Data Processing Agreement
Last updated: April 12, 2026
This Data Processing Agreement ("DPA") forms part of, and is incorporated into, the Terms of Service ("Agreement") between the customer entity that has accepted the Agreement ("Controller" or "Customer") and Respondo ("Processor"). This DPA governs the processing of personal data by Respondo on behalf of the Customer in connection with the provision of the Respondo platform and related services (the "Service").
1. Parties
This DPA is entered into between:
- Data Controller: the Customer — the service business (salon, spa, clinic, or similar establishment) that has subscribed to Respondo and determines the purposes and means of processing personal data in connection with its own business operations.
- Data Processor: Respondo — the company that operates the Respondo platform and processes personal data solely on the documented instructions of the Controller for the purpose of delivering the Service.
This DPA supplements and is subject to the Agreement. In the event of a conflict between this DPA and the Agreement with respect to data protection matters, this DPA shall prevail.
2. Definitions
For the purposes of this DPA, the following terms shall have the meanings set out below:
- "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"), as defined in Article 4(1) of the GDPR.
- "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, as defined in Article 4(2) of the GDPR.
- "Data Subject" means the natural person to whom Personal Data relates, including the Customer's end-clients, patients, and members of staff.
- "Sub-processor" means any third party engaged by Respondo to process Personal Data on behalf of the Controller.
- "Supervisory Authority" means the competent data protection authority in the relevant jurisdiction, including the Agencia Española de Protección de Datos (AEPD) in Spain.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation).
- "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including the GDPR and its national implementing legislation, and any successor legislation thereto.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission pursuant to Article 46(2)(c) of the GDPR.
3. Scope and Purpose of Processing
Respondo processes Personal Data solely for the purpose of providing the Service to the Customer and in accordance with the Customer's documented instructions as set out in the Agreement and this DPA. The subject matter and nature of the processing activities include:
- Client management: storing and managing contact records for the Customer's end-clients and patients.
- Appointment scheduling: creating, updating, and tracking appointment data on behalf of the Customer.
- SMS and voice communications: transmitting automated and manual SMS messages and managing call forwarding on behalf of the Customer.
- AI-assisted clinical notes and summaries: where the Customer has enabled this feature, generating and storing clinical notes and AI-produced summaries from session data provided by the Customer.
- Platform administration: user authentication, billing management, and related operational tasks necessary to deliver the Service.
Duration: Respondo will process Personal Data for the duration of the Agreement between the parties, unless otherwise required by applicable law or agreed in writing.
Respondo shall not process Personal Data for any purpose other than those specified in this DPA without prior written consent of the Controller. Respondo shall promptly inform the Controller if, in its opinion, an instruction given by the Controller infringes any applicable Data Protection Laws.
4. Types of Personal Data Processed
Depending on how the Customer uses the Service, Respondo may process the following categories of Personal Data:
- Contact information: full names, email addresses, telephone numbers.
- Appointment data: dates, times, service types, and appointment history.
- Communication content: SMS message bodies, call recordings (where enabled by the Customer), and messaging history.
- Clinical notes: session notes, follow-up instructions, AI-generated summaries of appointments — only where the Customer has activated the clinical notes feature and is responsible for ensuring an appropriate legal basis under Article 9 GDPR for any health-related data.
- Billing references: subscription identifiers and limited payment metadata as required for invoicing and account management (full payment card data is processed exclusively by our payment Sub-processor, Stripe, and never stored by Respondo).
5. Categories of Data Subjects
The Personal Data processed by Respondo under this DPA relates to the following categories of Data Subjects:
- Customer's employees and staff: practitioners, therapists, front-desk personnel, and other individuals employed or engaged by the Customer who access or are referenced within the Service.
- Customer's end-clients and patients: individuals who are or have been clients or patients of the Customer's business and whose data is entered into the Service by the Customer.
6. Obligations of the Processor (Respondo)
Respondo, in its capacity as Data Processor, undertakes the following obligations:
- Process only on instructions: process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law.
- Confidentiality: ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Security measures: implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR (see Section 10 of this DPA).
- Sub-processor obligations: impose on any Sub-processor the same data protection obligations as set out in this DPA before engaging them to process Personal Data on behalf of the Controller.
- Assistance with Data Subject Rights: taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures in fulfilling the Controller's obligations to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR.
- Assistance with compliance obligations: assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Respondo.
- Breach notification: notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach (see Section 11 of this DPA).
- Deletion or return of data: at the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of the Service, and delete existing copies unless applicable law requires storage of the Personal Data (see Section 15 of this DPA).
- Audit cooperation: make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller (see Section 14 of this DPA).
7. Obligations of the Controller (Customer)
The Controller, in its use of the Service, undertakes the following obligations:
- Lawful basis: ensure that it has a valid lawful basis for each processing activity it instructs Respondo to carry out, and that such basis is documented and maintained throughout the term of the Agreement.
- Consent for special category data: where the Customer enables features that involve the processing of special categories of Personal Data under Article 9 GDPR (including health and clinical data), the Customer is solely responsible for obtaining and maintaining the explicit consent of the relevant Data Subjects, or for establishing and documenting another applicable legal basis.
- Transparency to Data Subjects: provide clear and transparent privacy information to Data Subjects in accordance with Articles 13 and 14 of the GDPR, including information about the use of Respondo as a data processor.
- Instructions: provide clear, lawful, and documented instructions to Respondo regarding the processing of Personal Data. The Customer shall not instruct Respondo to process Personal Data in a manner that would infringe Data Protection Laws.
- Notification of restrictions: promptly notify Respondo of any restrictions or special requirements applicable to the processing of specific Personal Data that Respondo needs to be aware of.
- Accuracy: ensure that Personal Data entered into the Service is accurate and kept up to date, and that Data Subjects are informed of their right to request rectification.
8. Sub-processors
The Controller grants Respondo general written authorisation to engage Sub-processors to assist in the provision of the Service. Respondo shall impose appropriate data protection obligations on each Sub-processor and shall remain liable to the Controller for the acts and omissions of its Sub-processors to the extent that Respondo would itself be liable under this DPA.
An up-to-date list of authorised Sub-processors is maintained at /legal/sub-processors. The current authorised Sub-processors are:
- Clerk — User authentication and identity management. Registered in the United Kingdom.
- Supabase — Database hosting and storage. Data hosted in the EU (Dublin, Ireland, AWS eu-west-1).
- Stripe — Payment processing and subscription billing. Headquartered in the United States.
- Twilio — SMS messaging and voice communications. Headquartered in the United States.
- Anthropic — AI language model inference for clinical note generation and summaries. Headquartered in the United States.
- OpenAI — Audio transcription services (Whisper API). Headquartered in the United States.
- Vercel — Application hosting and edge network. Infrastructure in the United States and the European Union.
Respondo shall give the Controller at least 30 days' advance written notice of any intended changes to this list, whether by adding or replacing Sub-processors. The Controller may object to such changes on reasonable grounds relating to data protection by notifying Respondo in writing within the 30-day notice period. If the Controller objects and Respondo is unable to accommodate the objection, the Controller may terminate the Agreement on written notice, subject to the terms of the Agreement.
9. International Data Transfers
Some of the Sub-processors listed in Section 8 are established outside the European Economic Area ("EEA"). Where Respondo transfers Personal Data to a Sub-processor located in a country that has not been the subject of an adequacy decision by the European Commission under Article 45 of the GDPR, Respondo ensures that such transfers are subject to appropriate safeguards pursuant to Article 46 of the GDPR, specifically:
- Standard Contractual Clauses (SCCs): transfers are governed by the Standard Contractual Clauses adopted by the European Commission pursuant to Article 46(2)(c) of the GDPR (Commission Implementing Decision (EU) 2021/914 or any successor decision).
- Sub-processor obligations: Respondo requires all Sub-processors processing Personal Data outside the EEA to maintain appropriate supplementary technical and organisational safeguards consistent with the European Data Protection Board's recommendations on measures that supplement transfer tools.
The Controller acknowledges and accepts that use of the Service requires the international transfers described above and instructs Respondo to carry out such transfers. The Controller may request copies of the applicable SCCs by contacting Respondo at privacy@hectormoyanovelez.com.
10. Security Measures (Annex II)
Respondo implements and maintains the following technical and organisational security measures in accordance with Article 32 of the GDPR to ensure a level of security appropriate to the risk:
- Encryption in transit: all data transmitted between clients and Respondo's infrastructure is encrypted using TLS 1.3 or higher. Unencrypted HTTP connections are automatically redirected to HTTPS.
- Encryption at rest: all Personal Data stored at rest is encrypted using AES-256 encryption at the database and storage layer.
- Access controls: role-based access control (RBAC) limits employee access to Personal Data to those with a legitimate need. Multi-factor authentication (MFA) is enforced for all internal administrative access to production systems.
- Tenant isolation: Respondo employs Row Level Security (RLS) policies at the database layer to ensure strict data isolation between Customer tenants. No Customer can access another Customer's data through the application.
- Regular backups: Personal Data is backed up on a regular schedule with point-in-time recovery capabilities. Backups are encrypted and stored in geographically redundant locations.
- Incident response: Respondo maintains a documented incident response procedure, including detection, containment, eradication, and recovery processes, as well as breach notification obligations as set out in Section 11.
- Employee training and confidentiality: all Respondo personnel with access to Personal Data receive data protection training and are bound by contractual confidentiality obligations.
- Vulnerability management: Respondo regularly reviews dependencies for known vulnerabilities and applies security patches on a risk-based prioritisation basis.
- Logging and monitoring: access to production systems is logged and monitored for anomalous activity. Logs are retained for a minimum of 90 days.
Respondo reviews and updates these measures periodically and in response to changes in the threat landscape or processing activities.
11. Data Breach Notification
In the event that Respondo becomes aware of a Personal Data breach affecting Personal Data processed on behalf of the Controller, Respondo shall:
- Notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
- Provide the Controller, to the extent known at the time, with the following information:
  - the nature of the Personal Data breach, including the categories and approximate number of Data Subjects concerned;
  - the categories and approximate number of Personal Data records concerned;
  - the name and contact details of Respondo's data protection contact;
  - the likely consequences of the Personal Data breach;
  - the measures taken or proposed to be taken by Respondo to address the breach, including to mitigate its possible adverse effects.
- Cooperate with the Controller and take such reasonable steps as directed by the Controller to assist in the investigation, mitigation, and remediation of each such breach.
Where it is not possible to provide all of the above information in the initial notification, Respondo shall provide it in phases without further undue delay. Notification of a breach by Respondo shall not be construed as an acknowledgement of fault or liability.
The Controller is solely responsible for determining whether it is required to notify the relevant Supervisory Authority or affected Data Subjects and for making any such notifications in accordance with applicable Data Protection Laws.
12. Data Subject Rights
Respondo shall assist the Controller in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR, including:
- Right of access (Article 15): the right to obtain a copy of Personal Data held by the Controller.
- Right to rectification (Article 16): the right to have inaccurate Personal Data corrected.
- Right to erasure (Article 17): the right to have Personal Data deleted ("right to be forgotten").
- Right to data portability (Article 20): the right to receive Personal Data in a structured, commonly used, machine-readable format.
- Right to restriction of processing (Article 18): the right to restrict how Personal Data is processed.
- Right to object (Article 21): the right to object to the processing of Personal Data.
Where a Data Subject submits a request directly to Respondo, Respondo shall promptly forward the request to the Controller. The Controller is responsible for responding to Data Subject requests within the timeframes required by applicable Data Protection Laws. Respondo will provide reasonable technical assistance to the Controller in responding to verified requests within a mutually agreed timeframe.
13. Data Protection Impact Assessments
Where the Controller determines, or Respondo reasonably believes, that a particular processing activity is likely to result in a high risk to the rights and freedoms of natural persons, Respondo shall provide reasonable assistance to the Controller in carrying out a Data Protection Impact Assessment ("DPIA") pursuant to Article 35 of the GDPR.
Respondo acknowledges that the processing of clinical and health-related data (including session notes and AI-generated summaries) may constitute high-risk processing and will proactively cooperate with the Controller in any DPIA process relating to such processing. This includes providing relevant information about its processing activities, security measures, Sub-processors, and data flows upon request.
Where a DPIA indicates that processing would result in a high residual risk that cannot be mitigated, and consultation with the Supervisory Authority is required under Article 36 of the GDPR, Respondo shall cooperate with the Controller in that consultation process.
14. Audit Rights
The Controller, or an independent third-party auditor mandated by the Controller, may audit Respondo's compliance with the obligations set out in this DPA, subject to the following conditions:
- The Controller shall provide Respondo with at least 30 days' prior written notice of any intended audit, specifying the scope and purpose.
- Audits shall be conducted during normal business hours, in a manner that minimises disruption to Respondo's business operations, and no more than once per calendar year unless a confirmed security incident justifies additional review.
- Any auditor appointed by the Controller must be bound by appropriate confidentiality obligations and must not be a competitor of Respondo.
- As an alternative to an on-site audit, Respondo may satisfy the Controller's audit rights by providing relevant third-party audit reports, including SOC 2 Type II reports or equivalent certifications, subject to appropriate confidentiality undertakings.
- The Controller shall bear all costs associated with any audit it initiates unless the audit reveals a material breach of this DPA by Respondo.
15. Term and Termination
This DPA shall remain in effect for the duration of the Agreement between the parties. Upon termination or expiry of the Agreement for any reason, Respondo shall, at the Controller's written election:
- Delete all Personal Data processed under this DPA within 30 calendar days of the termination date; or
- Return all Personal Data to the Controller in a structured, machine-readable format, and thereafter securely delete all copies, within the same 30-day period.
Notwithstanding the above, Respondo may retain Personal Data for longer periods where required by applicable EU or Spanish law (including tax, accounting, or regulatory obligations), provided that Respondo shall continue to protect such retained data in accordance with this DPA and shall not process it for any other purpose.
Respondo shall provide the Controller with written confirmation of deletion upon request.
16. Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the laws of Spain. Any dispute arising out of or in connection with this DPA, including any question regarding its existence, validity, or termination, shall be subject to the exclusive jurisdiction of the courts of Madrid, Spain.
Nothing in this clause shall limit the rights of any Data Subject to bring a claim before the competent Supervisory Authority, including the Agencia Española de Protección de Datos (AEPD), or before the courts of the member state in which the Data Subject has their habitual residence.
17. Contact
For any questions, requests, or notices relating to this DPA, including requests to exercise Data Subject rights, breach notifications, or audit enquiries, please contact Respondo at:
Email: privacy@hectormoyanovelez.com
Respondo will acknowledge all DPA-related enquiries within 5 business days and provide a substantive response within the timeframes required by applicable Data Protection Laws.