Data Processing Addendum

Last updated: 2026-05-27

This Data Processing Addendum (“DPA”) forms part of the agreement between Koalendar (“Processor”, “we”, “us”) and the customer entity that uses Koalendar (“Customer”, “Controller”, “you”) and applies to the extent Koalendar processes Personal Data on behalf of Customer in the course of providing the Koalendar service (the “Service”).

This DPA is incorporated by reference into our Terms of Service. By creating an account or using the Service, you agree to this DPA.

For a high-level overview of how Koalendar supports GDPR-related requirements, see our GDPR page.

1. Definitions

Unless defined here, terms in this DPA have the meanings given in the GDPR, the CCPA, or our Terms.

  • “CCPA” means the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CPRA).
  • “GDPR” means Regulation (EU) 2016/679.
  • “Personal Data” means any information relating to an identified or identifiable natural person processed on behalf of Customer.
  • “Processing” has the meaning given in the GDPR.
  • “Subprocessor” means a third party appointed by Koalendar to process Personal Data on behalf of Customer.

2. Roles and scope

  • Customer is the Controller of Personal Data submitted to or collected via the Service for appointment scheduling (for example invitee and booking data).
  • Koalendar is the Processor of that Personal Data and will process it only in accordance with Customer’s documented instructions as described in this DPA and the Service’s functionality.

This DPA does not apply to:

  • Data that Koalendar processes as an independent controller (for example account administration, billing, and marketing where applicable).
  • Third-party services that Customer enables at its option (for example Zoom or calendar providers). Those providers act as independent third parties under their own terms and privacy policies.

3. Details of processing (Article 28(3))

The details of processing are described in Annex 1 (subject matter, duration, nature and purpose of processing, types of Personal Data, and categories of data subjects).

4. Processor obligations

Koalendar will:

  • Process on instructions. Process Personal Data only on documented instructions from Customer, as implemented through the Service’s functionality, including with regard to transfers of Personal Data to a third country or an international organisation, unless required by applicable law (in which case we will inform Customer unless prohibited).
  • Confidentiality. Ensure persons authorised to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Security. Implement appropriate technical and organisational measures to protect Personal Data (see Annex 1 for a high-level summary).
  • Subprocessors. Use Subprocessors only as set out in Section 5.
  • Assist Customer. Provide reasonable assistance to Customer for responding to requests from data subjects and complying with GDPR obligations, as set out in Section 7.
  • Breach notification. Notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, as set out in Section 8.
  • Deletion or return. Delete or return Personal Data at the end of the provision of services, as set out in Section 9.
  • Information and audits. Make available information reasonably necessary to demonstrate compliance with this DPA and allow for audits as set out in Section 10.

5. Subprocessors

5.1 Authorised Subprocessors

Customer authorises Koalendar to engage Subprocessors to process Personal Data on Customer’s behalf. A list of current Subprocessors is provided in Annex 2.

5.2 Subprocessor obligations

Koalendar will:

  • Impose data protection terms on Subprocessors that are no less protective than those in this DPA, including appropriate confidentiality and security obligations.
  • Remain responsible for the performance of Subprocessors’ obligations to the extent required by applicable law.

5.3 Changes to Subprocessors

Koalendar may update Subprocessors from time to time. If we add or replace a Subprocessor, we will update Annex 2. If Customer has a reasonable objection related to data protection, Customer may notify us promptly and, if the parties cannot resolve the issue, Customer may stop using the affected part of the Service or terminate the affected part of the Service or the Service in accordance with the Terms.

6. International data transfers

Customer acknowledges that some Subprocessors may process Personal Data outside the EEA, the UK, or Switzerland.

Where GDPR requires a transfer mechanism for such transfers, the parties agree that:

  • Koalendar will ensure an appropriate transfer mechanism applies (for example the EU Standard Contractual Clauses (Module Two, controller to processor) and, where applicable, the UK Addendum).
  • If required, Koalendar will implement supplementary measures appropriate to the transfer risk.

7. Assistance with data subject requests and GDPR/CCPA obligations

Taking into account the nature of processing and the information available to Koalendar, we will provide reasonable assistance to Customer with:

  • Responding to data subject requests (access, rectification, erasure, restriction, portability, objection) under the GDPR and similar laws.
  • Responding to consumer requests under the CCPA (Right to Know, Right to Delete, Right to Correct) where Koalendar processes Personal Data on Customer’s behalf.
  • Security, breach notification, and data protection impact assessments where applicable.

Customer remains responsible for responding to data subject and consumer requests. Requests should be submitted to dpo@koalendar.com with sufficient details to identify the relevant account and booking page.

8. Personal Data Breach

Koalendar will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data and will provide information reasonably available about:

  • The nature of the breach
  • Likely consequences
  • Measures taken or proposed to address the breach

9. Data retention, deletion, and return

Customer can delete data through the Service (where available) or by requesting deletion at dpo@koalendar.com.

Upon termination or expiry of the Service, Koalendar will delete or return Customer Personal Data in accordance with the Service’s standard retention and deletion practices, unless applicable law requires storage of the Personal Data.

10. Audits and compliance information

Koalendar will make available information reasonably necessary to demonstrate compliance with this DPA. If Customer requires an audit, Customer must provide reasonable advance notice and the audit must:

  • Be limited to information relevant to Customer Personal Data
  • Not unreasonably interfere with Koalendar’s operations
  • Be subject to appropriate confidentiality obligations

Where possible, Koalendar may satisfy audit requests by providing third-party certifications, audit reports, or summaries.

11. Miscellaneous

  • Order of precedence. If there is a conflict between this DPA and the Terms regarding the processing of Personal Data, this DPA will control.
  • Liability. The liability provisions in the Terms apply to this DPA to the maximum extent permitted by law.

Annex 1: Processing details

A. Subject matter

Provision of the Service, including appointment scheduling workflows and communications.

B. Duration

The duration of Customer’s use of the Service, plus any limited retention periods required for security, backups, dispute resolution, or legal compliance.

C. Nature and purpose of processing

  • Create and manage booking pages and appointments
  • Send booking-related notifications (email and SMS where configured)
  • Provide customer support
  • Prevent abuse and fraud
  • Provide service analytics and improve performance

D. Categories of data subjects

  • Customer’s end users (invitees and other participants)
  • Customer’s users and administrators

E. Types of Personal Data

Depending on Customer configuration and how the Service is used:

  • Identity and contact data (name, email address, phone number)
  • Booking and scheduling metadata (appointment time, duration, event name, responses to booking form questions)
  • Technical data (IP address, device and browser metadata, logs)
  • Integration metadata (for example calendar event IDs and conferencing links, if enabled)

Customer should not submit special categories of data (as defined by GDPR Article 9) unless strictly necessary and configured by Customer at its own responsibility.

F. Security measures (summary)

Koalendar maintains a security program designed to protect Personal Data, including measures such as:

  • Encryption in transit (TLS) and encryption at rest for customer data stored in Koalendar databases
  • Access controls for production systems
  • Role-based access controls and multi-factor authentication for privileged access
  • Logging and monitoring
  • Secure development and change management practices

Security measures may be updated from time to time in accordance with industry standards.


Annex 2: Subprocessors

Koalendar may use the following Subprocessors to provide the Service. Processing locations listed below are typical, and some vendors may process data in additional regions depending on configuration and operational needs.

| Subprocessor | Purpose | Typical processing location |
|---|---|---|
| Google Cloud Platform (including Firebase) | Application hosting, data storage, logs, and background processing | United States and EEA |
| Twilio | SMS delivery and messaging | United States and other regions |
| Amazon Web Services (SES) | Email delivery | United States and other regions |
| Mixpanel | Product analytics | United States |
| Microsoft (Clarity) | Session analytics and diagnostics | United States and EEA |
| Help Scout | Customer support and help desk | United States |
| HubSpot | Sales and contact management | United States and EEA |
| Stripe | Payments and billing processing | United States and EEA |
| OpenAI | Automated content moderation and AI-assisted features (where enabled) | United States and other regions |
| Slack | Internal notifications for support and operations | United States and other regions |
| Tally | Optional forms (discount applications, feedback) | Belgium |