Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between Cal ID, Inc. ("Processor") and the customer ("Controller") who uses the Cal.id scheduling platform. This DPA sets out the terms under which the Processor will process personal data on behalf of the Controller, in accordance with applicable data protection laws including the General Data Protection Regulation (GDPR).

For the purposes of this DPA:

• "Controller" means the customer entity that determines the purposes and means of processing personal data.
• "Processor" means Cal ID, Inc., which processes personal data on behalf of the Controller.
• "Personal Data" means any information relating to an identified or identifiable natural person.
• "Processing" means any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
• "Data Subject" means the individual to whom personal data relates.
• "Sub-processor" means any third party appointed by the Processor to process personal data on behalf of the Controller.
• "Applicable Data Protection Law" means all laws and regulations applicable to the processing of personal data, including GDPR, CCPA, and other applicable legislation.

The Processor shall process personal data only on documented instructions from the Controller, for the purpose of providing the Cal.id scheduling and booking services described in the main service agreement. The subject matter, duration, nature, and purpose of processing, the types of personal data, and categories of data subjects are as follows:

• Subject matter: Scheduling, booking, and calendar management services.
• Duration: For the term of the service agreement, and thereafter as required by law.
• Nature: Collection, storage, use, and transmission of personal data to facilitate bookings.
• Types of data: Names, email addresses, phone numbers, calendar availability, meeting metadata.
• Data subjects: The Controller's customers, clients, and employees who use the scheduling platform.

The Processor agrees to:

1. Process personal data only on the documented instructions of the Controller, unless required to do so by applicable law.
2. Ensure that persons authorised to process personal data are committed to confidentiality or are under appropriate statutory obligations.
3. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption of data in transit and at rest, and access controls.
4. Assist the Controller in responding to data subject rights requests (access, rectification, erasure, portability, objection).
5. Assist the Controller in ensuring compliance with obligations relating to security, breach notification, data protection impact assessments, and prior consultation.
6. Delete or return all personal data to the Controller at the end of the service agreement, and delete existing copies unless retention is required by law.
7. Make available all information necessary to demonstrate compliance with obligations and allow for audits.

The Controller agrees to:

1. Ensure that it has a lawful basis for processing personal data and for instructing the Processor to process such data.
2. Provide all necessary privacy notices to data subjects and obtain any required consents prior to providing personal data to the Processor.
3. Ensure the personal data provided to the Processor is accurate and up to date.
4. Comply with all applicable data protection laws in its use of the Cal.id platform.

The Controller grants the Processor general authorisation to engage sub-processors to assist in providing the services. The Processor shall:

• Inform the Controller of any intended changes to sub-processors by providing at least 14 days' prior notice.
• Impose the same data protection obligations on sub-processors as set out in this DPA.
• Remain fully liable to the Controller for the performance of the sub-processor's obligations.

Current sub-processors include infrastructure and cloud hosting providers, email delivery services, and analytics tools. A current list is available upon request at support@cal.id.

Taking into account the state of the art, implementation costs, the nature, scope, context and purposes of processing, and the risks of varying likelihood and severity, the Processor shall implement appropriate technical and organisational security measures including:

• Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256).
• Ongoing confidentiality, integrity, availability, and resilience of processing systems.
• The ability to restore access to personal data in a timely manner in the event of an incident.
• Regular testing and evaluation of the effectiveness of technical and organisational measures.
• Role-based access controls and least-privilege principles for internal access to personal data.

In the event of a personal data breach, the Processor shall:

1. Notify the Controller without undue delay, and where feasible, no later than 72 hours after becoming aware of the breach.
2. Provide sufficient information to allow the Controller to meet any breach notification obligations, including the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed.
3. Cooperate with the Controller and take such reasonable steps as the Controller directs to assist in the investigation and remediation of the breach.

Breach notifications should be sent to the Controller's registered contact email. The Controller is responsible for notifying the relevant supervisory authority and data subjects where required.

Where personal data is transferred outside the European Economic Area (EEA), the Processor shall ensure that such transfers are made in accordance with Chapter V of the GDPR. Appropriate safeguards include:

• Standard Contractual Clauses (SCCs) as approved by the European Commission.
• Transfers to countries that benefit from an adequacy decision by the European Commission.

The Controller may request details of the transfer mechanisms in place by contacting support@cal.id.

The Processor shall make available all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits and inspections conducted by the Controller or its mandated auditor. The Controller shall provide reasonable advance notice (no less than 30 days) of any intended audit and shall conduct such audits during business hours, minimising disruption to the Processor's operations. Audit costs shall be borne by the Controller unless the audit reveals material non-compliance by the Processor.

This DPA shall remain in force for the duration of the service agreement between the Controller and the Processor. Upon termination or expiry of the service agreement, the Processor shall, at the Controller's election, delete or return all personal data processed under this DPA within 30 days, and certify in writing that it has done so, unless applicable law requires continued retention.

Each party's liability under this DPA is subject to the limitations and exclusions set out in the main service agreement. Where a party has paid compensation for damage caused by a breach of data protection law, it may recover from the other party that part of the compensation corresponding to the other party's responsibility for the damage.

For any questions relating to this DPA or to exercise any rights under this agreement, please contact:

OneHash, Inc.
Email: support@cal.id