Data Processing Agreement (DPA)

Last Updated: 09/01/2026

Note: This DPA applies to clients who signed up on or after 29/01/2026. If you signed up before this date, please refer to the previous version of the DPA.

This Data Processing Agreement ("DPA") forms part of the Terms & Conditions ("Agreement") between:

  • Client (referred to as "Controller"); and
  • BookedSolid Ltd, registered in the United Kingdom with company number 16019450, (referred to as "Processor" or "BookedSolid").

1. Definitions

Capitalised terms used in this DPA have the meanings set out in the Agreement unless otherwise defined herein.

"Account Data" means personal data pertaining to data subjects who are employees or other natural persons given access to administration functions of the Service by the Client.

"Client" means the natural person acting in the exercise of a profession or business, or the legal entity, that enters into an Agreement with BookedSolid.

"Client Personal Data" means Personal Data that BookedSolid processes as a Processor on behalf of the Client.

"Customer" or "End-User" means the Data Subjects that are customers of the Client.

"Data Protection Laws" means the UK GDPR, the EU GDPR, and any applicable national data protection laws.

"Operational Emergency" means an unforeseeable event or circumstance that: (a) Threatens the security, availability, or integrity of Client Personal Data or the Services; (b) Requires immediate remedial action to prevent or mitigate harm, data loss, service interruption, or legal non-compliance; and (c) Makes it impracticable to provide the advance notice required under Section 6 without materially increasing the risk of harm. Operational Emergency circumstances may include, but are not limited to: (i) Security breaches, cyber-attacks, or imminent threats requiring immediate defensive measures; (ii) Critical failure, insolvency, or sudden termination of services by an existing sub-processor; (iii) Force majeure events (natural disasters, war, terrorism, pandemic, government actions) rendering existing sub-processors unable to perform.

"Personal Data" means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller.

"Processing, Processor, Controller, Data Subject, and Supervisory Authority" have the meanings given in GDPR Article 4.

"Services" means all fee-liable products and services delivered by BookedSolid, including software development, hosting, and consulting.

"Security Breach" means a breach of security leading to any accidental, unauthorised or unlawful loss, destruction, alteration, unauthorised disclosure of, or access to Client Personal Data transmitted, stored or otherwise processed by BookedSolid. A Security Breach shall not include an unsuccessful attempt or activity that does not compromise the security of Client Personal Data, including (without limitation) pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing or similar incidents.

2. Subject Matter

This DPA governs BookedSolid's processing of Personal Data on behalf of the Client for the purpose of providing the services described in the Agreement.

3. Duration

This DPA remains in effect for as long as BookedSolid processes Personal Data on behalf of the Client under the Agreement.

4. Nature and Purpose of Processing

Purpose: To provide AI-powered booking and customer interaction tools via phone calls and text-based channels, as well as administration of Service.

Nature: Storage, transmission, analysis, and organisation of user (data subject) interaction data.

Types of Data: Names, contact information, appointment data, voice messages, text messages, metadata within Client Personal Data.

Categories of Data Subjects: Customers of the Client, including adults, children and other potentially vulnerable groups.

Retention timeframe: See Section 10 below.

Both parties recognise that this data constitutes Special Category data under GDPR, given that it relates to the health data of Data Subjects.

Legal basis for processing:

  • UK/EU/EEA: The Client/Controller represents and warrants that it has a valid legal basis of GDPR Article 9(2)(h) in the form of the provision of health care and the management of health care systems or services in a context where health data is under the care of a professional subject to the obligation of professional secrecy under rules established by national competent bodies.
  • Australia: The Client represents and warrants that it has a valid legal basis under Section 16B and APP 6.1 of the Privacy Act 1988 allowing collection and use of health information necessary to provide a health service.
  • New Zealand: The Client represents and warrants that it has a valid legal basis under rules 10, 11 and 12 of the Health Information Privacy Code 2020.

5. Client/Controller Obligations

The Client shall:

  • be responsible for ensuring that: (a) all such notices have been given, and all such authorisations have been obtained, as required under Data Protection Laws, for BookedSolid and its Sub-processors to process Client Personal Data as contemplated by the Agreement and this DPA; (b) it has complied, and will continue to comply, with all applicable laws relating to privacy and data protection, including the Data Protection Laws; and (c) it has, and will continue to have, the right to transfer, or provide access to, Client Personal Data to BookedSolid for processing in accordance with the terms of the Agreement and this DPA.
  • be solely responsible for its use of the Service, including (a) making appropriate use of the Service to ensure a level of security appropriate to the risk in respect of Client Personal Data; (b) securing the account authentication credentials, systems and devices Client uses to access the Service; and (c) backing up or retaining copies of Client Personal Data as may be required under applicable medical record-keeping laws and regulations.
  • inform BookedSolid within 2 days, and within its obligations under Data Protection Laws, if it suspects or knows of any Security Breach within the Service.

6. Processor Obligations

BookedSolid shall:

  • Process Personal Data only on documented instructions from the Client as defined in this Data Processing Agreement or in other written communications from authorised representatives of the Client.
  • Ensure persons authorised to process the data are under confidentiality obligations.
  • Implement appropriate technical and organisational measures to ensure data security.
  • Assist the Client in responding to data subject rights requests.
  • Notify the Client within 24 hours of detection of any personal data breach and provide on an ongoing basis such information (including data subjects and data types affected, and the relevant timeframe for the breach) and documentation as the Client may reasonably require, including to enable Client to fulfil its data breach and other reporting obligations under relevant Data Protection Laws. Such notification shall not be construed as an acknowledgement by BookedSolid of any fault or liability with respect to the Security Breach.
  • Provide Client with reasonable assistance with inputs to Data Protection Impact Assessments (DPIAs), fundamental rights impact assessments, legitimate interest assessments or prior consultations with data protection authorities that the Client is required to carry out under relevant Data Protection Laws.
  • Upon termination of services, delete or return all personal data unless otherwise required by law.

7. Sub-processors

Client grants herewith a general written authorisation for BookedSolid to engage sub-processors to support the delivery of services.

BookedSolid shall ensure sub-processors are bound by similar data protection obligations.

BookedSolid may, by giving reasonable notice to the Client, add or replace Sub-processors listed below. BookedSolid will notify Client if it intends to add or replace Sub-processors at least twenty (20) days prior to any such changes. If Client reasonably objects to the appointment of a new Sub-processor within twenty (20) days of receiving such notice, on reasonable grounds relating to the protection of the Client Personal Data, then BookedSolid will work in good faith with Client to find an alternative solution. In the event that the parties are unable to reach a mutually acceptable resolution within a reasonable time thereafter, Client is permitted to terminate the Agreement.

As of the date of this DPA, approved sub-processors, their processing purposes and their primary country locations include the following:

Sub-Processor Name   Location   Purpose                                          Transfer Legal Basis
Twilio               USA        SMS and phone communication                      UK Extension to EU-US DPF or UK IDTA
WhatsApp Business    USA        WhatsApp communication integration               UK Addendum to SCCs
Render               USA        Hosting Infrastructure                           UK Extension to EU-US DPF or UK IDTA
Google               USA        AI Processing, Data Storage and Communications   UK Extension to EU-US DPF or SCCs
OpenAI               USA        AI Processing                                    UK IDTA
Anthropic            USA        AI Processing                                    UK IDTA
Deepgram             USA        AI Processing                                    TBD
ElevenLabs           USA        AI Processing                                    UK IDTA
Stripe               USA        Payment Processing                               UK Extension to EU-US DPF or UK IDTA
MongoDB              USA        Data Storage                                     UK Extension to EU-US DPF or UK IDTA
Cloudinary           USA        Data Storage                                     UK Extension to EU-US DPF or UK IDTA
Pinecone             USA        Data Storage                                     UK Extension to EU-US DPF or UK IDTA
CloudFlare           USA        Security                                         UK Extension to EU-US DPF or UK IDTA

Notwithstanding the notice requirements above for new Sub-Processors, BookedSolid may engage a new sub-processor or replace an existing sub-processor without prior notice to Client if: (a) BookedSolid reasonably determines that an Operational Emergency exists as defined in Section 1 above; (b) The engagement is necessary to address the Operational Emergency and protect Client Personal Data or maintain service continuity; (c) BookedSolid selects a sub-processor that meets substantially equivalent security and data protection standards to those required under this DPA; and (d) BookedSolid provides notice to Client within 24 hours of doing so.

Regularisation and Client Objection Rights. (a) Within three (3) days of Operational Emergency engagement, BookedSolid shall either: (i) provide formal notice as described above so as to retain the sub-processor permanently, (ii) present a transition plan to an alternative sub-processor, or (iii) confirm disengagement if the Operational Emergency is resolved.

(b) Client may object to continued use of the Operational Emergency sub-processor within ten (10) business days of receiving notice. If Client objects and the Parties cannot reach agreement within ten (10) business days, BookedSolid shall either disengage the emergency sub-processor within twenty (20) days or offer the Client immediate termination rights to the Agreement.

8. Data Transfers

Data transfers from the UK to the EU/EEA: Both parties acknowledge that UK and EU adequacy recognitions from the ICO and the European Commission equate to a legal basis for transfers of personal data under UK GDPR.

Data transfers from the UK to the USA: Both parties acknowledge that either the UK extension to the EU/US Data Protection Framework or UK International Data Transfer Agreement terms equate, respectively, to adequacy (EU/US DPF) or appropriate safeguards under GDPR Article 46(2) and thus form a correct legal basis for transfers of personal data under UK GDPR.

Data transfers from Australia to the UK and onwards to the EU/EEA and USA: Both parties acknowledge that Australian Privacy Principle 8.2(a)(i) and (ii) are applicable, meaning that the application of UK GDPR to data exports to the EU/EEA and onwards to the USA is "subject to a law, or binding scheme, that has the effect of protecting the information in a way that is at least substantially similar to the way in which the APPs protect the information; AND there are mechanisms that the individual can access to take action to enforce that protection", the result of which is the formation of a proper legal basis for export of personal data to BookedSolid and its sub-processors. BookedSolid's assessment of this mechanism is available for Controllers/Clients to review on request, as well as Transfer Risk Assessments for each vendor for UK to US transfers under the UK International Data Transfer Agreement terms.

Data transfers from New Zealand to the UK and onwards to the EU/EEA and USA: Both parties acknowledge that the transmission and use of personal data from Clients in New Zealand to BookedSolid in the UK and onwards to its sub-processors in the EU, EEA and USA is subject to privacy laws that provide comparable safeguards to those in the New Zealand Privacy Act 2020.

BookedSolid's assessment of this mechanism is available for Controllers/Clients to review on request, as well as Transfer Risk Assessments for each vendor for UK to US transfers under the UK International Data Transfer Agreement terms.

9. Data Subject and Third Party Rights

BookedSolid will assist the Client in fulfilling its obligation to respond to data subjects' requests to exercise their rights under Data Protection Laws and will respond in writing within 5 days to requests from the Client. Requests should be sent by Clients to the contact details for BookedSolid given in Section 14. Escalations should be directed to the Data Protection Officer for BookedSolid via info@waivern.com. Requests received directly from Data Subjects will be relayed to the relevant Client within 5 days.

In the event that either party receives any Third Party Request relating to the processing of Account Data or Client Personal Data conducted by the other party, such party will promptly inform the other party in writing. The parties agree to cooperate, in good faith, as necessary to respond to any Third Party Request and fulfill their respective obligations under Data Protection Laws.

10. Data Retention and Record Keeping

The Client permits BookedSolid to retain audio recordings of telephone calls with Customers for a 30 day period for use to improve the quality of the Service and to facilitate Client's access to verify Customer data. After this 30 day period all Customer voice recordings are permanently deleted. All other Customer personal data (e.g. appointment data) is retained for seven (7) years and then permanently deleted.

BookedSolid is the Controller for Account Data. It is retained for six (6) years beyond the duration of the Agreement and handled within the terms of the BookedSolid Privacy Policy, to be found on the BookedSolid website.

11. Audit Rights

The Client may at their own cost audit compliance with this DPA, with reasonable notice and during business hours. BookedSolid will provide all necessary documentation to demonstrate compliance with Data Protection Laws.

12. Liability

Liability arising under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement.

13. Governing Law

This DPA shall be governed by the laws of England and Wales.

14. Contact

For any data protection-related inquiries, please contact:

Email: contact@bookedsolid.co.uk.

The BookedSolid Data Protection Officer can be contacted at info@waivern.com.

15. Technical and Organisational Measures to Protect Data

These are detailed in Schedule 1.

16. Agreement to Terms

By using BookedSolid's services, the Client agrees to the terms of this DPA.

Schedule 1

TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

The following table provides more information regarding the technical and organisational security measures set forth below. These are specifically enhanced due to the Special Category data being processed by BookedSolid.

Technical and Organisational Security Measure | Evidence of Technical and Organisational Security Measure
Measures of pseudonymisation and encryption of personal data

All data sent to or from BookedSolid is encrypted in transit using TLS 1.2.

Client Personal Data is encrypted at rest using 256-bit encryption.

All BookedSolid datastores used to process Client data are configured and patched using commercially reasonable methods according to industry-recognised system-hardening standards.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

BookedSolid has implemented a formal procedure for handling security events. When security events are detected, they are escalated to relevant expert staff, management notified, and appropriate staff assembled to rapidly address the event. After a security event is contained and mitigated, relevant teams write up a post-mortem analysis, which is reviewed in person and distributed across the company and includes action items that will make the detection and prevention of a similar event easier in the future.

By default, all Client Data is permanently stored in the UK or the EU and is backed up for disaster recovery.

BookedSolid relies on Render, a reputable Infrastructure-as-a-Service provider. BookedSolid leverages their portfolio of redundant services to ensure Services run reliably. BookedSolid benefits from the ability to dynamically scale up, or completely re-provision its infrastructure resources on an as-needed basis, using the same vendor, tools, and APIs. BookedSolid's infrastructure scales up and down on demand as part of day-to-day operations and does so in response to any changes in our Clients' needs. This includes not just compute resources, but storage and database resources, networking, security, and DNS. Every component in BookedSolid's infrastructure is designed and built for high availability.

BookedSolid's data security, high availability, and built-in redundancy are designed to ensure application availability and protect information from accidental loss or destruction. BookedSolid's Disaster Recovery plan incorporates geographic failover between Render data centers. Subscription Service restoration is within commercially reasonable efforts and is performed in conjunction with Render's ability to provide adequate infrastructure at the prevailing failover location. All of BookedSolid's recovery and resilience mechanisms are tested regularly and processes are updated as required.

BookedSolid operates an incident management function, ready to immediately respond to, and mitigate, any Client impacting issues.

BookedSolid has no direct reliance on specific office locations to sustain operations. All operational access to production resources can be exercised at any location on the Internet. BookedSolid leverages a range of best-of-breed technologies and other critical cloud tools to deliver uninterrupted remote work for all employees.

With respect to Client Data encrypted in compliance with this security policy, deletion of that Client Data may be done by permanently and securely deleting all copies of the keys used for encryption.

Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

BookedSolid regularly tests their security systems and processes to ensure they meet the requirements of this security policy.

Application Scans. BookedSolid performs periodic (but no less than once per month) application vulnerability scans. Vulnerabilities shall be remediated on a risk basis.

Third party penetration tests. BookedSolid employs an independent third-party vendor to conduct periodic (but no less than once per year) penetration tests on their web properties.

Measures for user identification and authorisation

Single Sign-On (SSO)

Logical Access Controls. BookedSolid assigns a unique ID to each employee and leverages an Identity Provider to manage access to systems processing Client Data.

All access to systems processing Client Data is protected by Multi Factor Authentication (MFA).

BookedSolid restricts access to Client Data to only those BookedSolid employees and other associates with a "need-to-know" for a Permitted Purpose and following least privileges principles.

BookedSolid regularly reviews the list of people and systems with access to Client Data and removes accounts upon termination of employment with BookedSolid or a change in job status that results in them no longer requiring access to Client Data.

BookedSolid mandates and ensures the use of system-enforced "strong passwords" in accordance with the best practices (described below) on all systems hosting, storing, processing, or that have or control access to Client Data and will require that all passwords and access credentials are kept confidential and not shared among personnel.

Password best practices implemented by BookedSolid's Identity Provider. Passwords must meet the following criteria: a. contain at least 8 characters; b. contain lowercase and uppercase letters, numbers, and a special character.

BookedSolid maintains and enforces progressive delayed "account lockout" on accounts with access to Client Data after consecutive incorrect password attempts on an account.

BookedSolid does not operate any internal corporate network. All access to BookedSolid resources is protected by strong passwords and MFA.

BookedSolid monitors their production systems and implements and maintains security controls and procedures designed to prevent, detect, and respond to identified threats and risks.

Strict privacy controls exist in the application code that are designed to ensure data privacy and to prevent one Client from accessing another Client's data (i.e., logical separation).

Measures for the protection of data during transit and storage

Intrusion Prevention. BookedSolid implements and maintains a working network firewall to protect data accessible via the Internet and will keep all Client Data protected by the firewall at all times.

BookedSolid keeps its systems and software up to date with the latest upgrades, updates, bug fixes, new versions, and other modifications necessary to ensure security of the Client Data.

Security Awareness Training. BookedSolid requires periodic security and privacy training for all employees with access to Client Data.

BookedSolid uses anti-malware software and keeps the anti-malware software up to date. Client instances are logically separated and attempts to access data outside allowed domain boundaries are prevented and logged.

Endpoint security software

System inputs recorded via log files

Access Control Lists (ACL)

Multi-factor Authentication (MFA)

Measures for ensuring physical security of locations at which personal data are processed

Physical Access Control. BookedSolid's services and data are hosted in Render's facilities in the EEA and protected by Render in accordance with their security protocols.

Access only to approved personnel.

All personnel who need data center access must first apply for access and provide a valid business justification. These requests are granted based on the principle of least privilege and are time-bound. Requests are reviewed and approved by authorised personnel, and access is revoked after the requested time expires.

Measures for ensuring events logging

See "Measures for the protection of data during transit and storage" above.

Measures for ensuring system configuration, including default configuration

Change and Configuration Management. BookedSolid uses continuous automation for application and operating systems deployment for new releases. Integration testing and unit testing are done upon every build with safeguards in place for availability and reliability. BookedSolid has a process for critical emergency fixes that can be deployed to Clients within minutes. As such BookedSolid can roll out security updates as required based on criticality.

Access Control Policy and Procedures

Change Management Procedures

Measures for internal IT and IT security governance and management

Information security policy

Security Breach Response Plan

Measures for ensuring data minimisation

Data collection is limited to the purposes of processing (or the data that the Client chooses to provide).

Security measures are in place to provide only the minimum amount of access (least privilege) necessary to perform required functions.

Upon termination or expiry of this Agreement, BookedSolid will (at Client's election) delete or return to Client all Client Personal Data (including copies) in its possession or control. Client may request to BookedSolid to delete all Client Personal Data, and BookedSolid will proceed to delete the data as soon as reasonably practicable and within a maximum period of 30 days from Client's written request. If Client does not request deletion of Client Personal Data, BookedSolid will automatically delete it from our systems 180 days after the termination or expiration of this Agreement. Client Personal Data from our back-up systems will be deleted after 14 days, save that this requirement will not apply to the extent that BookedSolid is required by Applicable Data Protection Legislation to retain some or all of the Client Personal Data, which BookedSolid will securely isolate and protect from any further processing, except to the extent required by applicable law.

Measures for ensuring data quality

The Client, as Controller, has the primary obligation to ensure Data Subjects have access to their personal data rights. BookedSolid commits within this Data Processing Agreement to cooperating with Clients to support this.

See "Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services" above.

Measures for ensuring limited data retention

See "Measures for ensuring data minimisation" above.

Measures for ensuring accountability

BookedSolid has implemented data protection policies for data for which it is the Controller and a Data Processing Agreement for data for which it is a Processor.

BookedSolid follows a compliance by design approach.

BookedSolid maintains documentation of its processing activities.

Measures for allowing data portability and ensuring erasure

Archival Copies. When required by law to retain archival copies of Client Data for tax or similar regulatory purposes, this archived Client Data is stored as a "cold" or offline (i.e., not available for immediate or interactive use) backup stored in a physically secure facility.

BookedSolid has a process that allows data subjects whose Personal Data is under the controllership of BookedSolid to exercise their privacy rights (including a right to amend and update their Personal Data), as described in BookedSolid's Privacy Statement.

Technical and organisational measures to be taken by the [sub]-processor to provide assistance to the controller and, for transfers from a processor to a [sub]-processor, to the Client.

Vendor & Services Providers. Prior to engaging new third-party service providers or vendors who will have access to BookedSolid Data, BookedSolid conducts a risk assessment of vendors' data security practices.

BookedSolid will restrict the onward sub-processor's access to Client Data only to what is strictly necessary to provide the Services and in accordance with the Agreement, and BookedSolid will prohibit the sub-processor from processing the Personal Data for any other purpose.

BookedSolid imposes contractual data protection obligations, including appropriate technical and organisational measures to protect personal data, on any sub-processor it appoints that require such sub-processor to protect Client Data to the standard required by Applicable Data Protection Legislation.

BookedSolid will remain liable and accountable for any breach of this DPA that is caused by an act or omission of its sub-processors.