment Processing Provider	Iceland
SafeCharge	Payment Processing Provider	UK, USA, Canada

Annex 5: Standard Contractual Clauses

The latest version of the Standard Contractual Clauses available on the official website of the European Commission here is implemented and followed for the subject matter.

Get the full signed version of our DPA containing the applicable SCC here.