Data Processing Agreement

Effective: February 27, 2026
Last updated: February 27, 2026

Scope and Purpose

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Slotsy and the Business ("Data Controller"). It governs the processing of personal data by Slotsy ("Data Processor") on behalf of the Business.

This DPA applies to all personal data processed by Slotsy in the course of providing the booking platform services.

Definitions

"Personal Data" means any information relating to an identified or identifiable natural person. "Processing" means any operation performed on personal data. "Sub-processor" means a third party engaged by Slotsy to process personal data. All terms not defined here have the meanings given in the GDPR.

Details of Processing

Slotsy processes personal data for the purpose of providing online booking services, including appointment scheduling, customer communication, and payment processing.

Categories of data subjects include: business customers, staff members, and end-user clients. Types of personal data include: names, contact details, appointment history, and payment information.

Processor Obligations

Slotsy will: process personal data only on documented instructions from the Data Controller, ensure personnel are bound by confidentiality obligations, implement appropriate technical and organizational security measures, and assist the Data Controller with data subject requests and GDPR compliance.

Slotsy will not process personal data for purposes other than those specified in this DPA without prior written consent from the Data Controller.

Sub-Processors

Slotsy may engage sub-processors to assist in providing the Service. A current list of sub-processors is available upon request.

We will notify the Data Controller of any intended changes to sub-processors at least 30 days in advance. The Data Controller may object to a new sub-processor within 14 days.

Data Security

Slotsy implements industry-standard security measures including: encryption of data in transit (TLS 1.3) and at rest (AES-256), access controls and authentication, regular security audits and penetration testing, and intrusion detection and monitoring systems.

Data Breach Notification

Slotsy will notify the Data Controller without undue delay, and in any event within 48 hours, upon becoming aware of a personal data breach.

The notification will include: the nature of the breach, categories and approximate number of affected individuals, likely consequences, and measures taken or proposed to mitigate the breach.

Data Subject Requests

Slotsy will assist the Data Controller in fulfilling data subject requests (access, rectification, erasure, portability, etc.) through appropriate technical and organizational measures.

We will promptly forward any data subject request received directly to the relevant Data Controller.

Audit Rights

The Data Controller has the right to audit Slotsy's compliance with this DPA. Audits may be conducted by the Data Controller or an independent auditor, subject to reasonable notice and confidentiality obligations.

Slotsy will make available all information necessary to demonstrate compliance with GDPR obligations.

Termination and Data Return

Upon termination of the Service agreement, Slotsy will, at the Data Controller's choice, return or delete all personal data within 30 days, unless retention is required by law.

We will provide data export capabilities in standard formats (CSV, JSON) to facilitate data portability.

Contact

For DPA-related inquiries: [email protected]

To request a signed copy of this DPA: [email protected]