Data Processing Addendum
Last updated on: April 12, 2026
GDPR Articles: 28, 32, 33, 44-49
UK GDPR Articles: 28, 32, 33, 44-49
Background
This Data Processing Addendum ("DPA") forms part of the Terms of Service between BookingTimes (ABN 93 115 131 989) ("Processor", "BookingTimes", "we", "us") and the entity agreeing to the Terms of Service ("Controller", "Client", "you") and reflects the parties' agreement regarding the processing of personal data in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK General Data Protection Regulation ("UK GDPR").
This DPA applies where: (a) the Client is established in the European Economic Area ("EEA") or the United Kingdom ("UK"); (b) the Client provides goods or services to individuals in the EEA or UK; or (c) the Client is otherwise subject to the GDPR or UK GDPR and personal data of EEA/UK individuals is processed through the BookingTimes platform.
1. Definitions
In this DPA, unless the context requires otherwise:
- "Applicable Data Protection Law" means the GDPR, the UK GDPR, and any national implementing legislation, as applicable to the processing of personal data under this DPA.
- "Approved SCCs" means the Standard Contractual Clauses approved by the European Commission in Decision 2021/914.
- "Approved UK Transfer Mechanism" means the UK International Data Transfer Agreement or the UK Addendum to the Approved SCCs, as issued by the UK Information Commissioner's Office.
- "Controller" means the Client, which determines the purposes and means of the processing of personal data.
- "Data Subject" means an identified or identifiable natural person whose personal data is processed.
- "Personal Data" means any information relating to a Data Subject that is processed by the Processor on behalf of the Controller through the BookingTimes platform.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
- "Processing" means any operation performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
- "Processor" means BookingTimes, which processes Personal Data on behalf of the Controller.
- "Sub-Processor" means any third party engaged by BookingTimes to process Personal Data on behalf of the Controller.
- "Supervisory Authority" means an independent public authority established by an EU or UK Member State pursuant to the GDPR or UK GDPR.
2. Scope and Roles
2.1. The Controller has engaged BookingTimes to provide scheduling, booking, CRM, payment processing, marketing, and website hosting services ("Services") as described in the Terms of Service.
2.2. In providing the Services, BookingTimes processes Personal Data on behalf of the Controller. The Controller is the data controller and BookingTimes is the data processor with respect to Personal Data processed through the platform.
2.3. The details of the processing are as follows:
| Element | Description |
|---|---|
| Subject matter | Provision of the BookingTimes SaaS platform |
| Duration | For the term of the Client's subscription, plus any applicable retention period |
| Nature and purpose | Storage, retrieval, display, and management of Personal Data to provide scheduling, booking, CRM, payment, marketing, and website hosting services |
| Categories of Data Subjects | End users of the Client's services (customers, patients, students, attendees, and other individuals) |
| Categories of Personal Data | Names, email addresses, phone numbers, postal addresses, booking/appointment details, payment transaction references, communications history, and any other personal data the Client enters into the platform |
| Special categories (if any) | Health-related data where the Client is a healthcare, wellness, or fitness provider (entered at the Client's discretion and under the Client's responsibility) |
3. Controller Obligations
3.1. The Controller warrants that:
- It has a lawful basis under Applicable Data Protection Law for the processing of Personal Data and for instructing BookingTimes to process Personal Data as described in this DPA
- It has provided appropriate notice to Data Subjects regarding the processing of their Personal Data by BookingTimes
- Where consent is the lawful basis, it has obtained valid consent from Data Subjects and can demonstrate such consent
- It will not instruct BookingTimes to process Personal Data in violation of Applicable Data Protection Law
3.2. The Controller is responsible for the accuracy, quality, and legality of Personal Data provided to BookingTimes.
4. Processor Obligations
4.1. BookingTimes shall:
- Process Personal Data only on documented instructions from the Controller, including with respect to transfers of Personal Data outside the EEA/UK, unless required to do so by law (in which case BookingTimes will inform the Controller of that legal requirement before processing, unless prohibited by law)
- Ensure that persons authorised to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement and maintain appropriate technical and organisational security measures as described in Section 6
- Comply with the conditions for engaging Sub-Processors as described in Section 7
- Assist the Controller, taking into account the nature of processing, in responding to Data Subject rights requests as described in Section 8
- Assist the Controller in ensuring compliance with breach notification obligations as described in Section 9
- At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of Services, and delete existing copies unless storage is required by law
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA, and allow for and contribute to audits as described in Section 10
4.2. BookingTimes shall immediately inform the Controller if, in BookingTimes's opinion, an instruction from the Controller infringes Applicable Data Protection Law.
5. Processing Instructions
5.1. The Controller instructs BookingTimes to process Personal Data as necessary to provide the Services in accordance with the Terms of Service and this DPA.
5.2. Additional or alternative instructions must be agreed in writing and may be subject to additional fees if they require changes to the Services.
6. Security Measures
6.1. BookingTimes implements and maintains the following technical and organisational measures to protect Personal Data:
Technical Measures
- Encryption at rest: AES-256 encryption for all databases, file stores, and backups, using keys managed via AWS Key Management Service (KMS)
- Encryption in transit: TLS 1.2 or higher for all external communications; SSL termination at AWS Application Load Balancers with VPC network isolation for internal traffic
- Tenant isolation: Logical data separation using unique BusinessId identifiers, enforced at the application and database layers through stored procedures
- Access control: Role-based access control; production access disabled by default and granted through a time-limited approval process
- Authentication: Multi-factor authentication required for administrative access
- Vulnerability management: Regular vulnerability scanning and patching in accordance with the Vulnerability Management Policy
- Intrusion detection: Security monitoring agents on production systems with centralised alerting
Organisational Measures
- Personnel security: Background checks, confidentiality agreements, and role-based access provisioning
- Training: Annual security awareness and data protection training for all personnel
- Incident response: Documented Incident Response Plan with defined roles and communication procedures
- Business continuity: Business Continuity Plan and Disaster Recovery Plan with defined recovery objectives
- Vendor management: Third-party risk assessments and contractual security requirements as per the Vendor Management Policy
- Audit: Annual SOC 2 Type II audit; PCI DSS SAQ-D compliance
6.2. BookingTimes regularly tests and evaluates the effectiveness of these measures and will update them as necessary to maintain an appropriate level of security, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing.
7. Sub-Processors
7.1. The Controller provides general written authorisation for BookingTimes to engage Sub-Processors to assist in providing the Services.
7.2. BookingTimes's current Sub-Processors are listed in Annex B to this DPA.
7.3. BookingTimes shall:
- Notify the Controller of any intended changes to Sub-Processors (additions or replacements) by email at least 30 days before the change takes effect
- Provide the Controller with an opportunity to object to such changes. If the Controller objects on reasonable grounds relating to data protection, BookingTimes will use commercially reasonable efforts to make available an alternative arrangement. If no alternative is available, either party may terminate the affected Services.
- Ensure that each Sub-Processor is bound by data protection obligations no less protective than those in this DPA
- Remain fully liable for the acts and omissions of its Sub-Processors
8. Data Subject Rights
8.1. BookingTimes shall assist the Controller in fulfilling its obligations to respond to Data Subject rights requests under Applicable Data Protection Law, including requests for access, rectification, erasure, restriction, data portability, and objection.
8.2. If BookingTimes receives a request directly from a Data Subject, BookingTimes will promptly notify the Controller and will not respond to the request unless instructed to do so by the Controller, or unless required by law.
8.3. BookingTimes provides the following platform capabilities to assist the Controller with Data Subject requests:
- Access: Clients can view and export end user records through the platform interface
- Rectification: Clients can update end user records directly in the platform
- Erasure: Clients can delete individual end user records. BookingTimes also provides a configurable ClientIdentifiablePeriod setting and a DeleteAllNonEssentialData option for automated PII deletion
- Restriction: Clients can deactivate end user records without deletion
- Portability: Clients can export end user data in structured formats via the platform
9. Personal Data Breach Notification
9.1. BookingTimes shall notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting the Controller's data.
9.2. Such notification shall include, to the extent available:
- A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records concerned
- The name and contact details of BookingTimes's Data Protection Lead
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
9.3. BookingTimes shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
9.4. BookingTimes's notification of a Personal Data Breach shall not be construed as an acknowledgement of fault or liability.
10. Audits
10.1. BookingTimes shall make available to the Controller, upon reasonable request, information necessary to demonstrate compliance with this DPA.
10.2. BookingTimes shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller, subject to the following conditions:
- The Controller shall provide at least 30 days' written notice of any audit request
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt BookingTimes's operations
- The Controller (or its auditor) shall execute a confidentiality agreement before commencing the audit
- Audits shall be limited to once per 12-month period, unless required by a Supervisory Authority or following a Personal Data Breach
10.3. BookingTimes's current SOC 2 Type II report and other compliance documentation may be provided in lieu of an on-site audit where the Controller agrees that such documentation adequately addresses the Controller's audit requirements.
11. International Data Transfers
11.1. BookingTimes hosts all production data in AWS ap-southeast-2 (Sydney, Australia).
11.2. For transfers of Personal Data from the EEA to Australia, BookingTimes relies on the European Commission's adequacy decision for Australia and, as a supplementary measure, the Approved SCCs (Module 2: Controller to Processor).
11.3. For transfers of Personal Data from the UK to Australia, BookingTimes relies on the Approved UK Transfer Mechanism.
11.4. The Approved SCCs (as set out in Annex A) and/or the Approved UK Transfer Mechanism are hereby incorporated into this DPA by reference. In the event of any conflict between this DPA and the Approved SCCs, the Approved SCCs shall prevail.
11.5. BookingTimes implements supplementary measures to protect transferred Personal Data as described in Section 6 and in the GDPR Compliance Policy.
12. Term and Termination
12.1. This DPA takes effect on the date the Controller accepts the Terms of Service (or, for existing clients, on the date this DPA is published) and remains in effect for the duration of BookingTimes's processing of Personal Data on behalf of the Controller.
12.2. Upon termination of the Services:
- BookingTimes will continue to process Personal Data during any applicable retention period (currently 18 months for expired accounts, as per the Data Retention Policy)
- After the retention period, BookingTimes will delete the Controller's Personal Data from production systems. Backup copies will age out according to the 12-month backup retention schedule.
- The Controller may request earlier deletion by contacting support@bookingtimes.com. Such requests are subject to the deletion process described in the Data Retention Policy.
12.3. The obligations of BookingTimes under this DPA shall survive termination to the extent BookingTimes retains Personal Data.
13. Liability
13.1. Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.
13.2. The parties agree that BookingTimes shall not be liable for any breach of this DPA caused by the Controller's failure to comply with its obligations, including providing unlawful processing instructions.
14. Governing Law
14.1. This DPA is governed by the laws of Australia, except to the extent that Applicable Data Protection Law requires the application of the law of an EU or UK Member State.
14.2. The Approved SCCs are governed by the law of the EU Member State in which the Controller is established, or (where the Controller is not established in the EU) by Irish law. The Approved UK Transfer Mechanism is governed by the laws of England and Wales.
Annex A: Standard Contractual Clauses
The Approved SCCs (Commission Implementing Decision (EU) 2021/914) are incorporated by reference. The following selections apply:
- Module: Module 2 (Controller to Processor)
- Clause 7 (Docking clause): Included
- Clause 9(a) (Sub-processor authorisation): Option 2 (General written authorisation) with 30 days' prior notice
- Clause 11 (Redress): The optional language is not included
- Clause 13(a) (Supervision): The supervisory authority of the EU Member State in which the Controller is established, or (where the Controller is not established in the EU) the Irish Data Protection Commission
- Clause 17 (Governing law): The law of the EU Member State in which the Controller is established, or (where not established in the EU) Irish law
- Clause 18(b) (Forum): The courts of the EU Member State in which the Controller is established, or (where not established in the EU) the courts of Ireland
Annex B: Sub-Processors
The following Sub-Processors are authorised as of the date of this DPA:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure hosting (compute, storage, database, CDN) | Sydney, Australia (ap-southeast-2) |
| Stripe | Payment processing | United States (with global presence) |
| Stripe Connect | Marketplace payment processing for client businesses | United States (with global presence) |
| NAB Transact | Payment processing (AU/NZ clients) | Australia |
| Windcave | Payment processing (NZ/AU clients) | New Zealand |
| eWAY | Payment processing (AU clients) | Australia |
| Authorize.NET | Payment processing (US/CA clients) | United States |
| Xero | Accounting integration (at client's direction) | New Zealand (with global presence) |
| Intuit (QuickBooks) | Accounting integration (at client's direction) | United States |
| Twilio | SMS messaging (reminders, authentication) | United States |
| Amazon SES | Transactional email delivery | Sydney, Australia (ap-southeast-2) |
This list is updated as Sub-Processors change. Clients are notified of changes in accordance with Section 7.
BookingTimes - support@bookingtimes.com