Data Processing Agreement
Last updated: November 2025
This Data Processing Agreement (“DPA”) forms part of the contract between ClearBook AB (“ClearBook”, “Processor”) and the customer using the ClearBook platform (“Customer”, “Controller”). It reflects our respective obligations under the EU General Data Protection Regulation (GDPR).
1. Definitions
- Affiliate – any entity that controls, is controlled by, or is under common control with a party.
- Personal Data, Data Subject, Processing, Supervisory Authority – as defined in GDPR.
- Sub-processor – any processor engaged by ClearBook to assist with processing Personal Data on behalf of the Customer.
- Services – the ClearBook booking and scheduling platform and related offerings.
2. Scope & Duration
ClearBook processes Personal Data on the Customer’s behalf only for providing the Services. Processing continues for the duration of the subscription and any post-termination retention period required under the service agreement, unless otherwise instructed in writing.
3. Categories of Data & Data Subjects
Depending on how the Customer uses the Services, Personal Data may relate to the following categories of Data Subjects:
- End customers booking appointments.
- Staff members and contractors managed by the Customer.
- Tenant administrators and account users.
Data types may include contact details, booking information, payment references, availability, and notes.
4. Processor Obligations
- Process Personal Data only on documented instructions from the Customer.
- Ensure authorized personnel are bound by confidentiality obligations.
- Implement appropriate technical and organizational measures, including encryption, role-based access, monitoring, backups, and secure development practices.
- Assist the Customer with data subject rights by providing export, erasure, and purge tooling and by responding to reasonable additional requests.
- Assist the Customer with GDPR Articles 32–36 obligations, considering the nature of processing.
- Notify the Customer without undue delay after becoming aware of a Personal Data breach, including relevant details for compliance reporting.
- Delete or return Personal Data at the Customer’s choice after the end of services, subject to legal retention requirements. Soft-deleted records are purged after the configured grace period (default 30 days).
- Make available information necessary to demonstrate compliance and allow audits with reasonable notice and safeguards.
5. Customer Responsibilities
- Ensure a lawful basis for processing and transferring Personal Data to ClearBook.
- Configure roles, access, and retention settings to meet applicable laws.
- Respond to data subject requests that pertain to Customer-controlled data.
- Avoid uploading sensitive categories unless legally permitted and configured appropriately.
6. Sub-processors
- Customer authorizes ClearBook to engage Sub-processors listed on our sub-processor page and any future Sub-processor we notify the Customer about.
- ClearBook imposes data protection obligations on Sub-processors equivalent to those in this DPA.
- If the Customer objects to a new Sub-processor, the parties will work in good faith to resolve the concern.
7. International Transfers
When Personal Data is processed outside the EEA, ClearBook ensures compliance with GDPR Chapter V using safeguards such as Standard Contractual Clauses or adequacy decisions.
8. Records & Cooperation
ClearBook maintains records of processing activities and cooperates with supervisory authorities upon request. We will promptly inform the Customer if a request conflicts with applicable law.
9. Liability
Liability under this DPA is governed by the limitations set out in the Service Agreement.
10. Miscellaneous
- This DPA prevails over conflicting terms in the Service Agreement regarding data protection matters.
- The DPA is governed by the laws of Sweden and follows the dispute resolution terms of the Service Agreement.
- We will communicate DPA updates in writing. Continued use of the Services signifies acceptance.
Signature
To obtain a countersigned copy, download and sign this DPA or email legal@clearbook.dev with your completed details.