Data Processing Addendum

Last updated: 2026-04-19

This Data Processing Addendum ("DPA") is incorporated by reference into the Service Agreement between Uxtra Creatives ("Processor") and the Client ("Controller"). Capitalized terms have the meaning given in the Service Agreement or the GDPR.

1. Scope & roles

The Controller determines the purposes and means of processing end-customer personal data collected via the EverBooking platform. The Processor processes such data solely on behalf of the Controller to provide the Service.

2. Categories of data

  • Identifiers: name, email, phone number, timezone
  • Booking context: service selected, time slot, custom fields, notes
  • Technical: IP address, user agent (for security / rate limiting)

3. Categories of data subjects

  • Controller's customers who book via the widget
  • Controller's staff users authenticated to the admin dashboard

4. Processing activities

  • Storage of bookings, services, staff, calendar configurations
  • Two-way sync with Controller's Google Calendar
  • Delivery of confirmation, reminder, and cancellation emails
  • Optional SMS delivery via Twilio (if enabled on plan)
  • Audit logging of administrative actions

5. Duration

Processor retains personal data for the duration of the Service Agreement plus 30 days for export, after which data is permanently deleted except where retention is required by law (e.g. billing records retained for 7 years).

6. Sub-processors

Processor engages the following sub-processors:

  Sub-processor               | Purpose                        | Location
  ----------------------------|--------------------------------|-------------
  Google LLC                  | Calendar sync & OAuth          | US / EU
  Postmark (ActiveCampaign)   | Transactional email            | US
  Twilio                      | SMS delivery                   | US
  Stripe                      | Payment processing (opt-in)    | US / EU
  Cloudflare                  | DNS, CDN, DDoS mitigation      | Global edge

Processor provides 30 days' notice of new sub-processors; Controller may object in writing to [email protected].

7. International transfers

Where personal data is transferred outside the EEA/UK, Processor relies on Standard Contractual Clauses (Module 3 where applicable) and, for US sub-processors, the EU-US Data Privacy Framework where the sub-processor is self-certified.

8. Technical & organizational measures

  • TLS 1.2+ for all transport
  • AES-256-GCM encryption at rest for OAuth tokens and webhook secrets
  • API keys hashed (SHA-256 with server-side pepper)
  • Least-privilege database access via parameterized ORM
  • Tenant isolation enforced at the query layer by clientId
  • Audit logs retained for 12 months covering all admin actions
  • Automated daily encrypted backups with 30-day retention
  • Security incident runbook with 72-hour breach notification SLA
  • Annual third-party penetration test (on Enterprise)

9. Data subject requests

Processor assists Controller with responses to access, rectification, deletion, and portability requests. Export and erasure endpoints are available from the super-admin panel (for the platform operator) and via email request (for Controllers).

10. Audit rights

Controller may audit Processor's compliance once per year with 30 days' notice, or more frequently in the event of a security incident. Processor may provide audit reports from an independent third party in lieu of an on-site audit.

11. Breach notification

Processor notifies Controller of any personal data breach affecting Controller's data without undue delay and in any event within 72 hours of becoming aware.

12. Return or deletion

On termination, Processor returns or deletes all personal data within 60 days, except where retention is required by law.

To execute a countersigned copy of this DPA, email [email protected].