Overview
This Data Processing Agreement of SimplyBook.me Ltd and its Annexes (collectively the “DPA” or “Agreement”) is a legally binding agreement between SIMPLYBOOK.ME LTD, a company incorporated and organized under the laws of the Republic of Cyprus, with Registration Number: 387490 and having its Registered Address at 21 Karaiskaki Street, Oasis Centre, Flat/Office: 23, 3093 Limassol, Cyprus; and You, the User of our System (collectively the “Parties”).
This DPA is concluded between You and SimplyBook.me Ltd for the purpose of processing personal data on your behalf pursuant to the Terms and Conditions of the SimplyBook.me System and any other supplementary document and/or legally binding agreement in writing (hereafter collectively the “Main Agreement”).
Read this document carefully and in conjunction with our Privacy Policy.
This DPA forms part of the Main Agreement, as may be amended and in case of any conflict or inconsistency with the terms of this Agreement, this DPA shall take precedence over the terms of the Agreement to the extent of such conflict or inconsistency for the subject matter.
We reserve the right to amend this DPA from time to time in order to reflect changes in the law or in our business operations. We will notify you of any major changes. Contact us if you want a copy of an older version of the DPA.
Last update: 28.12.2020
Effective date: 04.01.2021
FOR A SIGNED VERSION CLICK HERE.
Annex 2: Details of Processing
This Annex 2: Details of Processing forms part of the DPA.
A. Nature and purpose of the Processing
SimplyBook.me Ltd will Process Personal Data as required for the purposes of providing the Services, pursuant to the Main Agreement and as may further be specified in additional documentation which forms part of this DPA.
B. Duration of the Processing
Subject to any provisions contained herein specifying otherwise, Processing of Personal Data shall occur for the duration of the Main Agreement, unless otherwise agreed in writing.
C. Categories of data subjects
Pursuant to the provisions of the Main Agreement, Data Subjects shall include any type of the User’s clients and therefore may vary according to the Data Controller’s usage of the System.
D. Categories of personal data
Pursuant to the provisions of the Main Agreement, the categories of Personal Data may vary in accordance with the usage of the System and may cover the below:
- name and surname
- email address
- phone numbers
- information that is requested by the Data Controller through the usage of additional fields
- information that the Data Controller makes as comments on individual bookings that relate to a person
- medical related personal information, concerning the evaluation of patients as may be encrypted at rest on the Data Processor’s servers at the Data Controller’s choice
- information on the status of bookings, such as whether the Data Subject attended or paid for the booking
- a medical-related information field on the subject used for non-medical informational purposes by the Data Controller
- the Data Controller’s comments on a Data Subject’s bookings, which may relate to the services required or contain personal information on the subject matter.
The above varies according to the Data Controller’s usage of the System and is not exhaustive.
E. Special categories of data (if applicable)
- Medical and health-related information that describes SOAP notes and medical history, when the feature is enabled in the System.
- Transactional information about an individual’s purchases or income.
F. Processing operations
Standardised internal processes in which system users’ data are continuously or systematically collected, stored and used for the provision of the Services, in line with the Main Agreement. The Data Processor will Process Personal Data on behalf of the Data Controller for the purpose of using the Appointment Scheduling System to accept appointments, send reminders, process payments, sell products, run promotions and perform other related activities supported by our custom features.
Annex 3: Security Measures
This Annex 3: Security Measures forms part of the DPA and all capitalised terms, not otherwise defined herein, shall have the same meaning set forth in the Main Agreement.
The measures herein form part of the ISMS which shall be maintained in accordance with best practices and standards.
A. Access control and management
SimplyBook.me Ltd has taken appropriate measures to prevent unauthorised access to the System, network, applications and ultimately Personal Data, such as:
- 1. Access Control Policies and Procedures are in place;
- 2. Access rules are based on the “need-to-know” and “least privilege” principles, and direct access to databases is restricted;
- 3. 2FA authentication is used by workers when accessing the System for the Processing of Personal Data;
- 4. 2FA secure login is available to the User through the “Google Authenticator” and “HIPAA” custom features;
- 5. Password Management is available with the “Strict Password” custom feature for the User.
B. Encryption
SimplyBook.me Ltd uses appropriate encryption technologies to protect Personal Data and where applicable:
- data in transit: for all communications between end-users and the server;
- the “SOAP with Data Encryption” custom feature.
C. Information classification and handling
SimplyBook.me Ltd has in place an appropriate Record of Processing Operations, an Asset Handling Procedure and an Acceptable Use Policy, all of which ensure that all information, including Personal Data, is classified in accordance with its criticality and its sensitivity to unauthorised access, disclosure or modification.
D. Human resources security
SimplyBook.me Ltd has taken reasonable measures to ensure that its employees and contractors who have access to Personal Data are aware of and adhere to the security and privacy policies and procedures, including:
- 1. background verification checks, such as criminal records checking for all employees and contractors with access to Personal Data;
- 2. conclusion of Non-Disclosure and Confidentiality Agreement for all employees and contractors;
- 3. participation in training and awareness programs by employees and contractors, focused on the protection of personal data, privacy and security.
E. Operational security
SimplyBook.me Ltd has taken reasonable measures to ensure that its employees and contractors who have access to Personal Data are aware of and adhere to the security and privacy policies and procedures, including:
- 1. controlling the changes to the processing systems and facilities by implementing and maintaining procedures in line with the internal Change Management Policy;
- 2. performing regular back-ups and tests of back-ups, by implementing and maintaining procedures in line with the internal Back-Up Policy;
- 3. maintaining event logging with records of user activities, exceptions, errors and information security events;
- 4. ensuring clock synchronisation for all relevant Information Processing Systems.
F. Network security
SimplyBook.me Ltd has implemented firewall protection and an Intrusion Detection System, and regularly monitors network activity.
G. Secure development
SimplyBook.me Ltd performs software development and relevant support processes according to adopted secure system engineering principles such as:
- 1. Security by design;
- 2. Security testing shall be performed for any changes or new developments;
- 3. Development/testing/production environments shall be separated.
H. Supplier assessments
SimplyBook.me Ltd performs regular assessments of supplier services and acknowledges its responsibility to inform the Data Controller of any changes to the provision of the Services pursuant to the Main Agreement.
I. Business continuity and incident management
SimplyBook.me Ltd ensures a consistent approach to the management of privacy and security incidents, including communication on security breaches and weaknesses via:
- 1. the Business Continuity and Incident Management Procedures, which are documented and tested regularly; and
- 2. the Personal Data Breach Notification Procedure which is documented and tested regularly.
J. Internal security audits
SimplyBook.me Ltd performs periodic assessments of risks to Personal Data and reviews the effectiveness of the implemented security policies and procedures.
Annex 4: List of Sub-Processors
Read this Annex 4 in conjunction with Clause 5 and other applicable provisions of the DPA.
SUB-PROCESSOR | PURPOSE | LOCATION
Google Inc. | Hosting & Infrastructure | USA
Facebook | Hosting & Infrastructure | USA
Live Agent | Services & Support | Europe
OVH | Hosting & Infrastructure | UK, Canada, France & Singapore
Amazon Web Services Inc. | Hosting & Infrastructure | Ireland
Linode | Mail Server | UK
Nexmo (Vonage Holdings Corp.) | Services & Support | UK
Sendinblue | Services & Support | France
Hotjar | Statistics & Analytics | France
Piwik | Statistics & Analytics | France
Twilio Inc. | Services & Support | USA
PayPal | Payment Processing Provider | USA
MaxMind Inc. | Services & Support | USA
Borgun | Payment Processing Provider | Iceland
SafeCharge | Payment Processing Provider | UK, USA, Canada
Annex 5: Standard Contractual Clauses
The latest version of the Standard Contractual Clauses, available on the official website of the European Commission here, is implemented and followed for the subject matter.
Get the full signed version of our DPA containing the applicable SCC here.