Data Processing Addendum
This Data Processing Addendum ("DPA") forms part of the Business Terms of Service between EasyWeek GmbH and the business customer ("Customer") and governs the processing of Customer Personal Data by EasyWeek on the Customer's behalf in connection with the EasyWeek Business Service.
- 1. Definitions
- 2. Roles
- 3. Subject matter, duration, purpose
- 4. Customer instructions
- 5. Confidentiality
- 6. Security (TOMs)
- 7. Sub-processors
- 8. International transfers
- 9. Data principal requests
- 10. Personal data breach
- 11. DPIA and prior consultation
- 12. Audit
- 13. Return and deletion
- 14. Liability and miscellaneous
- Annex I – Description of processing
- Annex II – Technical and organisational measures
- Annex III – Approved sub-processors
Last updated: 15 May 2026
This DPA is incorporated by reference into the Business Terms of Service and becomes effective when the Customer accepts the Business Terms of Service or first uses the Service after the date above, whichever is earlier. A Customer that requires a counter-signed copy of this DPA on company letterhead may request one by writing to privacy@easyweek.io. EasyWeek will counter-sign without changes to the substance of this template.
1. Definitions
Terms capitalised but not defined in this DPA have the meaning given in the Business Terms of Service or in the DPDP Act 2023. In particular:
- "DPDP Act 2023" — the Digital Personal Data Protection Act, 2023 (India), and any rules and regulations notified thereunder.
- "Data Fiduciary", "Data Processor", "Data Principal", "Personal Data", "Personal Data Breach", "Processing", "Sub-processor", "Data Protection Board of India (DPB)" — as defined in DPDP Act 2023 Sec. 2.
- "Customer Personal Data" — Personal Data that the Customer or its authorised users submit to or generate through the Service and which is processed by EasyWeek on the Customer's behalf.
- "SCCs" — the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to GDPR adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, applicable to transfers involving data principals located in the European Economic Area. For cross-border transfers of Personal Data of Indian data principals, the applicable transfer mechanism is DPDP Act 2023 Sec. 16, pursuant to which such transfers may be made to countries or territories notified by the Central Government of India as permissible destinations; any such transfer will be subject to the conditions specified in the applicable Central Government notification.
2. Roles
The Customer is the Data Fiduciary of Customer Personal Data. EasyWeek is the Data Processor and processes Customer Personal Data only on documented instructions from the Customer and in accordance with this DPA, the Business Terms of Service, and applicable law.
The parties acknowledge that EasyWeek is the Data Fiduciary for limited categories of personal data that EasyWeek processes for its own purposes — for example, account credentials of authorised users, billing data, and usage telemetry of the Service. That processing is governed by the Business Privacy Policy, not this DPA.
3. Subject matter, duration, purpose
The subject matter, nature, purpose, duration, categories of Personal Data, and categories of Data Principals are described in Annex I.
The DPA is effective for as long as EasyWeek processes Customer Personal Data on behalf of the Customer and survives termination of the Business Terms of Service for as long as is necessary to comply with Section 13.
4. Customer instructions
The Service itself, the configuration applied by the Customer through the Service's user interface and API, the Business Terms of Service, and this DPA constitute the Customer's complete and final documented instructions to EasyWeek regarding the processing of Customer Personal Data. Any additional or different instructions require written agreement and may incur additional fees.
EasyWeek will inform the Customer without undue delay if, in its opinion, an instruction infringes the DPDP Act 2023 or another applicable data-protection provision, and may suspend the disputed instruction pending the Customer's written confirmation.
5. Confidentiality
EasyWeek ensures that personnel authorised to process Customer Personal Data have committed themselves to confidentiality (or are under an appropriate statutory obligation of confidentiality) and are bound by access controls and least-privilege principles. Access to Customer Personal Data is limited to personnel who need it to operate or improve the Service.
6. Security (TOMs)
EasyWeek implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as set out in Annex II. EasyWeek may update its TOMs over time so long as the level of protection is not reduced.
7. Sub-processors
The Customer hereby grants EasyWeek a general written authorisation to engage Sub-processors. The list of approved Sub-processors as of the date of this DPA is set out in Annex III and maintained at /business/subprocessors.
EasyWeek will notify the Customer at least thirty (30) days in advance of any intended addition or replacement of Sub-processors, through the in-app notification centre and, where the Customer has subscribed, by email. The Customer may object on reasonable, documented data-protection grounds within thirty (30) days of the notice. If the parties cannot agree on a resolution, the Customer may terminate the Business Terms of Service with respect to the portion of the Service that requires the disputed Sub-processor, with a pro-rata refund of pre-paid fees for the remaining term.
EasyWeek imposes data-protection obligations on each Sub-processor by written contract that are no less protective than those set out in this DPA. EasyWeek remains fully liable to the Customer for the performance of its Sub-processors' obligations.
Cross-border data transfers (DPDP Act 2023, Section 16). Where EasyWeek or its Sub-processors transfer personal data of data principals located in India to servers or personnel outside India, such transfers are carried out in accordance with Section 16 of the Digital Personal Data Protection Act, 2023 and any notifications or rules issued thereunder by the Government of India. EasyWeek will not transfer personal data to a country or territory that has been restricted by the Central Government under Section 16. Customers who process personal data of Indian data principals are encouraged to review the current list of permitted transfer destinations and contact EasyWeek at privacy@easyweek.io if they have specific data-residency requirements.
8. International transfers
Where Customer Personal Data is transferred from India to EasyWeek GmbH in Germany or any other country, such transfer is governed by Section 16 of the Digital Personal Data Protection Act, 2023 (DPDP Act 2023). EasyWeek shall transfer Customer Personal Data to countries outside India only to the extent permitted under the DPDP Act 2023 and any rules or orders notified thereunder by the Central Government.
Customer Personal Data is primarily processed in the European Economic Area. Where Customer Personal Data is transferred to a country outside the EEA without an adequacy decision of the European Commission, the Standard Contractual Clauses (SCCs) apply with the following selections:
- Module Two (Controller to Processor) is incorporated by reference for transfers from the Customer (or its EEA controller) to EasyWeek where EasyWeek processes Customer Personal Data in a third country.
- Module Three (Processor to Processor) is incorporated by reference for onward transfers from EasyWeek to Sub-processors in a third country.
- Clause 7 (Docking clause) is included.
- Clause 9(a) — Option 2 (general written authorisation, 30-day notice) applies.
- Clause 11(a) — independent dispute-resolution body is not selected.
- Clause 17 — governing law is the law of Germany.
- Clause 18 — competent courts are those of Düsseldorf, .
- Annex I of the SCCs is populated by reference to Annex I of this DPA.
- Annex II of the SCCs is populated by reference to Annex II of this DPA.
- Annex III of the SCCs is populated by reference to Annex III of this DPA.
A Transfer Impact Assessment summarising EasyWeek's evaluation of the laws of the destination country and any supplementary technical, contractual, or organisational measures is available on request from privacy@easyweek.io.
For UK transfers, the UK International Data Transfer Addendum to the SCCs (issued by the ICO and in force from 21 March 2022) applies. For Swiss transfers, the SCCs are read with the substitutions required by the FDPIC.
9. Data principal requests
The Service provides self-service features that allow the Customer to fulfil Data Principal Requests for access, rectification, erasure, restriction, portability, and objection. Where a Data Principal contacts EasyWeek directly, EasyWeek will forward the request to the Customer without undue delay and will not respond to the Data Principal other than to confirm receipt and route the request to the Customer.
EasyWeek will assist the Customer, taking into account the nature of the processing, by appropriate technical and organisational measures, in fulfilling the Customer's obligation to respond to Data Principal Requests under the DPDP Act 2023, Chapter IV (Sections 11–14).
10. Personal data breach
EasyWeek will notify the Customer without undue delay and in any event within seventy-two (72) hours of becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include, at a minimum, the information required by DPDP Act 2023 Sec. 8(6) to the extent known: nature of the Breach, categories and approximate number of affected Data Principals and records, likely consequences, and measures taken or proposed.
EasyWeek will take reasonable steps to contain and remediate the Breach and to provide the Customer with the information necessary for the Customer to fulfil its own notification obligations to its Supervisory Authority and to affected Data Principals.
11. DPIA and prior consultation
EasyWeek will provide the Customer with reasonable assistance with any Data Protection Impact Assessment or prior consultation that the Customer is required to carry out under the DPDP Act 2023 (including any data protection impact assessment or risk assessment obligations applicable to Significant Data Fiduciaries as notified by the Central Government under Sec. 10 of the DPDP Act 2023), to the extent that such assistance is reasonably required and the information is held by EasyWeek.
12. Audit
EasyWeek will make available to the Customer all information necessary to demonstrate compliance with this DPA, including:
- Up-to-date copies of the most relevant certifications and audit reports (such as ISO 27001 where available, SOC 2 type II reports of relevant Sub-processors).
- Written responses to a reasonable security questionnaire, once per twelve-month period, free of charge.
Where the above information is not sufficient and the Customer is required by its Supervisory Authority to carry out an on-site audit, the Customer may conduct or mandate an independent auditor to conduct an audit at the Customer's expense, on at least sixty (60) days' written notice, during business hours, no more than once per twelve-month period (unless a Personal Data Breach has occurred), under reasonable confidentiality undertakings, and without disrupting EasyWeek's business operations or the security of other customers. The scope of the audit is limited to the verification of EasyWeek's compliance with this DPA.
13. Return and deletion
Within thirty (30) days of termination of the Business Terms of Service, the Customer may export Customer Personal Data through the self-service export tools provided by the Service. After this thirty-day grace period, EasyWeek will delete or anonymise Customer Personal Data within a reasonable time and in any event within ninety (90) days, except to the extent EasyWeek is required by applicable law to retain some or all of it (in which case the retained data remains subject to the confidentiality and security obligations of this DPA).
Backups containing Customer Personal Data are overwritten on a rolling basis within the standard backup retention period and remain subject to this DPA until expiry.
14. Liability and miscellaneous
The liability of each party under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Business Terms of Service.
This DPA forms part of the Business Terms of Service. In the event of any conflict between this DPA and the Business Terms of Service in relation to the processing of Customer Personal Data, this DPA prevails. In the event of any conflict between this DPA and the SCCs, the SCCs prevail.
This DPA is governed by the laws of the Federal Republic of Germany. The courts of Düsseldorf, , have exclusive jurisdiction, without prejudice to mandatory protections of Data Principals under their habitual residence.
Annex I – Description of processing
Subject matter: The processing necessary to provide the EasyWeek Business Service to the Customer.
Duration: For the term of the Business Terms of Service and any post-termination retention period required to perform Section 13.
Nature and purpose of processing: Hosting, storage, retrieval, organisation, modification, transmission, deletion, anonymisation, statistical analysis, and other processing operations necessary to deliver online booking, customer relationship management, finance and invoicing, marketing automation, website building, reminders and notifications, marketplace listing, AI-assisted features, and ancillary functions.
Categories of Data Principals
- The Customer's end customers and prospective customers
- The Customer's employees, freelancers, contractors, and other authorised users
- Visitors to the Customer's online booking pages and embedded widgets
- Senders and recipients of communications routed through the Service
Categories of Personal Data
- Identification data (name, photo, gender)
- Contact data (email, phone, address)
- Account credentials of the Customer's authorised users
- Booking and appointment history
- Notes, files, photos, documents uploaded by the Customer
- Loyalty programme data, gift card balances, customer segments
- Communication content (SMS, WhatsApp, email body, push notification body, in-app chat)
- Financial data (invoice records, payment status, last 4 digits of payment cards — full card data is processed directly by Stripe and not stored by EasyWeek)
- Technical data (IP address, device identifier, browser, language, timestamps)
- Where the Customer chooses to record them: health-related notes (in beauty, wellness, medical, or dental contexts). The Customer is responsible for ensuring it has a valid lawful basis under the DPDP Act 2023 before recording such data.
Frequency of transfers: Continuous.
Cross-border data transfers: Transfers of personal data of Indian data principals outside India are subject to any restrictions notified by the Central Government under DPDP Act 2023, Section 16. Where EasyWeek transfers such personal data to sub-processors or infrastructure located outside India, such transfers are conducted in accordance with applicable Central Government notifications issued under Section 16 of the DPDP Act 2023. Customers operating in India are encouraged to review their own obligations under Section 16 and contact EasyWeek if specific data-residency arrangements are required.
Retention: Customer Personal Data is retained for as long as the Customer instructs and as further described in Section 13.
Annex II – Technical and Organisational Measures
EasyWeek implements at least the following measures, which it may update from time to time provided the level of protection is not reduced:
- Pseudonymisation and encryption — TLS 1.3 for data in transit on public networks; AES-256 for data at rest (database storage, object storage, backups); per-tenant encryption keys for sensitive fields where applicable.
- Confidentiality — role-based access control with least-privilege, multi-factor authentication required for all administrative access, automatic session timeout, IP-based access controls for production systems, written confidentiality obligations for all personnel.
- Integrity — change management, code review, automated dependency scanning, signed deployment artefacts, integrity checks on backups.
- Availability and resilience — production hosting in Hetzner data centres in Germany with redundant power and network, Kubernetes orchestration with auto-recovery, daily backups with cross-zone replication, documented disaster-recovery plan with annual tabletop exercises, status page at status.easyweek.io.
- Restoration — backup retention sufficient to restore service following a physical or technical incident; quarterly restore tests.
- Testing and evaluation — annual third-party penetration test of the production environment, continuous static and dynamic application security testing in CI/CD, vulnerability management process with defined remediation SLAs.
- Network segregation — production, staging, and development environments are logically and physically separated; admin access via bastion hosts only.
- Logging and monitoring — centralised audit logs for authentication, authorisation, configuration changes, and data export events, retained for at least one year; security information and event monitoring with alerting on anomalies.
- Secure development — SDLC with threat modelling, peer review, secret scanning, licence compliance, and OWASP-aligned coding standards.
- Supplier management — written contracts with all Sub-processors imposing equivalent obligations; periodic review.
- Personnel security — background checks where lawful; security awareness and data-protection training on hire and annually thereafter.
- Incident management — 24/7 on-call rotation; documented incident response playbook; breach notification within 72 hours per Section 10.
- Physical security — physical access to processing facilities is controlled by the Sub-processor operating the facility (Hetzner, Google Cloud) under ISO 27001 / SOC 2 certified controls.
Annex III – Approved Sub-processors
The current list of EasyWeek Sub-processors is published and maintained at /business/subprocessors. The list at that URL is hereby incorporated by reference into this DPA and Annex III.



