Data Processing Addendum

This Data Processing Addendum (DPA) applies to the extent BookedOnCall processes Customer Personal Data on behalf of a customer in connection with the Service and applicable data protection law requires such terms.

This DPA forms part of the applicable customer agreement with BookedOnCall, including the Terms of Service or any order form, statement of work, or other written commercial agreement. If there is a conflict between this DPA and the underlying agreement with respect to data protection matters, this DPA controls to that extent.

As between the parties, the customer acts as the controller or business for Customer Personal Data processed through the Service, and BookedOnCall acts as a processor or service provider solely on the customer's behalf, except to the extent BookedOnCall acts as an independent controller for account management, billing, security, fraud prevention, legal compliance, or other processing that is outside the scope of customer instructions.

Subject matter: AI-assisted call handling, call routing, summaries, scheduling support, messaging workflows, account support, and related service operations.

Duration: For the term of the customer's use of the Service, plus any limited retention period required for backups, legal compliance, security, or dispute resolution.

Nature and purpose: Receiving, storing, organizing, redacting, transmitting, analyzing, and otherwise processing data needed to provide the Service and support the customer's configured workflows.

Categories of data subjects: Customer personnel, callers, leads, customers, prospects, vendors, and other individuals whose data the customer submits or routes through the Service.

Categories of personal data: Contact details, call metadata, caller intake details, service addresses, job descriptions, communication content, transcripts, summaries, recordings if enabled, integration identifiers, and related workflow records.

BookedOnCall will process Customer Personal Data only on the customer's documented instructions, including the customer's configuration of the Service, support requests, written directions, and the underlying agreement, unless otherwise required by applicable law. If BookedOnCall believes an instruction violates applicable law, BookedOnCall may notify the customer and suspend the affected processing.

The customer is responsible for ensuring that its instructions, configuration, notices, consents, and use of the Service comply with applicable data protection law.

BookedOnCall will ensure that personnel authorized to process Customer Personal Data are subject to confidentiality obligations and receive appropriate access limitations for the role they perform.

BookedOnCall will implement and maintain reasonable administrative, technical, and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure.

Those measures are designed to include, as appropriate to the service and risk:

• access controls and least-privilege practices,
• authentication and credential management,
• encryption in transit and other network protections where appropriate,
• service logging, monitoring, and incident investigation support,
• backup and recovery controls appropriate to the platform, and
• change-management and vendor management processes appropriate to the service.

BookedOnCall will notify the customer without undue delay after becoming aware of a confirmed security incident involving Customer Personal Data processed under this DPA. BookedOnCall may provide information in phases as it becomes available and will take reasonable steps to investigate, contain, and mitigate the incident.

The customer authorizes BookedOnCall to use subprocessors that are reasonably required to operate the Service, including providers for hosting, storage, authentication, communications, AI processing, payments, analytics, and customer-authorized integrations.

BookedOnCall will remain responsible for the performance of its subprocessors to the extent required by applicable law and will impose data protection obligations on subprocessors that are materially protective of Customer Personal Data.

Taking into account the nature of processing and the information available to BookedOnCall, BookedOnCall will provide commercially reasonable assistance to help the customer respond to data subject requests, regulator inquiries, security reviews, and other controller obligations under applicable data protection law.

Where the request requires substantial time or expense beyond standard support, BookedOnCall may charge reasonable fees for that assistance.

Upon termination or expiration of the Service, BookedOnCall will delete or return Customer Personal Data in its possession or control, unless retention is required by law, necessary for security or audit purposes, or maintained in backups and archives subject to ordinary retention and access controls.

Upon reasonable written request, BookedOnCall will make available information reasonably necessary to demonstrate compliance with this DPA. If that information is insufficient, the parties may cooperate on a reasonable audit process that is limited in scope, scheduled in advance, and subject to confidentiality, security, and operational safeguards.

If Customer Personal Data is transferred across borders in circumstances where applicable law requires a transfer mechanism, the parties will cooperate in good faith to implement an appropriate mechanism and reasonable supplementary measures where needed.

Liability under this DPA is subject to the liability limitations and exclusions in the underlying agreement, unless applicable law requires otherwise. This DPA supplements, and does not replace, any broader confidentiality, security, or commercial terms in the underlying agreement.

DPA questions, diligence requests, and processor-related inquiries can be sent to bookedoncall@bookedoncall.com.