Data Processing Agreement

1. Definitions

In this DPA, the following terms have the meanings set out below:

• "Controller": The customer (you) who determines the purposes and means of processing personal data.
• "Processor": Rosenheim Bookings Ltd, which processes personal data on behalf of the Controller.
• "Personal Data": Any information relating to an identified or identifiable natural person.
• "Data Subject": The individual to whom Personal Data relates (your clients/customers).
• "Processing": Any operation performed on Personal Data.
• "GDPR": General Data Protection Regulation (EU) 2016/679.
• "UK GDPR": GDPR as incorporated into UK law by the Data Protection Act 2018.

2. Scope and Roles

2.1 Data Controller

You (the Customer) are the Data Controller. You determine what personal data is collected from your clients and how it is used.

2.2 Data Processor

Rosenheim Bookings acts as a Data Processor. We process personal data only on your documented instructions and in accordance with this DPA.

2.3 Types of Data

We process the following categories of personal data on your behalf:

• Client contact information (name, email, phone number)
• Appointment and booking data
• Payment information (processed through Stripe)
• Communication preferences
• Service history and notes
• Any other data you choose to input

3. Data Processing Obligations

3.1 Processing Instructions

We will process personal data only:

• On your documented instructions
• To provide the Services as described in our Terms
• As required by applicable law

3.2 Confidentiality

All Rosenheim personnel authorized to process personal data are subject to confidentiality obligations and are trained in data protection principles.

3.3 Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of personal data in transit (256-bit SSL/TLS)
• Encryption of personal data at rest (AES-256)
• Regular security assessments and penetration testing
• Access controls and authentication measures
• Regular data backups with encryption
• Security incident response procedures
• ISO 27001 aligned security practices

4. Sub-Processors

4.1 Authorized Sub-Processors

We engage the following sub-processors to assist in providing the Services:

4.2 Sub-Processor Changes

We will notify you at least 30 days before adding or replacing a sub-processor. You may object to the use of a new sub-processor on reasonable data protection grounds within 14 days of notification.

5. Data Subject Rights

We will assist you in responding to requests from Data Subjects exercising their rights under GDPR:

• Right of access: We provide tools to access personal data
• Right to rectification: Data can be updated through the platform
• Right to erasure: We will delete data upon request
• Right to restriction: We can restrict processing as needed
• Right to data portability: Data export available in standard formats
• Right to object: Processing can be stopped upon request

6. Data Breaches

6.1 Notification

We will notify you without undue delay (and in any event within 48 hours) after becoming aware of a personal data breach affecting your data.

6.2 Information Provided

Our notification will include:

• Nature of the breach
• Categories and approximate number of affected records
• Likely consequences
• Measures taken to address the breach
• Point of contact for further information

7. Data Deletion and Return

7.1 Upon Termination

Upon termination of the Services, we will:

• Return all personal data to you in a standard format
• Securely delete all copies of personal data within 90 days
• Provide written certification of deletion upon request

7.2 Legal Requirements

We may retain personal data as required by law, but will notify you and isolate such data from further processing.

8. Audits and Compliance

8.1 Audit Rights

You have the right to audit our compliance with this DPA. We will:

• Provide audit reports and certifications upon request
• Allow reasonable audits with 30 days notice
• Cooperate with regulatory investigations

8.2 Documentation

We maintain records of all processing activities, security measures, and data breaches as required by GDPR.

9. International Data Transfers

9.1 Data Location

Personal data is primarily stored in data centers within the European Economic Area (EEA).

9.2 Transfer Mechanisms

Where we transfer personal data outside the EEA, we ensure appropriate safeguards through:

• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions for certain countries
• Additional security measures as appropriate

10. Liability and Indemnification

10.1 Respective Liability

Each party is liable to the other for damages caused by its violation of this DPA or applicable data protection laws.

10.2 Indemnification

We will indemnify you against claims arising from our breach of this DPA, except where the breach results from your instructions or actions.

11. Term and Termination

This DPA remains in effect for the duration of the Services and survives termination with respect to obligations relating to data deletion, return, and confidentiality.

12. Contact Information

For questions about this DPA or data protection matters:

• Data Protection Officer: dpo@rosenheimbookings.com
• Legal Department: legal@rosenheimbookings.com
• Address: Rosenheim Bookings Ltd, London, United Kingdom