Please read the Data Processing Addendum (“DPA") carefully as they form a contract between You ("Customer" or "Purchaser") and Us ("Schedule it Ltd" or "Vendor" or "Our" or "We"). As referenced in sections 8.4 (a) and 9.4 of the Schedule it Ltd Terms of Service available at https://www.scheduleit.com/terms-conditions.htm ("Terms", this DPA will apply where We and Our Group Companies are processors of personal data. The capitalized terms used in this DPA but not defined herein shall have the same meaning as defined in the Terms. In the event of a conflict between this DPA and the Terms, this DPA shall prevail.

1. Data Protection

1.1 Definitions: In this DPA, the following terms shall have the following meanings:

a) "controller", "processor", "data subject", "personal data", "processing" (and "process") and "special categories of personal data" shall have the meanings given in Applicable Data Protection Law; and

b) "Applicable Data Protection Law" shall mean: (i) prior to 25 May 2018, the EU Data Protection Directive (Directive 95/46/EC); (ii) on and after 25 May 2018, the EU General Data Protection Regulation (Regulation 2016/679) and (iii) any other applicable data protection laws and regulations.

1.2 Relationship of the parties: Customer (the controller) appoints Schedule it Ltd as a data processor to process the personal data (if any) recorded by or on behalf of Customer on our platform (the "Data") for the purposes of us providing the services described in our Terms and Conditions (or as otherwise agreed in writing by the parties) (the "Permitted Purpose"). Each party shall comply with the obligations that apply to it under Applicable Data Protection Law.

1.3 Prohibited data: Customer shall not disclose (and shall not permit any data subject to disclose) any special categories of personal data to Schedule it Ltd for processing.

1.4 International transfers: Schedule it Ltd shall not transfer the Data outside of the UK unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law.

1.5 Confidentiality of processing: Schedule it Ltd shall ensure that any person it authorises to process the Data (an "Authorised Person") shall protect the Data in accordance with Schedule it Ltd's confidentiality obligations under the Terms.

1.6 Security: The processor shall implement technical and organisational measures to protect the Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Data (a "Security Incident").

1.7 Subcontracting: Customer consents to Schedule it Ltd engaging third party subprocessors to process the Data for the Permitted Purpose provided that: (i) Schedule it Ltd maintains an up-to-date list of its subprocessors at https://www.scheduleit.com/privacy-sub-processor.htm, which it shall update with details of any change in subprocessors prior to any such change; (ii) Schedule it Ltd imposes data protection terms on any subprocessor it appoints that require it to protect the Data to the standard required by Applicable Data Protection Law. Customer may object to Schedule it Ltd's appointment or replacement of a subprocessor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, Schedule it Ltd will either not appoint or replace the subprocessor or, if this is not possible, Customer may suspend or terminate the Terms (without prejudice to any fees incurred by Customer prior to suspension or termination). Schedule it Ltd will notify Customer of any changes to the list of its subprocessors within 7 days.

1.8 Cooperation and data subjects' rights: Schedule it Ltd shall provide reasonable and timely assistance to Customer to enable Customer to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Schedule it Ltd, Schedule it Ltd shall promptly inform Customer providing full details of the same.

1.9 Data Protection Impact Assessment: If Schedule it Ltd believes or becomes aware that its processing of the Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it shall inform Customer and provide reasonable cooperation to Customer in connection with any data protection impact assessment that may be required under Applicable Data Protection Law.

1.10 Security incidents: If it becomes aware of a confirmed Security Incident, Schedule it Ltd shall inform Customer without undue delay and shall provide reasonable information and cooperation to Customer so that Customer can fulfil any data breach reporting obligations it may have under (and in accordance with the timescales required by) Applicable Data Protection Law. Schedule it Ltd shall further take reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and shall keep Customer informed of all material developments in connection with the Security Incident.

1.11 Deletion of Data: Customer may export all personal data prior to the termination of the Customer's Account. In any event, following the termination of Customer's Account by either party, subject to (ii) and (iii) below, data on Customer's Account will be retained for a period of 14 days from such termination within which Customer may contact Provider to export Service Data; (ii) the e-mail feature, if available within the Service(s), automatically archives any e-mails forming part of Service Data for a period of 3 months; and (iii) logs are archived for a period of 1 year (each a “Data Retention Period”). Beyond each such Data Retention Period, Processor reserves the right to delete all Personal Data in the normal course of operation. This requirement shall not apply to the extent that Schedule it Ltd is required by applicable law to retain some or all of the Data, or to Data it has archived on backup systems, which Data Schedule it Ltd shall securely protect from any further processing except to the extent required by such law.

1.12 Record keeping: Schedule it Ltd will maintain, and allow Customer access to on reasonable prior written notice for an agreed fee to cover any administrative work, complete and accurate records and information to demonstrate its compliance with this Addendum and applicable data protection law.

1.13 Right to Audit: The Purchaser shall have the right to audit Schedule it Ltd records and facilities related to the performance of this Agreement. Such audits may be conducted by the Purchaser or its authorized representatives at reasonable times during normal business hours upon providing 21 days written notice to Schedule it Ltd upon agreement of the scope and methodology. The purpose of such audits is to ensure compliance with the terms of this Agreement and to verify the accuracy of our performance. We shall provide the Purchaser or its authorized representatives with access to all relevant records, documents, and our facilities necessary for the audit. Following the audit, the Purchaser will provide Schedule it Ltd with a written report detailing the findings, including any identified discrepancies, non-compliance issues, or areas for improvement. In the event of non-compliance, the parties shall work together to develop and implement a corrective action plan. Both parties agree to maintain the confidentiality of any proprietary, sensitive, or confidential information disclosed during the audit. All audit-related findings and communications shall be treated as confidential, unless otherwise required by law or regulatory authorities. The Purchaser shall bear all costs associated with the audit, including any expenses incurred by the Purchaser's representatives and Schedule it Ltd during the audit process. Any disputes arising from the audit findings shall be resolved in accordance with the dispute resolution provisions set forth in this Agreement. Audits can be conducted annually during the term of this Agreement and upon reasonable request by either party.

View our Sub-processors here.