Data Processing Agreement
This DPA forms part of the Terms of Service between Booki7 (Processor) and the Booki7 customer (Controller). By accepting the Terms, the Controller accepts this DPA. Both documents together constitute the written agreement required by Art. 28(3) GDPR.
1. Parties and roles
- Controller: the Booki7 customer (the business identified by the account).
- Processor: Booki7 (and where Booki7 itself acts under instructions, our sub-processors listed at /legal/sub-processors).
Processing is carried out only on the Controller's documented instructions. The Terms of Service and the Booki7 product configuration constitute those instructions, as updated by the Controller from their admin panel.
2. Subject-matter, nature, purpose, duration
- Subject-matter: provision of an AI receptionist service for the Controller's customers and prospects.
- Nature of processing: collection, storage, transmission, automated analysis (AI inference), routing, deletion.
- Purpose: to handle inbound conversations, capture bookings and contact requests, and notify the Controller.
- Duration: for the term of the Terms of Service plus a 90-day data retention window.
3. Categories of data subjects and personal data
- Data subjects: end-visitors of the Controller's website / Facebook page / WhatsApp / phone number.
- Categories of data: name, email, phone, message content, IP address, browser/device string, page URL, booking details (service, date, time), notes the visitor provides.
- No special-category data: the Controller agrees not to process Art. 9 GDPR data (health, biometrics, etc.) without prior written notice.
4. Processor obligations
- Process personal data only on documented instructions from the Controller (Art. 28(3)(a)).
- Ensure persons authorised to process the data are subject to confidentiality (Art. 28(3)(b)).
- Implement appropriate technical and organisational measures (Art. 32) — see Section 7 below.
- Engage sub-processors only with prior authorisation and a written contract imposing equivalent obligations (Art. 28(2), 28(4)).
- Assist the Controller in responding to data-subject requests (Art. 28(3)(e)).
- Assist the Controller with security, breach notification, DPIAs, and consultation with the supervisory authority (Art. 28(3)(f)).
- At the Controller's choice, delete or return all personal data at the end of processing, save copies required by law (Art. 28(3)(g)).
- Make available all information necessary to demonstrate compliance and allow audits (Art. 28(3)(h)).
5. Sub-processors
The Controller authorises Booki7 to use the sub-processors listed at /legal/sub-processors. Booki7 will give at least 30 days' notice by email of any intended addition or replacement. The Controller may object on reasonable data-protection grounds, in which case the Controller may terminate the affected service without penalty.
6. International transfers
Some sub-processors are located outside the EU/EEA (notably the United States). Where this is the case, transfers are based on the European Commission's Standard Contractual Clauses (Module 3, processor-to-processor or Module 2, controller-to-processor as appropriate), supplemented by the technical and organisational measures listed in Section 7. Booki7 has performed a transfer impact assessment for each US sub-processor in the list.
7. Technical and organisational measures (Art. 32)
- Encryption in transit: TLS 1.2+ enforced on all public endpoints; HSTS; signed WebSocket origin checks.
- Encryption at rest: host-provided full-disk encryption on the production server.
- Access control: per-tenant scoped admin tokens; per-agent tokens; super-admin token held in the environment only; SSH key-based admin access; least-privilege on the application database.
- Logging: every super-admin action against tenant data is recorded in the audit log with actor, action, target, IP, user-agent and timestamp.
- Backups: daily automated backup with 30-day rotation, in the same EU region as production.
- Resilience: process supervisor (PM2) auto-restart, health endpoint, structured error logging.
- Vulnerability management: monthly dependency review; security patches applied within 30 days of vendor release for high-severity issues.
- Data minimisation: only the data the AI needs for its task is sent to inference sub-processors; sub-processors do not train on customer data (see the Sub-processors page for vendor-specific commitments).
8. Personal data breach
Booki7 will notify the Controller of any personal data breach affecting their data without undue delay and within 72 hours of becoming aware, and will provide the information required by Art. 33(3) (nature, categories, numbers, likely consequences, measures taken). The Controller is responsible for any onward notification to the supervisory authority and to data subjects.
9. Audit
The Controller may, on 30 days' written notice and no more than once per calendar year, request a written description of Booki7's controls or a copy of the most recent third-party security report (if any). On-site audits require the Controller to bear reasonable costs and may be replaced, at Booki7's discretion, by a SOC 2 / ISO 27001 / penetration test report once available.
10. Liability
Liability under this DPA is subject to the limitation in the Terms of Service.
11. Termination, return and deletion
On termination of the Agreement, Booki7 will, at the Controller's choice, return or delete all personal data within 90 days, except where law requires retention. The Controller may export their data at any time from Settings → My Data.
12. Order of precedence
If there's a conflict between the Terms and this DPA on data-protection matters, the DPA prevails.
13. Governing law
This DPA is governed by Irish law and forms a binding part of the Terms.