Data Processing Addendum (DPA) for the EU General Data Protection Regulation (GDPR)

This Schedapple Data Processing Addendum (DPA) forms part of, and is subject to the provisions of, Schedapple's Terms of Service agreed by you (the Business Account Holder), and Schedapple LLC.

Introduction

Schedapple is a Software as a Service (SaaS) that enables online scheduling of appointments between business customers ("End Users") and businesses. By signing up for an account with Schedapple, you as the Business Account Holder (BAH) have agreed to our Terms of Service and entered into an agreement for supply of appointment scheduling services by Schedapple to use in your business operations.

Schedapple's web-based appointment scheduling software collects data from End Users on behalf of the BAH and processes the data enabling End Users to schedule appointments online and the BAH to manage these appointments and the collected End User data (the "Service"). Other than the data gathered from the BAH during account registration, Schedapple does not own, control or direct the use of any of the BAH or End User data stored or processed by the BAH via the Service. The BAH owns and controls this data. Only the BAH or End User are entitled to access, retrieve and direct the use of such data. Schedapple is largely unaware of what BAH and End User data is actually being stored or made available by a BAH or End User to the Service and does not directly access such data except as authorized by the BAH or as necessary to provide services to the BAH and its End Users.

Therefore, for the purposes of this DPA you, the BAH, are the data controller ("Controller"), whilst Schedapple is a data processor ("Processor") under the applicable data protection laws. Schedapple is not acting in the capacity of data controller and does not have the associated responsibilities under EU law.

In light of the above, Schedapple and you as the BAH, have agreed on the following terms and conditions concerning the processing of personal data as set out in this written DPA between you and Schedapple pursuant to applicable Data Protection Laws.

Definitions

The following definitions apply solely to this Data Processing Addendum:

  1. The terms "controller", "data subject", "personal data", "personal data breach", "process", "processing", and "processor" have the meanings given to these terms in EU Data Protection Law.
  2. "EU Data Protection Law" means any data protection or data privacy law or regulation of Switzerland or any European Economic Area ("EEA") country applicable to Your Controlled Data, including, as applicable, European Directives 95/46/EC and 2002/58/EC, and any legislation and/or regulation implementing or made pursuant to them, or which amends or replaces any of them (including the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679).
  3. "Sub-Processor" means an entity engaged by Schedapple to process Your Controlled Data.
  4. "Your Controlled Data" means End Users' personal data that Schedapple processes on your behalf and instructions as part of the Service, but only to the extent that you are subject to EU Data Protection Law in respect of such personal data. Your Controlled Data does not include personal data when controlled by us, including without limitation data we collect during account registration and with respect to your interactions with our site (including IP address, device/browser details and web pages visited).

Applicability and Scope

This DPA only applies to you if you are located within the European Economic Area (EEA) or Switzerland and only applies in respect of Your Controlled Data. Schedapple may be an independent controller for some personal data relating to a BAH, such as the data the BAH supplies during account registration and data such as IP addresses and device/browser details. Please see our Privacy Policy for details concerning this personal data which we control. The data for which we act as a controller is not subject to this DPA.

This DPA stipulates the rights and obligations of the Controller (you as the BAH) and the Processor (Schedapple LLC) in the context of processing personal data on behalf of you, the Controller, by the Processor.

Subject Matter, Purpose and Nature of Processing Activities

Schedapple shall provide a web service to allow your End Users to schedule appointments online and allow you to manage these appointments and the collected End User data (the "Service"). We will process Your Controlled Data for the purpose of providing you with the Service, as may be used, configured or modified by you from within your account. Processing activities include: collecting, recording, organization, storage, retrieval, consultation, sorting, saving, transferring, restricting and deleting data.

Duration of Processing

Processing shall begin on the date you signed up for an account and shall be carried out for an unspecified period until your account is canceled.

Type of Data to be Processed

The following data is to be processed: Data entered by Controller's End Users in the process of using the service.

Categories of Persons Affected

The following Data Subjects are affected by the data being processed: End Users of the online scheduling application of the Controller.

Rights and Obligations of the Processor

  • Schedapple will process Your Controlled Data as a Processor only for the purpose of providing the Service in accordance with the Terms of Service and your instructions given to us through your account (provided that such instructions are commensurate with the functionalities of the Service), unless we are legally obliged to carry out a specific type of data processing. Should we be bound by such obligations, we will inform you prior to processing the data, unless informing you is illegal.
  • In the scope of the data processed on your behalf we may only correct, delete or block the data in accordance with the Terms of Service or your written instructions.
  • We will document the instructions received from you and their implementation.
  • We confirm that we are aware of the applicable legal provisions on data protection and will observe the principles of correct data processing and confidentiality of Your Controlled Data.
  • Schedapple is not responsible for the content of the personal data contained within Your Controlled Data or other information stored at your discretion on its servers or its subcontractor servers, nor is Schedapple responsible for the manner in which you collect, handle, disclose, distribute or otherwise process such data. Schedapple is not responsible for personal data that you have elected to process through third party services or outside of the Service, including the systems of any other third-party cloud services, offline or on-premises storage.
  • We shall immediately inform you if, in our opinion, an instruction you issue for processing of Your Controlled Data violates legal requirements and we shall be entitled to cease all processing (other than merely storing and maintaining the security of the affected personal data) until such time as you issue new instructions with which we are able to comply. If this provision is invoked, we will not be liable to you under the Terms of Service for any failure to perform the applicable services until such time as you issue new instructions in regard to the processing. We will notify you if we are unable to comply with your instructions or when applicable laws prevent us from complying with your instructions, except if such disclosure is prohibited by applicable law.
  • Should you as Controller be subject to the inspection of supervisory authorities or any other bodies or should affected persons exercise any rights against you as the Controller, then we shall support you to the extent required, if the data being processed on your behalf is affected. All costs associated with this assistance will be paid by you.
  • We will ensure that the individuals we employ who may process and access the personal data are subject to confidentiality obligations that restrict their ability to disclose the personal data, have received training and/or instruction in the care and handling of personal data and are adequately instructed and supervised on an ongoing basis in terms of fulfilling data protection requirements.
  • We will, to the extent that you cannot reasonably do so through the Service, your account or otherwise, provide reasonable assistance to you in respect of your fulfillment of your obligation as Controller to respond to requests by data subjects seeking to exercise their rights under the Data Protection Law with respect to personal data (including access, rectification, restriction, deletion or portability of personal data, as applicable), to the extent permitted by the law and under Chapter 3 of the GDPR, taking into account the nature of the Service and information available to us. You will be responsible for our reasonable costs arising from our provision of such assistance. If such request is made directly to us we will promptly inform you and will advise data subjects to submit their request to you directly. You as the Controller shall be solely responsible for responding to any data subjects' requests.
  • We shall, in accordance with Data Protection Laws and in response to a reasonable written request by you, make available to you such information in our possession or control related to our compliance with the obligations set forth in this DPA in relation to processing of Your Controlled Data. Where such information is not otherwise available to you, we shall provide you with written responses, provided that you agree not to exercise this right more than one time per calendar year (unless it is necessary for you to do so to comply with EU Data Protection Law). The information to be made available is limited to solely that information necessary, taking into account the nature of the Service, to assist you in complying with your obligations under the GDPR in respect of data protection impact assessments and prior consultation with supervisory authorities which you reasonably consider to be required by article 35 or 36 of the GDPR. You agree that you may be required to agree to a non-disclosure agreement with Schedapple before we share any such information with you.
  • If you are located within the EEA or Switzerland any data processing will be carried out in the EU or EEC. Any change to a third-party country may take place with your consent and in accordance with the conditions stipulated in chapter V of the GDPR and this DPA.
  • We will implement and maintain appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures will be detailed in our Security Statement and shall be appropriate to the harm which might result from such an event and appropriate to the nature of the personal data which is to be protected. We may adjust our data protection measures in line with continued technical and organizational advances in maintaining information security. We will update our Security Statement to inform you of such changes.

Rights and Obligations of the Controller

  • Your Controlled Data is and shall remain your property, and you take full responsibility for Your Controlled Data, including that such data does not infringe any third-party rights or in any other way violate applicable Data Protection Laws.
  • You are solely responsible for the manner Your Controlled Data is collected and used. You will ensure that Your Controlled Data is collected lawfully by you or on your behalf and provided to us by you in accordance with applicable laws, rules and regulations.
  • As the Controller you are solely responsible for determination of the means and purpose of the processing of such data, for assessing the admissibility of the processing requested, and for the rights of affected parties. You are responsible for reviewing the information available from us relating to data security pursuant to the Terms of Service and making an independent determination as to whether the Service meets your requirements and legal obligations as well as your obligations under this DPA. You are responsible for complying with the statutory requirements relating to data protection and privacy, in particular regarding the disclosure and transfer of personal data to us and the processing of personal data.
  • You have the right of full authority to issue instructions concerning data processing on your behalf. You will ensure that your instructions to us comply with all the Data Protection Laws applicable in relation to Your Controlled Data and you will also ensure that the processing of Your Controlled Data in accordance with your instructions will not cause or result in us or you breaching any laws, rules or regulations (including EU Data Protection Law).
  • You agree that the Terms of Service which includes this DPA and the instructions given through your account are the complete and final documented instructions to us in relation to Your Controlled Data. Additional instructions outside the scope of the Terms of Service require prior written agreement between you and Schedapple, including agreement on any additional fees payable by you to us for carrying out such instructions.
  • You shall document all instructions. In urgent cases, instructions may be given verbally. These instructions will be immediately confirmed and documented by you.
  • You shall immediately notify us if you find any errors or irregularities related to statutory provisions on the processing of personal data when reviewing the results of the processing.
  • If you request and we provide you with personal data related to your account that is controlled by us, such as data regarding End User interactions with our web site, you acknowledge that you receive such data as an independent data controller and are responsible for compliance with EU Data Protection Law in that regard.
  • You can access, modify, download and delete Your Controlled Data through your account at any time. Once your account is canceled, Your Controlled Data will be deleted in accordance with our data retention policy.

Audits and Inspections

  • You may, upon written request and at least 30 days' notice to Schedapple, conduct an inspection of business operations to determine compliance with this DPA and the applicable data protection laws or have the same conducted by a qualified third party auditor bound by a duty of confidentiality subject to our approval, which shall not be unreasonably withheld. You shall bear any and all costs associated with the audit or inspection. Inspections at our premises must be carried out during regular business hours and without interrupting our business operations and cannot be conducted more frequently than every 12 months. If we provide evidence of the agreed data protection obligations being correctly implemented, any inspections shall be limited to samples.
  • Upon your written request and on at least 30 days' notice we will provide you with all information necessary for such an audit, to the extent that such information is within our control and Schedapple is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.

Notification Obligations

  • We will notify you without undue delay if we become aware of a personal data breach for which notification to you is required under applicable EU Data Protection Laws. We will, to assist you in complying with your notification obligations under Articles 33 and 34 of the GDPR, provide you with such information about the personal data breach as we are reasonably able to disclose to you, taking into account the nature of the Service, the information available to us and any restrictions on disclosing the information such as for confidentiality. Our obligation to report or respond to a personal data breach under this section is not and will not be construed as an acknowledgment by Schedapple of any fault or liability of Schedapple with respect to the personal data breach. Schedapple's obligations under this section do not apply to incidents that are caused by you, any activity on your account and/or third-party services.
  • We shall immediately inform you of any inspections or measures carried out by supervisory authorities or other third parties if they relate to Your Controlled Data and our Service.
  • We will notify you if we receive an inquiry or complaint from a data subject or other individual whose personal data is included in Your Controlled Data, or a binding demand (such as a court order or subpoena) from a government, law enforcement, regulatory or other body in respect of Your Controlled Data, provided we are permitted to do so by applicable law.

Sub-Processors

  • In the course of providing the Service, you acknowledge and agree that Schedapple may use Sub-Processors to process Your Controlled Data provided that Schedapple's use of any specific Sub-Processor is in compliance with Data Protection Legislation and governed by a contract between Schedapple and Sub-Processor which provides the same level of data protection for Your Controlled Data as this DPA, subject to the nature of the services provided by such Sub-Processor.
  • You agree that Schedapple may continue to use Sub-Processors already engaged by Schedapple as at the date of this DPA, subject to these Sub-Processors meeting requirements of EU Data Protection Legislation. Details of current Sub-Processors used by Schedapple are contained in our Privacy Policy.
  • We shall give you prior written notice of the appointment of any new Sub-Processor, including details of the processing to be undertaken by the Sub-Processor. If, within 5 days of receipt of that notice, you notify us in writing at 1603 Capitol Ave, Ste 310 #A307, Cheyenne, Wyoming 82001 USA of any objections (on reasonable grounds) to the proposed appointment, we will attempt to address your concerns and notify you of our actions. If we are unable to address your concerns we will notify you to allow you to cancel your account before the Sub-Processor commences any activities for Schedapple. No objection from you within 5 days of receipt of our notice will be taken as your consent to use of the Sub-Processor.

Termination of Agreement and Deletion of Personal Data

  • This DPA is terminated by the cancellation of the account by you or Schedapple. If you require a copy of Your Controlled Data you can download the data prior to account termination using our website tools. After account cancellation you can obtain a copy of Your Controlled Data from Schedapple by written request provided that request is made within 13 days of account cancellation. Upon account cancellation all copies of Your Controlled Data will be deleted in accordance with our data retention policy. Until Your Controlled Data is deleted, the provisions of this DPA shall continue to apply. If we are unable to delete personal data for technical or other reasons, we will apply measures to ensure that personal data is blocked from any further processing.

Liability

  • You shall be liable for compensation to anyone for damage caused by any unauthorized party or for incorrect data processing within the scope of the Terms of Service.
  • You shall bear the burden for proving that any damage is the result of circumstances that the Processor is responsible for insofar as the relevant data have been processed under this DPA. If this proof has not been provided, the Controller shall, when initially requested to do so, release the Processor from all claims that are levied against the latter in connection with the data processing.
  • Schedapple shall not be liable to you or your End Users for any loss or damages whether direct or indirect (including, without limitation, damages for loss of production, loss of data, loss of business or profit, loss of use, loss of goodwill or any indirect or consequential damages) unless caused by the gross negligence or intent of the Processor in connection with rendering our Service under this DPA. Our liability is limited to the amount paid to Schedapple by you in the year preceding the incident causing the liability.
  • We shall not be liable if the damage occurred as a result of correctly implementing the Service requested or an instruction provided by you.
  • You shall hold Schedapple harmless and indemnify it for third party claims, damages as well as administrative penalties or fines issued by courts or authorities if and to the extent Schedapple is held liable by a competent court, authority or any other dispute resolution body for processing of personal data that is contrary to the applicable Data Protection Laws, unless such liability has arisen as a consequence of Schedapple's failure to perform its obligations under this DPA.

Miscellaneous

  • Save as specifically modified and amended in this DPA, all of the terms, provisions and requirements contained in the Terms of Service shall remain in full force and effect and govern this DPA. In the event of any conflict or inconsistency between the provisions of the Terms of Service and this DPA, the provisions of this DPA shall prevail.
  • You acknowledge and agree that Schedapple may amend this DPA from time to time by posting the relevant amended and restated DPA on Schedapple's website, available at Schedapple.com and such amendments to the DPA are effective as of the date of posting. Your continued use of the Service after the amended DPA is posted to Schedapple's website constitutes your agreement to, and acceptance of, the amended DPA. If you do not agree to any changes to the DPA, do not continue to use the Service.
  • Should any parts of this agreement be invalid, this will not affect the validity of the remainder of the agreement.
  • You cannot assign the rights or obligations under this DPA to a third-party without Schedapple's express written permission.
  • We may assign our rights and obligations under this DPA to a third party in case of a merger, joint venture or transfer of businesses or substantially all parts of businesses. Any such assignment of rights shall not be considered as Schedapple engaging a Sub-Processor.