1. DPA Overview

This Data Processing Agreement (DPA) is incorporated into and forms part of the Terms of Service between Reservr Inc. (the "Data Processor") and our customers (the "Data Controller") who use our business management platform services.

1.1 Purpose

This DPA ensures that personal data processing activities comply with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), and establishes the rights and obligations of both parties.

1.2 Scope

This DPA covers:

All personal data processed by Reservr on behalf of customers
Data processing activities related to our platform services
Customer data, employee data, and end-user data
Data processing for business operations and service delivery

1.3 Legal Basis

This DPA is based on:

Article 28 of the GDPR (Processor)
Article 26 of the GDPR (Joint Controllers)
Applicable national data protection laws
Industry best practices and standards

2. Definitions

"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

"Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

"Personal Data" means any information relating to an identified or identifiable natural person ('data subject').

"Processing" means any operation or set of operations which is performed on personal data or on sets of personal data.

"Data Subject" means the identified or identifiable natural person to whom personal data relates.

"Sub-Processor" means any third party engaged by the Processor to process personal data on behalf of the Controller.

3. Data Controller & Processor Roles

3.1 Data Controller (Customer)

As the Data Controller, you are responsible for:

Determining the purposes and means of personal data processing
Ensuring lawful basis for processing personal data
Obtaining necessary consents from data subjects
Implementing appropriate technical and organizational measures
Responding to data subject requests and complaints
Notifying supervisory authorities of data breaches

3.2 Data Processor (Reservr)

As the Data Processor, we are responsible for:

Processing personal data only on documented instructions from the Controller
Implementing appropriate security measures
Ensuring confidentiality of processing
Assisting the Controller with data subject requests
Notifying the Controller of data breaches
Maintaining records of processing activities

3.3 Joint Controllers

In certain circumstances, we may act as joint controllers for specific processing activities. In such cases, we will enter into a separate joint controller agreement that clearly defines our respective responsibilities.

4. Processing Details

4.1 Categories of Personal Data

We process the following categories of personal data:

Customer Data: Names, email addresses, phone numbers, business information
Employee Data: Staff information, schedules, performance data
End-User Data: Client information, appointment data, preferences
Technical Data: IP addresses, device information, usage analytics
Financial Data: Payment information, billing details, transaction records

4.2 Processing Purposes

Personal data is processed for the following purposes:

Providing and maintaining our platform services
Processing appointments and bookings
Managing customer accounts and billing
Providing customer support and technical assistance
Improving our services and user experience
Complying with legal and regulatory requirements

4.3 Data Subjects

Personal data relates to the following categories of data subjects:

Business owners and administrators
Employees and staff members
Clients and customers
End users of our platform
Third-party service providers

4.4 Retention Periods

Personal data is retained for the following periods:

Account Data: Duration of service plus 2 years
Transaction Data: 7 years for legal compliance
Support Data: 3 years after resolution
Analytics Data: 2 years in anonymized form

5. Technical & Organizational Measures

We implement appropriate technical and organizational measures to ensure data security:

5.1 Technical Measures

Encryption: Data encrypted in transit and at rest using AES-256
Access Controls: Role-based access control and multi-factor authentication
Network Security: Firewalls, intrusion detection, and monitoring
Data Backup: Regular encrypted backups with geographic distribution
Monitoring: 24/7 security monitoring and incident detection

5.2 Organizational Measures

Staff Training: Regular data protection and security training
Confidentiality: Confidentiality agreements for all personnel
Access Management: Regular review and revocation of access rights
Incident Response: Documented procedures for security incidents
Audit Trail: Comprehensive logging of all data processing activities

5.3 Security Certifications

SOC 2 Type II certification
ISO 27001 compliance (in progress)
GDPR compliance verification
Regular third-party security assessments

6. Sub-Processors

We may engage sub-processors to assist in providing our services. All sub-processors are bound by data protection obligations.

6.1 Sub-Processor Categories

Cloud Infrastructure: AWS, Azure, Google Cloud Platform
Payment Processing: Stripe, PayPal
Communication Services: Twilio, SendGrid
Analytics & Monitoring: Google Analytics, DataDog
Customer Support: Zendesk, Intercom

6.2 Sub-Processor Requirements

Data protection agreements with equivalent obligations
Appropriate technical and organizational measures
Regular security assessments and compliance verification
Notification of any changes to sub-processing arrangements

6.3 Sub-Processor Changes

We will notify you of any intended changes to our sub-processors at least 30 days in advance. You may object to such changes if you have legitimate concerns about the sub-processor's ability to protect personal data.

7. Data Subject Rights

We assist you in fulfilling data subject rights under applicable data protection laws:

7.1 Rights We Support

Right of Access: Providing copies of personal data upon request
Right to Rectification: Correcting inaccurate personal data
Right to Erasure: Deleting personal data when requested
Right to Portability: Providing data in structured, machine-readable format
Right to Restrict Processing: Limiting processing when requested
Right to Object: Ceasing processing when objected to

7.2 Response Procedures

Data subject requests forwarded to you within 24 hours
Assistance provided in responding to requests
Technical support for data extraction and deletion
Verification of data subject identity before processing requests

7.3 Data Subject Requests

Data subjects may exercise their rights by contacting you directly or through our support channels. We will assist you in responding to such requests in accordance with applicable data protection laws.

8. International Data Transfers

We may transfer personal data outside the European Economic Area (EEA) with appropriate safeguards:

8.1 Transfer Mechanisms

Adequacy Decisions: Transfers to countries with adequate protection
Standard Contractual Clauses: EU Commission approved clauses
Binding Corporate Rules: Internal data protection policies
Certification Schemes: Approved certification mechanisms

8.2 Transfer Documentation

We maintain documentation of all international transfers including:

Transfer impact assessments
Appropriate safeguards implemented
Data subject rights and remedies
Supervisory authority contact information

8.3 Transfer Monitoring

We continuously monitor and assess the adequacy of protection in destination countries and adjust our transfer mechanisms accordingly.

9. Data Breach Notification

We have procedures in place for detecting, assessing, and notifying data breaches:

9.1 Breach Detection

24/7 security monitoring and threat detection
Automated incident response systems
Staff training on breach identification
Regular security assessments and testing

9.2 Notification Timeline

Initial Detection: Immediate internal notification
Assessment: Within 24 hours of detection
Controller Notification: Within 72 hours of confirmation
Supervisory Authority: Within 72 hours if required

9.3 Breach Information

Breach notifications will include:

Nature of the personal data breach
Categories and approximate number of data subjects affected
Likely consequences of the breach
Measures taken to address the breach
Contact details for further information

10. Audit Rights

You have the right to audit our compliance with this DPA:

10.1 Audit Scope

Technical and organizational measures implementation
Data processing activities and procedures
Security controls and access management
Staff training and awareness programs

10.2 Audit Procedures

Audit requests must be made in writing with 30 days notice
Audits must be conducted during business hours
Confidentiality agreements required for auditors
Audit reports must be kept confidential

10.3 Audit Frequency

Audits may be conducted:

Once per year during normal business operations
Immediately following a data breach or security incident
Upon reasonable suspicion of non-compliance
As required by applicable laws or regulations

11. Termination & Data Return

11.1 Termination

This DPA terminates when:

The main service agreement is terminated
Either party provides 30 days written notice
Required by applicable law or regulation
Mutual agreement between the parties

11.2 Data Return

Upon termination, we will:

Return all personal data to you in a structured format
Delete all copies of personal data from our systems
Provide certification of data deletion
Maintain only data required for legal compliance

11.3 Data Retention

We may retain personal data after termination only if:

Required by applicable law or regulation
Necessary for legitimate business purposes
Requested by competent authorities
Agreed upon in writing by both parties

12. Contact Information

For questions about this DPA or data processing activities:

Data Protection Officer: dpo@reservr.com

Privacy Team: privacy@reservr.com

Phone: +61 (0) 7 3000 0000

Address: 123 Business St, Brisbane, QLD 4000, Australia

12.1 DPA Execution

This DPA is automatically incorporated into our Terms of Service and becomes effective when you begin using our services. No separate signature is required.

12.2 DPA Updates

We may update this DPA from time to time to reflect changes in applicable laws or our processing activities. We will notify you of material changes at least 30 days in advance.