Data Processing Addendum (DPA) & International Transfers

Comprehensive data protection framework for controllers and processors

Last Modified on April 27, 2017

Owner & Contact

Owner/Operator: Spyface Tech Company, LLC (d/b/a "ClinicBooking")

Address: 30 N Gould St Ste N, Sheridan, WY 82801, USA

1. Applicability & Roles

  • This DPA is incorporated by reference into the agreement between ClinicBooking and the customer entity using our platform (the "Controller" or "Customer") when we process Personal Data on the Customer's documented instructions.
  • Role split: For core marketplace and appointment tools, ClinicBooking acts as a Processor to the Customer (e.g., Clinics) with respect to patient/lead data they input. For our own analytics, fraud-prevention, platform security, marketing and product improvement, ClinicBooking acts as an independent Controller (see Privacy Policy).
  • HIPAA/PHI boundary: This DPA is not a HIPAA Business Associate Agreement. We do not agree to receive, create, maintain, or transmit PHI unless a separate signed BAA is in place. Customers must not upload PHI unless a BAA has been executed.
  • Jurisdictional scope: This DPA satisfies requirements under GDPR/UK GDPR, Swiss FADP, certain U.S. state privacy laws (e.g., CCPA/CPRA service provider/contractor terms), and analogous regimes. Where conflicts exist, the stricter protective term controls.

2. Key Definitions

  • Personal Data, Processing, Controller, Processor, Data Subject, Personal Data Breach have the meanings in the GDPR. For UK and Swiss scope, read as per UK GDPR/Swiss FADP.
  • Consumer Health Data (CHD): has the meaning under applicable U.S. state laws (e.g., WA MHMDA). If we process CHD as a processor, Customer remains responsible for obtaining consents and honoring state-specific requirements.
  • Standard Contractual Clauses (SCCs): refers to EU Commission Decision (EU) 2021/914 (Modules 2 & 3), including UK IDTA Addendum and Swiss Addendum as applicable.
3. Annex A — Details of Processing

  • Subject matter: Provision of ClinicBooking platform (lead capture, messaging, appointment scheduling, payments facilitation), and related support.
  • Duration: For the term of the underlying service agreement and any data retention period required by law or explicitly instructed by Customer.
  • Nature & purpose: Hosting, storage, transmission, display and processing of Personal Data strictly as needed to provide the services; security monitoring; fraud prevention; troubleshooting; service analytics as Processor to Customer.
  • Data subjects: Patients/consumers; prospective patients/leads; Customer's staff and providers; Customer's administrators; ClinicBooking support contacts.
  • Personal data categories: Identification & contact data; account/profile data; appointment & inquiry details; communications metadata and content sent via platform; device/usage identifiers (IP, user agent); location approximations; limited payment identifiers (token/last4; no full PAN stored by ClinicBooking); optional health-related details that Customer inputs.
  • Special categories: Health-related information may be processed as instructed by Customer. No PHI unless a separate BAA is executed.
  • Processor role: ClinicBooking acts on Customer's documented instructions (see §4) and uses Subprocessors listed in this DPA (see §7 and §15).

4. Controller Instructions

  • ClinicBooking will process Personal Data only on documented instructions from Customer, including with respect to international transfers, unless required by law (in which case we will inform Customer unless legally prohibited).
  • Customer is responsible for having a lawful basis, notices, consents, and for the accuracy of data it inputs.
  • Customer shall not instruct ClinicBooking to process PHI without a signed BAA.

5. Personnel & Confidentiality

  • ClinicBooking ensures personnel with access to Personal Data are subject to confidentiality obligations and receive appropriate privacy/security training.

6. Annex B — Security Measures

  • Organization & governance: Security program; risk assessments; access approvals; least privilege; background checks where permitted; vendor risk management.
  • Physical & infrastructure: Data centers with industry certifications (via cloud providers); redundant power/network; physical access controls.
  • Logical access: MFA for privileged accounts; strong auth; role-based access; session management; logging and monitoring.
  • Data protection: Encryption in transit (TLS 1.2+); encryption at rest for primary stores; key management by reputable cloud KMS; secure deletion routines.
  • Development & change: Secure SDLC; code review; dependency management; secrets management; staging segregation; CI/CD controls.
  • Vulnerability & incident: Automated scanning; patching SLAs; third-party testing as needed; incident response plan; breach notification (§10).
  • Business continuity: Backups; tested restores; documented DR procedures.
  • Privacy by design: Data minimization; purpose limitation; retention controls; audit logs; DSR tooling support.

7. Annex C — Subprocessors & Change Management

  • Customer authorizes ClinicBooking to engage Subprocessors to support the services. We remain responsible for their performance.
  • We will maintain a public list of current Subprocessors (§15) and provide prior notice of material changes. Customer may object on reasonable grounds related to data protection; if unresolved, Customer may terminate affected services without penalty.
  • We impose written data protection terms on Subprocessors no less protective than this DPA.

8. International Transfers & SCCs/UK Addendum/Swiss Addendum

  • Where Personal Data is transferred internationally, ClinicBooking implements appropriate safeguards, including the EU SCCs (Modules 2 and/or 3), the UK IDTA Addendum, and the Swiss Addendum, as applicable.
  • Annexes to SCCs: this DPA (Annex A/B/C) forms the SCCs' Annex I/II/III. Governing law for SCCs: Ireland (for EU), England & Wales (for UK addendum), and Swiss law for Swiss Addendum.
  • We conduct transfer risk assessments (TIAs) where required and implement supplementary measures (e.g., encryption, access controls).
Note: For CCPA/CPRA, ClinicBooking acts as "service provider/contractor" for Customer instructions; we do not sell/share Personal Information except as permitted by law and contract.

9. Data Subject Requests (DSRs)

  • ClinicBooking will, where feasible and legally permitted, assist Customer by appropriate technical and organizational measures to respond to access, deletion, correction, portability, objection and restriction requests.
  • If we receive a DSR directly and can identify the Customer, we will notify the Customer and await instruction unless prohibited by law.

10. Security Incidents & Breach Notice

  • ClinicBooking will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer data, and provide information as it becomes available: nature of breach, categories/approximate number of data subjects and records, likely consequences, and measures taken or proposed.
  • Customer is responsible for regulatory notifications to authorities/data subjects unless otherwise agreed or required by law.

11. Return & Deletion

  • Upon termination or at Customer's request, ClinicBooking will delete or return Personal Data (at Customer's choice) after reasonable retention needed for legal, audit, or dispute purposes. Backups roll off per standard cycles.

12. Assistance, Records & Audits

  • ClinicBooking will make available information necessary to demonstrate compliance (e.g., summaries of audits/assessments, security overviews) and allow audits by Customer or a mutually agreed independent auditor, subject to reasonable notice, confidentiality, and frequency limits.
  • We will reasonably assist with DPIAs and consultations with supervisory authorities related to the Services.

13. Liability & Allocation of Risk

  • Each party's liability under this DPA is subject to the limitations and exclusions set out in the underlying agreement, except where prohibited by applicable law or the SCCs.

14. Term; Order of Precedence; Changes

  • This DPA remains in effect for as long as ClinicBooking processes Personal Data on behalf of Customer.
  • In case of conflict: SCCs (where applicable) > this DPA > main agreement.
  • ClinicBooking may update this DPA to reflect legal or operational changes. Material changes will be notified in advance where required.
  • Governing law for this DPA (outside SCCs): Wyoming, USA, unless the main agreement specifies otherwise.

15. Current Subprocessor List

Amazon Web Services (AWS)
  • Purpose: Cloud hosting, storage, databases, KMS
  • Data categories: All data stored by platform
  • Primary processing location: USA/EU (region as configured)

Cloudflare
  • Purpose: CDN, WAF, DDoS protection
  • Data categories: IP, request metadata, cached content
  • Primary processing location: Global

Stripe
  • Purpose: Payment processing
  • Data categories: Payment tokens/last4, billing info (no full PAN by ClinicBooking)
  • Primary processing location: USA/EU

Twilio
  • Purpose: SMS/voice routing
  • Data categories: Phone numbers, call/SMS metadata, recordings if enabled
  • Primary processing location: USA/EU

Mailgun / SendGrid
  • Purpose: Transactional email
  • Data categories: Email, message metadata, limited content
  • Primary processing location: USA/EU

Campaign Monitor / Iterable
  • Purpose: Marketing communications (where permitted)
  • Data categories: Contact data, subscription preferences
  • Primary processing location: USA/EU

Trustpilot
  • Purpose: Service feedback collection
  • Data categories: Contact data for invitations, review metadata
  • Primary processing location: EU/Global

Analytics providers (e.g., Google Analytics)
  • Purpose: Usage analytics, performance
  • Data categories: Device/usage data, IP (as configured)
  • Primary processing location: Global

121BPO (or equivalent support vendor)
  • Purpose: Customer support overflow/NDA-bound ops
  • Data categories: Ticket metadata, limited contact/inquiry details
  • Primary processing location: As contracted

We will post updates to this list prior to onboarding a new Subprocessor or changing a processing location. To receive change notices, email privacy@clinicbooking.com with subject "Subscribe — Subprocessor Updates".

16. Contact

Privacy/DPA: privacy@clinicbooking.com

Address: Spyface Tech Company, LLC (ClinicBooking), 30 N Gould St Ste N, Sheridan, WY 82801, USA