Data Processing Addendum (DPA)
Effective Date: February 2, 2026
This Data Processing Addendum ("DPA") applies when Appointment.com, LLC processes personal data on behalf of a Customer in connection with the Service.
1. Roles and Scope
The Parties: The Customer is the "Controller" (or business) and Appointment is the "Processor" / "Service Provider."
The Data: This DPA covers personal data processed to provide the Service (for example, Invitee names, emails, and booking details).
2. Data Protection Compliance (GDPR / CCPA / UCPA)
2.1 Instructions
Appointment will process personal data only on documented instructions from the Customer (including these terms and the normal operation of the Service).
2.2 Service Provider Status
Appointment does not sell or share personal data, and will not retain, use, or disclose personal data for any purpose other than providing the Service.
2.3 Sensitive Data
Customer agrees not to use the Service to collect Sensitive Data (such as Social Security numbers, health records, etc.) unless agreed in a separate written agreement (for example, a BAA).
3. Security and Audits
3.1 Technical measures
Appointment will implement commercially reasonable technical and organizational measures (for example, encryption at rest, TLS in transit, and MFA for staff).
3.2 Breach notification
Appointment will notify the Customer without undue delay (and in no event later than 72 hours) after becoming aware of a personal data breach affecting the Customer's data.
3.3 Audit rights
Once per year, upon written request, Appointment will provide a summary of its most recent security audit or SOC 2 report (if applicable), to demonstrate compliance.
4. Sub-processors
General authorization: Customer provides general authorization for Appointment to use sub-processors (for example, hosting and email providers).
Change notification: Appointment will maintain an online list of sub-processors and provide 30 days' notice before adding a new sub-processor, allowing the Customer to object on reasonable privacy grounds.
5. Data Subject Rights (Invitee Requests)
If an Invitee contacts Appointment directly to request access or deletion, Appointment will redirect the request to the Customer. Appointment will provide the Customer with tools necessary to fulfill these requests within the app when available.