Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between PeasyBooking Technologies Inc. (“PeasyBooking”, “Processor”) and the customer business (“Customer”, “Controller”). It governs PeasyBooking’s processing of personal information about the Customer’s clients and patients (“Client Data”) in the course of providing the service.
1. Roles and instructions
The Customer is the organization with control over Client Data and is responsible for the lawful basis and any consents for its collection and use. PeasyBooking processes Client Data solely (a) to provide and support the service, (b) in accordance with the Customer’s documented instructions (including those given through the product), and (c) as required by law. If we believe an instruction violates applicable privacy law, we will inform the Customer.
2. Customer obligations
The Customer represents that it has provided required notices and obtained required consents from its clients, and that its instructions comply with applicable privacy laws, including PIPEDA and applicable provincial health-information laws.
3. Confidentiality
We ensure that personnel authorized to process Client Data are bound by confidentiality obligations and access it only as needed to perform their duties.
4. Security
We implement and maintain the technical and organizational measures described in Annex B, designed to protect Client Data against unauthorized or unlawful processing and accidental loss, destruction, or damage.
5. Sub-processors
The Customer authorizes PeasyBooking to engage the sub-processors listed in Annex C to process Client Data. We impose data-protection obligations on each sub-processor that are no less protective than this DPA, and we remain responsible for their performance. We will give notice of intended changes to sub-processors and a reasonable opportunity to object.
6. Assisting the Customer
Taking into account the nature of the processing, we will provide reasonable assistance to help the Customer respond to requests from individuals exercising their rights (such as access and correction) and to meet the Customer’s security, breach-notification, and assessment obligations.
7. Personal data breach
We will notify the Customer without undue delay after becoming aware of a breach of security safeguards affecting Client Data, and will provide information reasonably available to help the Customer meet its notification obligations under PIPEDA and applicable provincial law.
8. Location of processing
Client Data is stored in Canada (Google Cloud northamerica-northeast1, Montréal). Where a sub-processor processes limited data outside Canada to deliver its service, we ensure comparable protections apply.
9. Return and deletion
On termination or account closure, Client Data is handled per the Terms: a 30-day grace period during which data can be recovered, after which it is permanently deleted from active systems, with backups aging out on a rolling schedule. On request before deletion, we will make Client Data available for export in a commonly used format.
10. Audit
On reasonable written request, and subject to confidentiality, we will make available information necessary to demonstrate compliance with this DPA.
11. Liability and term
Each party’s liability under this DPA is subject to the limitations in the Terms. This DPA remains in effect for as long as PeasyBooking processes Client Data.
Annex A — Details of processing
- Subject matter: provision of the PeasyBooking scheduling, records, payments, and communications service.
- Duration: the term of the Customer’s subscription, plus the retention period in Section 9.
- Nature and purpose: storing and processing Client Data to enable booking, records management, reminders, payments, and messaging.
- Categories of data subjects: the Customer’s clients and patients.
- Categories of data: contact details, appointment and service history, and any notes or records the Customer chooses to store, which may include health-related information.
Annex B — Security measures
- Encryption of data in transit (TLS) and at rest.
- An encrypted records vault for sensitive client records.
- Role-based access controls and least-privilege staff access.
- Network isolation (private connectivity to the database).
- Audit logging of access and administrative actions.
- Automated, regularly tested backups with point-in-time recovery.
- Secure software-development and change-management practices.
Annex C — Sub-processors
- Google Cloud Platform (Canada) — hosting, database, file storage.
- Google Identity Platform / Firebase — authentication.
- Stripe — subscription billing and payments.
- Resend — transactional email delivery.
- SMS provider — text-message reminders (when enabled by the Customer).
Contact
DPA inquiries: PeasyBooking Technologies Inc., Attn: Privacy Officer, 150 Evergreen Mount SW, Calgary, AB T2Y 0L8, or info@peasybooking.com.