Data Processing Agreement
Effective Date: March 8, 2026 | Last Updated: March 8, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between Skedron LLC ("Processor" or "Skedron") and the entity subscribing to the Service ("Controller" or "Customer").
This DPA applies to the processing of Personal Data that Customer submits to or collects through the Service on behalf of its clients ("Customer Data").
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable data protection laws, including the California Consumer Privacy Act ("CCPA").
- "Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, combination, erasure, or destruction.
- "Data Subject" means the individual to whom Personal Data relates (i.e., the Customer's clients).
- "Sub-processor" means any third party engaged by Skedron to process Customer Data.
- "Security Incident" means any confirmed accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data.
- "Service Provider" has the meaning given under the CCPA (Cal. Civ. Code § 1798.140(ag)).
2. Scope and Purpose of Processing
2.1 Categories of Data Subjects
Clients of the Customer's massage therapy, spa, or wellness business who book appointments or communicate with the business through the Service.
2.2 Categories of Personal Data
- Client name
- Client phone number
- Client email address (when provided)
- Appointment details (service, date, time, duration, price, status)
- Booking confirmation codes
- SMS message content and metadata (timestamps, delivery status)
2.3 Purpose of Processing
Skedron processes Customer Data solely to provide the Service as described in the Agreement, including:
- Scheduling and managing appointments
- Sending automated appointment notifications (confirmations, reminders, cancellations) via SMS
- Facilitating two-way SMS communication between Customer and Data Subjects
- Generating reports and analytics for Customer
- Providing the online booking widget for client self-service
2.4 Duration of Processing
Skedron will process Customer Data for the duration of the Agreement. Upon termination, Skedron will retain Customer Data for 90 days (to allow for data export), after which it will be permanently deleted.
3. Obligations of the Processor
3.1 Processing Instructions
Skedron will process Customer Data only on documented instructions from the Customer, as described in the Agreement and this DPA. Skedron will not process Customer Data for any purpose other than providing the Service, unless required by applicable law, in which case Skedron will inform the Customer before processing (unless prohibited by law from doing so).
If Skedron determines that a Customer instruction infringes applicable data protection law, Skedron will promptly inform the Customer and may suspend processing of the affected Customer Data until the Customer issues a lawful instruction.
3.2 Data Segregation and Minimization
Skedron maintains logical separation of Customer Data using unique organizational identifiers within a shared database infrastructure. Access controls within the application enforce that each Customer can only access, view, and manage its own data. Skedron will not intentionally combine, aggregate, or commingle Customer Data with data belonging to other customers or with Skedron's own data, except as necessary to provide the Service (e.g., infrastructure-level logs and error monitoring that may contain technical identifiers across tenants).
Skedron will limit processing of Customer Data to what is necessary, relevant, and proportionate to the purposes described in Section 2.3.
3.3 Confidentiality
Skedron ensures that all persons authorized to process Customer Data are bound by obligations of confidentiality, whether contractual or statutory, and have received appropriate training on data protection obligations.
3.4 Security Measures
Skedron implements and maintains appropriate technical and organizational measures to protect Customer Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage, including:
- Encryption of data in transit (TLS 1.2+) and at rest (Google Cloud default encryption)
- Database access restricted to application services only; no public internet exposure
- Authentication via short-lived JWT tokens with 30-day maximum session limits
- Role-based access controls within the application
- Security updates applied as part of regular deployment cycles
- Error monitoring without personally identifiable information (Sentry with PII disabled)
- Idempotency controls to prevent duplicate operations
- A2P 10DLC registration for SMS compliance
- Automated daily database backups with point-in-time recovery (Google Cloud SQL)
Skedron will review and update these measures as reasonably necessary to address evolving security threats and industry practices.
3.5 Sub-processors
Customer authorizes Skedron to engage the following Sub-processors:
- Google Cloud Platform — Cloud hosting and database (United States)
- Telnyx — SMS delivery (United States)
- Postmark — Transactional email delivery (United States)
- Sentry — Error tracking (PII disabled; United States)
- Stripe — Payment processing for subscription billing (United States)
Skedron will notify the Customer at least 30 days before engaging a new Sub-processor by updating the list above and sending notice to the email address associated with the Customer's account. If the Customer objects to a new Sub-processor on reasonable data protection grounds, the Customer may notify Skedron in writing within 30 days. Skedron will make reasonable efforts to address the objection. If the objection cannot be resolved, the Customer may terminate the affected portion of the Service without penalty.
Skedron will impose data protection obligations on each Sub-processor through a written agreement that provides at least the same level of data protection as this DPA. Skedron remains responsible for the acts and omissions of its Sub-processors to the same extent Skedron would be liable if performing the services of each Sub-processor directly under this DPA, subject to the limitations of liability set forth in the Agreement.
4. CCPA Service Provider Obligations
To the extent the CCPA applies to Customer Data, Skedron certifies that it:
- Will not sell or share (as defined by the CCPA) Customer Data.
- Will not retain, use, or disclose Customer Data for any purpose other than providing the Service as specified in the Agreement, including for commercial purposes other than providing the Service.
- Will not retain, use, or disclose Customer Data outside of the direct business relationship between Skedron and the Customer.
- Will not combine Customer Data with personal information that it receives from or on behalf of another person or persons, or collects from its own interaction with consumers, except as permitted by the CCPA.
- Will comply with applicable obligations under the CCPA and grant the Customer the right to take reasonable and appropriate steps to ensure that Skedron uses Customer Data in a manner consistent with the Customer's obligations under the CCPA.
- Will notify the Customer if it determines that it can no longer meet its obligations under the CCPA.
5. Obligations of the Controller
Customer represents and warrants that:
- It has a lawful basis for collecting and sharing Personal Data with Skedron, including any required consents from Data Subjects.
- It has provided appropriate privacy notices to Data Subjects regarding the use of Skedron as a service provider, including disclosure of the categories of Personal Data collected and the purposes for which it is used.
- It will comply with all applicable data protection laws in its use of the Service, including the CCPA, TCPA, and any applicable state privacy laws.
- It has obtained proper consent from Data Subjects before sending SMS messages through the Service, in compliance with the TCPA and applicable state laws.
- Its processing instructions to Skedron comply with applicable law.
- It will not submit to the Service any data that it does not have the right to share, including protected health information (PHI) regulated by HIPAA, unless a separate Business Associate Agreement has been executed (which Skedron does not currently offer).
6. Data Subject Rights
6.1 Assistance
Skedron will provide reasonable assistance to the Customer in responding to Data Subject requests to exercise their rights under applicable data protection laws, including rights of access, correction, deletion, and data portability. Skedron will provide such assistance at no additional charge for requests that can be fulfilled using standard Service functionality (e.g., data export or deletion through the platform). For requests requiring significant manual effort beyond standard functionality, Skedron may charge reasonable fees based on time and resources, provided Skedron notifies the Customer of such fees in advance.
6.2 Direct Requests
If Skedron receives a request directly from a Data Subject regarding Customer Data, Skedron will promptly (and in no event later than 5 business days) redirect the Data Subject to the Customer and notify the Customer of the request. Skedron will not respond to Data Subject requests directly without Customer's authorization, unless required by law.
6.3 Deletion Requests
Upon receiving a verified deletion request from the Customer regarding a specific Data Subject, Skedron will delete the relevant Personal Data within 30 days, except where retention is required by applicable law. Skedron will confirm completion of the deletion in writing.
7. Security Incident Response
7.1 Notification
Skedron will notify the Customer of any confirmed Security Incident without undue delay and no later than 72 hours after becoming aware of the incident. Notification will include, to the extent reasonably known at the time:
- A description of the nature of the incident, including the attack vector if known
- The categories and approximate number of Data Subjects affected
- The categories of Personal Data affected
- The likely consequences of the incident
- Measures taken or proposed to address and mitigate the incident
- Contact information for further inquiries
If the full details are not available within 72 hours, Skedron will provide the information in phases without undue delay. Skedron will investigate suspected Security Incidents without undue delay and will not unreasonably delay confirming or denying whether a Security Incident has occurred.
7.2 Cooperation
Skedron will cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of any Security Incident. Skedron will also provide reasonable assistance to the Customer in meeting the Customer's own breach notification obligations under applicable law.
7.3 Notification to Data Subjects
The Customer, as data controller, is responsible for determining whether and how to notify affected Data Subjects of a Security Incident. Skedron will not directly notify Data Subjects unless: (a) the Customer requests Skedron's assistance in doing so; (b) the Customer fails to respond to Skedron's Security Incident notification within 5 business days and applicable law requires notification to affected individuals; or (c) Skedron is independently required to do so by applicable law. In the case of (b), Skedron will make reasonable efforts to contact the Customer through alternative means before issuing any direct notification.
7.4 Unsuccessful Attempts Not a Security Incident
For clarity, an unsuccessful attempt or activity that does not compromise the security, confidentiality, or integrity of Customer Data is not a Security Incident (e.g., unsuccessful login attempts, pings, port scans, denial-of-service attacks that do not result in a breach).
8. Audits and Compliance Verification
8.1 Compliance Documentation
Skedron will, upon Customer's written request, provide reasonable documentation of its security practices and controls. If Skedron obtains third-party audit reports or certifications (such as SOC 2 Type II) in the future, Skedron will make such reports available to Customer subject to confidentiality obligations. Where such reports are available, they shall satisfy the Customer's audit rights under this Section for the period covered by the report.
8.2 Customer Audits
If compliance documentation does not address the Customer's reasonable concerns, Skedron will allow and contribute to audits, including inspections, conducted by the Customer or a third-party auditor mandated by the Customer, provided that:
- The Customer provides at least 30 days' written notice.
- Audits are conducted during normal business hours and no more than once per 12-month period.
- The auditor executes a confidentiality agreement acceptable to Skedron and the audit does not unreasonably disrupt Skedron's operations or compromise the security or privacy of other customers.
- The Customer bears all costs associated with the audit unless the audit reveals a material breach of this DPA by Skedron.
9. Data Transfers
All Customer Data is processed and stored within the United States. Skedron does not transfer Customer Data to other countries. All Sub-processors are based in or process data within the United States. If Skedron needs to transfer Customer Data outside the United States in the future, Skedron will notify the Customer and implement appropriate safeguards before any such transfer.
10. Return and Deletion of Data
10.1 During the Agreement
Customer may export or request deletion of Customer Data at any time during the term of the Agreement by contacting support@skedron.com. Skedron will provide data exports in a structured, commonly used, machine-readable format.
10.2 Upon Termination
Upon termination of the Agreement, Skedron will:
- Continue to make Customer Data available for export for 90 days following termination.
- Permanently delete all Customer Data from active systems within 90 days following termination. Customer Data contained in encrypted backups will be purged as backups cycle out of retention in the ordinary course of Skedron's infrastructure provider's backup schedule, unless retention is required by applicable law.
- Upon request, provide written certification of deletion within 10 business days of completing the deletion.
10.3 Legal Hold Exception
Notwithstanding Sections 10.1 and 10.2, Skedron may retain Customer Data beyond the stated retention periods when required by applicable law, valid legal process, litigation hold, law enforcement preservation request, or regulatory investigation. Skedron will notify the Customer of any such retention requirement to the extent legally permitted. Skedron will resume normal deletion obligations once the legal hold or preservation requirement expires.
11. Law Enforcement and Legal Process
Customer acknowledges and agrees that Skedron may be required or permitted by applicable law to disclose Customer Data to law enforcement authorities, regulatory agencies, or pursuant to legal process. In such circumstances:
- Skedron will notify the Customer of any legal process requiring disclosure of Customer Data, unless notification is prohibited by law or court order, or where notification could compromise a law enforcement investigation.
- Skedron may suspend processing of Customer Data or restrict Customer's access to the Service during an active law enforcement investigation, where required by legal process or where continued access could compromise the investigation or result in destruction of evidence.
- Skedron will not be in breach of this DPA for any actions taken in good faith to comply with applicable law or valid legal process, including data preservation, disclosure, or account suspension.
For clarity, Skedron may also voluntarily report to law enforcement any suspected illegal activity — including suspected human trafficking, exploitation, or fraud — that Skedron becomes aware of in connection with the Service, even absent a subpoena or other legal process. Such reporting does not constitute a breach of this DPA or the confidentiality obligations herein.
12. Liability
Each party's liability under this DPA is subject to the limitations of liability set forth in the Agreement. Nothing in this DPA limits either party's liability for: (a) fraud or fraudulent misrepresentation; (b) death or personal injury caused by negligence; or (c) any liability that cannot be limited by applicable law.
13. Governing Law
This DPA is governed by the laws of the State of Texas, consistent with the governing law provision of the Agreement. Disputes arising under this DPA are subject to the dispute resolution provisions of the Agreement, including the binding arbitration and class action waiver provisions.
14. Conflict and Precedence
In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Customer Data. This DPA is incorporated into and forms part of the Agreement.
15. Contact
For questions about this DPA or to exercise any rights described herein, please contact:
- Email: privacy@skedron.com
- Entity: Skedron LLC
- Country: United States