Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Yoga Bible ApS ("Processor", "BOOKING BIBLE") and the studio operator ("Controller", "Operator") using the Booking Bible platform.

This DPA is entered into in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applies to the processing of personal data by the Processor on behalf of the Controller.

1. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person processed through the Service.
• "Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
• "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
• "Data Subject" means the individual whose Personal Data is being processed (typically the Operator's members and staff).

2. Scope of Processing

Subject Matter

Processing of member and staff personal data to provide the BOOKING BIBLE studio management platform.

Duration

Processing continues for the term of the Operator's subscription plus a 30-day data retention period after termination.

Categories of Data Subjects

• Studio members and customers
• Studio staff and instructors
• Guest visitors and leads

Types of Personal Data

• Identity data (name, email, phone, date of birth)
• Booking and attendance records
• Payment references (Stripe customer IDs, transaction records)
• Health questionnaire responses (special category data)
• Communication preferences and engagement data
• Technical data (IP addresses, device information)

3. Obligations of the Processor

The Processor shall:

• Process Personal Data only on documented instructions from the Controller, unless required by EU or member state law.
• Ensure that persons authorized to process Personal Data have committed themselves to confidentiality.
• Implement appropriate technical and organizational security measures as described in Section 5.
• Not engage another processor (sub-processor) without prior written authorization of the Controller, as detailed in Section 6.
• Assist the Controller in responding to Data Subject requests.
• Assist the Controller in ensuring compliance with obligations regarding data breach notification, data protection impact assessments, and prior consultation.
• At the Controller's choice, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless EU or member state law requires storage.
• Make available to the Controller all information necessary to demonstrate compliance with this DPA.

4. Obligations of the Controller

The Controller shall:

• Ensure that its instructions for the processing of Personal Data comply with applicable data protection laws.
• Obtain all necessary consents from Data Subjects for the processing of their data, particularly for special category data (health questionnaires).
• Maintain appropriate privacy notices for its members and staff.
• Notify the Processor promptly of any Data Subject requests that require the Processor's assistance.

5. Security Measures

The Processor implements the following technical and organizational measures:

• Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256).
• Access control: Role-based access with row-level security (RLS) enforcing organization data isolation.
• Authentication: Secure authentication via Supabase Auth with support for MFA.
• Audit logging: All administrative actions are logged with user, timestamp, and change details.
• Backup: Automated daily backups with point-in-time recovery.
• Monitoring: Error tracking (Sentry) and uptime monitoring.
• Incident response: Defined incident response procedure with 72-hour breach notification.

6. Sub-processors

The Controller provides general written authorization for the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object within 14 days.

Current Sub-processors

For sub-processors located outside the EU/EEA, appropriate safeguards are in place through Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914).

7. Data Breach Notification

The Processor shall notify the Controller without undue delay (and in any event within 48 hours) after becoming aware of a personal data breach. The notification shall include:

• The nature of the breach, including categories and approximate number of data subjects affected.
• The name and contact details of the data protection officer or other contact point.
• A description of the likely consequences of the breach.
• A description of the measures taken or proposed to address the breach.

8. International Transfers

Where Personal Data is transferred to sub-processors outside the EU/EEA, the Processor ensures that such transfers are subject to appropriate safeguards in accordance with Chapter V of the GDPR, including Standard Contractual Clauses (Module 3: Processor to Sub-processor) and supplementary measures where required.

9. Audits

The Controller has the right to conduct audits, including inspections, to verify the Processor's compliance with this DPA. The Processor shall cooperate with such audits and provide reasonable access to relevant facilities, systems, and documentation. Audits shall be conducted with reasonable advance notice (minimum 30 days) and shall not unreasonably disrupt the Processor's operations.

10. Governing Law

This DPA is governed by the laws of Denmark and subject to the jurisdiction of the City Court of Copenhagen (Københavns Byret).

11. Contact

For questions about this DPA or to request changes, contact:

Data Protection Officer
Yoga Bible ApS
Torvegade 66
1400 Copenhagen K, Denmark
Email: dpo@bookingbible.com