[{"data":1,"prerenderedAt":549},["ShallowReactive",2],{"og-image-business-dpa":3,"social-meta-business-dpa":4,"pricing-plan-EUR":5,"page-business,dpa":6},"",[],{},{"id":7,"title":8,"body":9,"description":539,"extension":540,"meta":541,"navigation":544,"path":545,"seo":546,"stem":547,"__hash__":548},"content/eswk.co.uk/business/dpa.md","Data Processing Addendum (DPA) – EasyWeek",{"type":10,"value":11,"toc":519},"minimark",[12,19],[13,14],"blog-header",{":bullet_points":15,"description":16,"headline":17,"tag":18},"[{\"text\":\"1. Definitions\",\"href\":\"#_1-definitions\"},{\"text\":\"2. Roles\",\"href\":\"#_2-roles\"},{\"text\":\"3. Subject matter, duration, purpose\",\"href\":\"#_3-subject-matter-duration-purpose\"},{\"text\":\"4. Customer instructions\",\"href\":\"#_4-customer-instructions\"},{\"text\":\"5. Confidentiality\",\"href\":\"#_5-confidentiality\"},{\"text\":\"6. Security (TOMs)\",\"href\":\"#_6-security-toms\"},{\"text\":\"7. Sub-processors\",\"href\":\"#_7-sub-processors\"},{\"text\":\"8. International transfers\",\"href\":\"#_8-international-transfers\"},{\"text\":\"9. Data subject requests\",\"href\":\"#_9-data-subject-requests\"},{\"text\":\"10. Personal data breach\",\"href\":\"#_10-personal-data-breach\"},{\"text\":\"11. DPIA and prior consultation\",\"href\":\"#_11-dpia-and-prior-consultation\"},{\"text\":\"12. Audit\",\"href\":\"#_12-audit\"},{\"text\":\"13. Return and deletion\",\"href\":\"#_13-return-and-deletion\"},{\"text\":\"14. Liability and miscellaneous\",\"href\":\"#_14-liability-and-miscellaneous\"},{\"text\":\"Annex I – Description of processing\",\"href\":\"#annex-i-description-of-processing\"},{\"text\":\"Annex II – Technical and organisational measures\",\"href\":\"#annex-ii-technical-and-organisational-measures\"},{\"text\":\"Annex III – Approved sub-processors\",\"href\":\"#annex-iii-approved-sub-processors\"}]","This Data Processing Addendum (\"DPA\") forms part of the Business Terms of Service between EasyWeek GmbH and the business customer (\"Customer\") and governs the processing of Customer Personal Data by EasyWeek on the Customer's behalf in connection with the EasyWeek Business Service.","Data Processing Addendum","h1",[20,21,22,29,43,48,51,103,107,110,118,122,129,132,136,139,142,146,149,153,160,164,174,177,180,184,187,250,255,258,262,265,268,272,275,284,288,291,295,298,306,309,313,316,319,323,326,329,332,336,342,348,354,359,373,378,410,416,422,426,429,509,513],"blog-content",{},[23,24,25],"p",{},[26,27,28],"em",{},"Last updated: 15 May 2026",[23,30,31,32,37,38,42],{},"This DPA is incorporated by reference into the ",[33,34,36],"a",{"href":35},"/business/terms-and-policies","Business Terms of Service"," and becomes effective when the Customer accepts the Business Terms of Service or first uses the Service after the date above, whichever is earlier. The Customer that requires a counter-signed copy of this DPA on company letterhead may request one by writing to ",[33,39,41],{"href":40},"mailto:privacy@easyweek.io","privacy@easyweek.io",". EasyWeek will counter-sign without changes to the substance of this template.",[44,45,47],"h2",{"id":46},"_1-definitions","1. Definitions",[23,49,50],{},"Terms capitalised but not defined in this DPA have the meaning given in the Business Terms of Service or in the UK GDPR. In particular:",[52,53,54,63,91,97],"ul",{},[55,56,57,58,62],"li",{},"\"",[59,60,61],"strong",{},"UK GDPR","\" — the EU General Data Protection Regulation (Regulation (EU) 2016/679) as retained in UK law by the European Union (Withdrawal) Act 2018, read together with the Data Protection Act 2018 and, where applicable, the Swiss FADP with the necessary substitutions.",[55,64,57,65,68,69,68,72,68,75,68,78,68,81,68,84,68,87,90],{},[59,66,67],{},"Controller","\", \"",[59,70,71],{},"Processor",[59,73,74],{},"Data Subject",[59,76,77],{},"Personal Data",[59,79,80],{},"Personal Data Breach",[59,82,83],{},"Processing",[59,85,86],{},"Sub-processor",[59,88,89],{},"Supervisory Authority","\" — as defined in UK GDPR Art. 4.",[55,92,57,93,96],{},[59,94,95],{},"Customer Personal Data","\" — Personal Data that the Customer or its authorised users submit to or generate through the Service and which is processed by EasyWeek on the Customer's behalf.",[55,98,57,99,102],{},[59,100,101],{},"IDTA / UK Addendum","\" — the International Data Transfer Agreement (IDTA) issued by the UK Information Commissioner's Office, or the UK Addendum to the EU Standard Contractual Clauses approved by the UK Secretary of State on 21 March 2022, each constituting an appropriate safeguard for transfers of personal data from the United Kingdom to third countries under UK GDPR Art. 46.",[44,104,106],{"id":105},"_2-roles","2. Roles",[23,108,109],{},"The Customer is the Controller of Customer Personal Data. EasyWeek is the Processor and processes Customer Personal Data only on documented instructions from the Customer and in accordance with this DPA, the Business Terms of Service, and applicable law.",[23,111,112,113,117],{},"The parties acknowledge that EasyWeek is the Controller for limited categories of personal data that EasyWeek processes for its own purposes — for example, account credentials of authorised users, billing data, and usage telemetry of the Service. That processing is governed by the ",[33,114,116],{"href":115},"/business/privacy","Business Privacy Policy",", not this DPA.",[44,119,121],{"id":120},"_3-subject-matter-duration-purpose","3. Subject matter, duration, purpose",[23,123,124,125,128],{},"The subject matter, nature, purpose, duration, categories of Personal Data, and categories of Data Subjects are described in ",[59,126,127],{},"Annex I",".",[23,130,131],{},"The DPA is effective for as long as EasyWeek processes Customer Personal Data on behalf of the Customer and survives termination of the Business Terms of Service for as long as is necessary to comply with Section 13.",[44,133,135],{"id":134},"_4-customer-instructions","4. Customer instructions",[23,137,138],{},"The Service itself, the configuration applied by the Customer through the Service's user interface and API, the Business Terms of Service, and this DPA constitute the Customer's complete and final documented instructions to EasyWeek regarding the processing of Customer Personal Data. Any additional or different instructions require written agreement and may incur additional fees.",[23,140,141],{},"EasyWeek will inform the Customer without undue delay if, in its opinion, an instruction infringes the UK GDPR (Regulation (EU) 2016/679 as retained in UK law via the European Union (Withdrawal) Act 2018), the Data Protection Act 2018, or another applicable United Kingdom data-protection provision, and may suspend the disputed instruction pending the Customer's written confirmation.",[44,143,145],{"id":144},"_5-confidentiality","5. Confidentiality",[23,147,148],{},"EasyWeek ensures that personnel authorised to process Customer Personal Data have committed themselves to confidentiality (or are under an appropriate statutory obligation of confidentiality) and are bound by access controls and least-privilege principles. Access to Customer Personal Data is limited to personnel who need it to operate or improve the Service.",[44,150,152],{"id":151},"_6-security-toms","6. Security (TOMs)",[23,154,155,156,159],{},"EasyWeek implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as set out in ",[59,157,158],{},"Annex II",". EasyWeek may update its TOMs over time so long as the level of protection is not reduced.",[44,161,163],{"id":162},"_7-sub-processors","7. Sub-processors",[23,165,166,167,170,171,128],{},"The Customer hereby grants EasyWeek a general written authorisation to engage Sub-processors. The list of approved Sub-processors as of the date of this DPA is set out in ",[59,168,169],{},"Annex III"," and maintained at ",[33,172,173],{"href":173},"/business/subprocessors",[23,175,176],{},"EasyWeek will notify the Customer at least thirty (30) days in advance of any intended addition or replacement of Sub-processors, through the in-app notification centre and, where the Customer has subscribed, by email. The Customer may object on reasonable, documented data-protection grounds within thirty (30) days of the notice. If the parties cannot agree on a resolution, the Customer may terminate the Business Terms of Service with respect to the portion of the Service that requires the disputed Sub-processor, with a pro-rata refund of pre-paid fees for the remaining term.",[23,178,179],{},"EasyWeek imposes data-protection obligations on each Sub-processor by written contract that are no less protective than those set out in this DPA. EasyWeek remains fully liable to the Customer for the performance of its Sub-processors' obligations.",[44,181,183],{"id":182},"_8-international-transfers","8. International transfers",[23,185,186],{},"Customer Personal Data is primarily processed in the European Economic Area. Where Customer Personal Data is transferred to a country outside the EEA without an adequacy decision of the European Commission, the SCCs apply with the following selections:",[52,188,189,195,201,207,213,223,229,235,240,245],{},[55,190,191,194],{},[59,192,193],{},"Module Two"," (Controller to Processor) is incorporated by reference for transfers from the Customer (or its UK controller) to EasyWeek where EasyWeek processes Customer Personal Data in a third country.",[55,196,197,200],{},[59,198,199],{},"Module Three"," (Processor to Processor) is incorporated by reference for onward transfers from EasyWeek to Sub-processors in a third country.",[55,202,203,206],{},[59,204,205],{},"Clause 7"," (Docking clause) is included.",[55,208,209,212],{},[59,210,211],{},"Clause 9(a)"," — Option 2 (general written authorisation, 30-day notice) applies.",[55,214,215,218,219,222],{},[59,216,217],{},"Clause 11(a)"," — independent dispute-resolution body is ",[59,220,221],{},"not"," selected.",[55,224,225,228],{},[59,226,227],{},"Clause 17"," — governing law is the law of Germany.",[55,230,231,234],{},[59,232,233],{},"Clause 18"," — competent courts are those of Düsseldorf, Germany.",[55,236,237,239],{},[59,238,127],{}," of the SCCs is populated by reference to Annex I of this DPA.",[55,241,242,244],{},[59,243,158],{}," of the SCCs is populated by reference to Annex II of this DPA.",[55,246,247,249],{},[59,248,169],{}," of the SCCs is populated by reference to Annex III of this DPA.",[23,251,252,253,128],{},"A Transfer Impact Assessment summarising EasyWeek's evaluation of the laws of the destination country and any supplementary technical, contractual, or organisational measures is available on request from ",[33,254,41],{"href":40},[23,256,257],{},"For UK transfers, the UK International Data Transfer Addendum to the SCCs (issued by the ICO and in force from 21 March 2022) applies. Please note that, following the United Kingdom's departure from the European Union, the United Kingdom is treated as a third country for the purposes of EU data transfers under the EU SCCs framework. For Swiss transfers, the SCCs are read with the substitutions required by the FDPIC.",[44,259,261],{"id":260},"_9-data-subject-requests","9. Data subject requests",[23,263,264],{},"The Service provides self-service features that allow the Customer to fulfil Data Subject Requests for access, rectification, erasure, restriction, portability, and objection. Where a Data Subject contacts EasyWeek directly, EasyWeek will forward the request to the Customer without undue delay and will not respond to the Data Subject other than to confirm receipt and route the request to the Customer.",[23,266,267],{},"EasyWeek will assist the Customer, taking into account the nature of the processing, by appropriate technical and organisational measures, in fulfilling the Customer's obligation to respond to Data Subject Requests under UK GDPR Art. 12 to 22 (as retained in UK law via the European Union (Withdrawal) Act 2018) and the Data Protection Act 2018.",[44,269,271],{"id":270},"_10-personal-data-breach","10. Personal data breach",[23,273,274],{},"EasyWeek will notify the Customer without undue delay and in any event within seventy-two (72) hours of becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include, at a minimum, the information required by UK GDPR Art. 33(3) (as retained in UK law via the European Union (Withdrawal) Act 2018) to the extent known: nature of the Breach, categories and approximate number of affected Data Subjects and records, likely consequences, and measures taken or proposed.",[23,276,277,278,283],{},"EasyWeek will take reasonable steps to contain and remediate the Breach and to provide the Customer with the information necessary for the Customer to fulfil its own notification obligations to the Information Commissioner's Office (ICO) (",[33,279,280],{"href":280,"rel":281},"https://ico.org.uk/",[282],"nofollow",") and to affected Data Subjects.",[44,285,287],{"id":286},"_11-dpia-and-prior-consultation","11. DPIA and prior consultation",[23,289,290],{},"EasyWeek will provide the Customer with reasonable assistance with any Data Protection Impact Assessment or prior consultation that the Customer is required to carry out under UK GDPR (Regulation (EU) 2016/679 as retained in UK law via the European Union (Withdrawal) Act 2018) Art. 35 or 36, to the extent that such assistance is reasonably required and the information is held by EasyWeek.",[44,292,294],{"id":293},"_12-audit","12. Audit",[23,296,297],{},"EasyWeek will make available to the Customer all information necessary to demonstrate compliance with this DPA, including:",[52,299,300,303],{},[55,301,302],{},"Up-to-date copies of the most relevant certifications and audit reports (such as ISO 27001 where available, SOC 2 type II reports of relevant Sub-processors).",[55,304,305],{},"Written responses to a reasonable security questionnaire, once per twelve-month period, free of charge.",[23,307,308],{},"Where the above information is not sufficient and the Customer is required by its Supervisory Authority to carry out an on-site audit, the Customer may conduct or mandate an independent auditor to conduct an audit at the Customer's expense, on at least sixty (60) days' written notice, during business hours, no more than once per twelve-month period (unless a Personal Data Breach has occurred), under reasonable confidentiality undertakings, and without disrupting EasyWeek's business operations or the security of other customers. The scope of the audit is limited to the verification of EasyWeek's compliance with this DPA.",[44,310,312],{"id":311},"_13-return-and-deletion","13. Return and deletion",[23,314,315],{},"Within thirty (30) days of termination of the Business Terms of Service, the Customer may export Customer Personal Data through the self-service export tools provided by the Service. After this thirty-day grace period, EasyWeek will delete or anonymise Customer Personal Data within a reasonable time and in any event within ninety (90) days, except to the extent EasyWeek is required by applicable UK law (including the UK GDPR and the Data Protection Act 2018) to retain some or all of it (in which case the retained data remains subject to the confidentiality and security obligations of this DPA).",[23,317,318],{},"Backups containing Customer Personal Data are overwritten on a rolling basis within the standard backup retention period and remain subject to this DPA until expiry.",[44,320,322],{"id":321},"_14-liability-and-miscellaneous","14. Liability and miscellaneous",[23,324,325],{},"The liability of each party under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Business Terms of Service.",[23,327,328],{},"This DPA forms part of the Business Terms of Service. In the event of any conflict between this DPA and the Business Terms of Service in relation to the processing of Customer Personal Data, this DPA prevails. In the event of any conflict between this DPA and the SCCs, the SCCs prevail.",[23,330,331],{},"This DPA is governed by the laws of the Federal Republic of Germany. The courts of Düsseldorf, Germany, have exclusive jurisdiction, without prejudice to mandatory protections of Data Subjects under their habitual residence.",[44,333,335],{"id":334},"annex-i-description-of-processing","Annex I – Description of processing",[23,337,338,341],{},[59,339,340],{},"Subject matter","\nThe processing necessary to provide the EasyWeek Business Service to the Customer.",[23,343,344,347],{},[59,345,346],{},"Duration","\nFor the term of the Business Terms of Service and any post-termination retention period required to perform Section 13.",[23,349,350,353],{},[59,351,352],{},"Nature and purpose of processing","\nHosting, storage, retrieval, organisation, modification, transmission, deletion, anonymisation, statistical analysis, and other processing operations necessary to deliver online booking, customer relationship management, finance and invoicing, marketing automation, website building, reminders and notifications, marketplace listing, AI-assisted features, and ancillary functions.",[23,355,356],{},[59,357,358],{},"Categories of Data Subjects",[52,360,361,364,367,370],{},[55,362,363],{},"The Customer's end customers and prospective customers",[55,365,366],{},"The Customer's employees, freelancers, contractors, and other authorised users",[55,368,369],{},"Visitors to the Customer's online booking pages and embedded widgets",[55,371,372],{},"Senders and recipients of communications routed through the Service",[23,374,375],{},[59,376,377],{},"Categories of Personal Data",[52,379,380,383,386,389,392,395,398,401,404,407],{},[55,381,382],{},"Identification data (name, photo, gender)",[55,384,385],{},"Contact data (email, phone, address)",[55,387,388],{},"Account credentials of the Customer's authorised users",[55,390,391],{},"Booking and appointment history",[55,393,394],{},"Notes, files, photos, documents uploaded by the Customer",[55,396,397],{},"Loyalty programme data, gift card balances, customer segments",[55,399,400],{},"Communication content (SMS, WhatsApp, email body, push notification body, in-app chat)",[55,402,403],{},"Financial data (invoice records, payment status, last 4 digits of payment cards — full card data is processed directly by Stripe and not stored by EasyWeek)",[55,405,406],{},"Technical data (IP address, device identifier, browser, language, timestamps)",[55,408,409],{},"Where the Customer chooses to record them: health-related notes (in beauty, wellness, medical, or dental contexts). The Customer is responsible for ensuring it has a valid lawful basis under UK GDPR Art. 9 and the Data Protection Act 2018 before recording such data.",[23,411,412,415],{},[59,413,414],{},"Frequency of transfers"," Continuous.",[23,417,418,421],{},[59,419,420],{},"Retention"," Customer Personal Data is retained for as long as the Customer instructs and as further described in Section 13.",[44,423,425],{"id":424},"annex-ii-technical-and-organisational-measures","Annex II – Technical and organisational measures",[23,427,428],{},"EasyWeek implements at least the following measures, which it may update from time to time provided the level of protection is not reduced:",[52,430,431,437,443,449,455,461,467,473,479,485,491,497,503],{},[55,432,433,436],{},[59,434,435],{},"Pseudonymisation and encryption"," — TLS 1.3 for data in transit on public networks; AES-256 for data at rest (database storage, object storage, backups); per-tenant encryption keys for sensitive fields where applicable.",[55,438,439,442],{},[59,440,441],{},"Confidentiality"," — role-based access control with least-privilege, multi-factor authentication required for all administrative access, automatic session timeout, IP-based access controls for production systems, written confidentiality obligations for all personnel.",[55,444,445,448],{},[59,446,447],{},"Integrity"," — change management, code review, automated dependency scanning, signed deployment artefacts, integrity checks on backups.",[55,450,451,454],{},[59,452,453],{},"Availability and resilience"," — production hosting in Hetzner data centres in Germany with redundant power and network, Kubernetes orchestration with auto-recovery, daily backups with cross-zone replication, documented disaster-recovery plan with annual tabletop exercises, status page at status.easyweek.io.",[55,456,457,460],{},[59,458,459],{},"Restoration"," — backup retention sufficient to restore service following a physical or technical incident; quarterly restore tests.",[55,462,463,466],{},[59,464,465],{},"Testing and evaluation"," — annual third-party penetration test of the production environment, continuous static and dynamic application security testing in CI/CD, vulnerability management process with defined remediation SLAs.",[55,468,469,472],{},[59,470,471],{},"Network segregation"," — production, staging, and development environments are logically and physically separated; admin access via bastion hosts only.",[55,474,475,478],{},[59,476,477],{},"Logging and monitoring"," — centralised audit logs for authentication, authorisation, configuration changes, and data export events, retained for at least one year; security information and event monitoring with alerting on anomalies.",[55,480,481,484],{},[59,482,483],{},"Secure development"," — SDLC with threat modelling, peer review, secret scanning, licence compliance, and OWASP-aligned coding standards.",[55,486,487,490],{},[59,488,489],{},"Supplier management"," — written contracts with all Sub-processors imposing equivalent obligations; periodic review.",[55,492,493,496],{},[59,494,495],{},"Personnel security"," — background checks where lawful; security awareness and data-protection training on hire and annually thereafter.",[55,498,499,502],{},[59,500,501],{},"Incident management"," — 24/7 on-call rotation; documented incident response playbook; breach notification within 72 hours per Section 10.",[55,504,505,508],{},[59,506,507],{},"Physical security"," — physical access to processing facilities is controlled by the Sub-processor operating the facility (Hetzner, Google Cloud) under ISO 27001 / SOC 2 certified controls.",[44,510,512],{"id":511},"annex-iii-approved-sub-processors","Annex III – Approved sub-processors",[23,514,515,516,518],{},"The current list of EasyWeek Sub-processors is published and maintained at ",[33,517,173],{"href":173},". The list at that URL is hereby incorporated by reference into this DPA and Annex III.",{"title":3,"searchDepth":520,"depth":520,"links":521},2,[522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538],{"id":46,"depth":520,"text":47},{"id":105,"depth":520,"text":106},{"id":120,"depth":520,"text":121},{"id":134,"depth":520,"text":135},{"id":144,"depth":520,"text":145},{"id":151,"depth":520,"text":152},{"id":162,"depth":520,"text":163},{"id":182,"depth":520,"text":183},{"id":260,"depth":520,"text":261},{"id":270,"depth":520,"text":271},{"id":286,"depth":520,"text":287},{"id":293,"depth":520,"text":294},{"id":311,"depth":520,"text":312},{"id":321,"depth":520,"text":322},{"id":334,"depth":520,"text":335},{"id":424,"depth":520,"text":425},{"id":511,"depth":520,"text":512},"EasyWeek Data Processing Addendum under UK GDPR Article 28: roles, instructions, sub-processors, TOMs, international transfers, breach notification, audit, and termination.","md",{"layout":542,"meta_keywords":543,"cover_text":17},"business","data processing addendum, DPA, UK GDPR Article 28, processor, controller, SCCs, EasyWeek",true,"/eswk.co.uk/business/dpa",{"title":8,"description":539},"eswk.co.uk/business/dpa","bAYiEUOJeX4Yy26k0N48-Jzyp-6BYPa7YjlDOAibp1I",1779354974110]