Data Processing Addendum

Last updated: March 2026

This Data Processing Addendum, including the Standard Contractual Clauses and UK Addendum referenced herein and Exhibits A and B to this addendum ("DPA"), is incorporated into any existing and currently valid Terms of Use (the "Agreement") either previously or concurrently made between you (together with any subsidiaries and affiliated entities, collectively, "Customer") and bookcall, a brand of Kaion Ventures UG, Bethmannstr. 8, 60311 Frankfurt, Germany (together with any subsidiaries and affiliated entities, collectively "bookcall" or "Processor") and sets forth additional terms that apply to the extent any information you provide to bookcall pursuant to the Agreement includes Personal Data (as defined below). This DPA is effective as set forth in bookcall's Terms of Use.

1. Defined Terms

The following definitions are used in this DPA.

1.1 "Authorized Personnel" means (a) bookcall's employees or operators who have a need to know or otherwise access Personal Data for the purposes of performing applicable services; and (b) bookcall's contractors, agents, and auditors who have a need to know or otherwise access Personal Data to enable bookcall to perform its obligations under the Agreement and this DPA, and who are bound in writing by confidentiality and other obligations sufficient to protect Personal Data in accordance with the terms and conditions of this DPA.

1.2 "CCPA" means the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100–1798.199.100, as amended, including by the California Privacy Rights Act of 2020 and its implementing regulations.

1.3 "Customer Data" means information, data, and other content, in any form or medium, that is submitted, posted, or otherwise transmitted by you or on your behalf as a customer or a user through the Services or by or on behalf of your prospects, customers, or other end users of the Services who access the Services for purposes of interacting with you and your users.

1.4 "Data Protection Laws" means all applicable federal, state, and foreign data protection, privacy, and data security laws, as well as applicable regulations and formal directives intended by their nature to have the force of law, all as amended from time to time, including, without limitation, the EU Data Protection Laws, UK Data Protection Laws, the Swiss Data Protection Laws, and the CCPA, but excluding consent decrees.

1.5 "Data Subject" means the individual or consumer to whom Personal Data relates.

1.6 "EU Data Protection Laws" means GDPR together with any applicable implementing legislation or regulations, as well as European Union or Member State laws, as amended from time to time.

1.7 "GDPR" means the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data).

1.8 "Personal Data" means any Customer Data relating to an identified or identifiable natural person that is Processed by bookcall on behalf of Customer in connection with providing the Services to Customer, when such information is protected as "personal data" or "personal information" or a similar term under Data Protection Law(s).

1.9 "Process" or "Processing" means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.

1.10 "Security Breach" means a confirmed breach of bookcall's information security measures leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data covered by this DPA.

1.11 "Services" means the services provided by bookcall to you under the Agreement.

1.12 "Standard Contractual Clauses" or "SCCs" means the model clauses for the transfer of Personal Data to processors established in third countries approved by the European Commission, the approved version of which is set out in the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

1.13 "Swiss Data Protection Laws" means all laws relating to data protection, the Processing of Personal Data, privacy and/or electronic communications in force from time to time in Switzerland, including the Federal Act on Data Protection of June 19, 1992 and its ordinances, and the revised Swiss Federal Act on Data Protection dated 25 September 2020 (collectively, "FADP").

1.14 "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Commissioner under S119A(1) Data Protection Act 2018, Version B1.0, in force 21 March 2022.

1.15 "UK Data Protection Laws" means all laws relating to data protection, the Processing of Personal Data, privacy and/or electronic communications in force from time to time in the United Kingdom, including the United Kingdom GDPR and the Data Protection Act 2018.

1.16 "UK GDPR" means the United Kingdom General Data Protection Regulation, as it forms part of the law of the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018.

1.17 The terms "Processor" and "Controller" shall have the meanings given to them under the applicable Data Protection Law. Any capitalized terms herein that are not defined in this DPA shall have the meanings associated with them in the Agreement and are hereby adopted by reference in this Addendum.

2. Processing and Transfer of Personal Data

2.1 Customer Obligations. Customer is the Controller of Personal Data and shall (a) determine the purpose and essential means of the Processing of Personal Data in accordance with the Agreement; (b) be responsible for the accuracy of Personal Data; and (c) comply with its obligations under Data Protection Laws, including, when applicable, ensuring Customer has a lawful basis to collect Personal Data, providing Data Subjects with any required notices, and/or obtaining the Data Subject's consent to process the Personal Data.

2.2 bookcall Obligations. bookcall is the Processor of Personal Data and shall (a) Process Personal Data on Customer's behalf in accordance with Customer's written instructions (unless waived in a written requirement) provided during the term of this DPA, and (b) comply with its obligations under Data Protection Laws. A description of the processing of Personal Data intended to be carried out under this DPA is set out in Annex 1 of Exhibit A attached hereto. The parties agree that the Agreement, including this DPA, together with Customer's use of the Services in compliance with the Agreement, constitute Customer's complete and final written instructions to bookcall in relation to the Processing of Personal Data, and additional instructions outside the scope of these instructions shall require a prior written and mutually executed agreement between Customer and bookcall. In the event bookcall reasonably believes there is a conflict with any Data Protection Law and Customer's instructions, bookcall will inform Customer promptly and the parties shall cooperate in good faith to resolve the conflict and achieve the goals of such instruction.

2.3 Data Use. bookcall shall not use Personal Data, except for usage of Personal Data pursuant to Customer's instructions, and as necessary to bring and defend claims, to comply with requirements of the legal process, to cooperate with regulatory authorities, and to exercise other similar permissible uses as expressly provided under Data Protection Laws.

2.4 Location of Processing. The parties acknowledge and agree that Processing of Personal Data will occur in the European Union and may also occur in the United States and other jurisdictions outside the residence of a Data Subject through the use of sub-processors listed in Annex III. Customer shall comply with all notice and consent requirements for such transfer and processing to the extent required by Data Protection Laws.

2.5 Return or Destruction of Data. bookcall shall return or securely destroy Personal Data, in accordance with Customer's instructions, upon Customer's request or upon termination of Customer's account(s) unless Personal Data must be retained to comply with applicable law.

3. EU, Swiss and United Kingdom Data Protection Laws

This Section 3 shall apply with respect to Processing of Personal Data when such Processing is subject to the EU Data Protection Laws, Swiss Data Protection Laws, or UK Data Protection Laws.

3.1 Transfers of Personal Data. Customer acknowledges and agrees that certain sub-processors used by bookcall are located in the United States and that Customer's provision of Personal Data from the European Economic Area ("EEA"), Switzerland, or the United Kingdom to bookcall may result in onward transfers of Personal Data to the United States through these sub-processors. All transfers of Customer Personal Data out of the EEA ("EU Personal Data"), Switzerland ("Swiss Personal Data"), or the United Kingdom ("UK Personal Data") to the United States shall be governed by the Standard Contractual Clauses, and the UK Addendum as applicable, as follows:

(a) For such transfers of EU Personal Data or transfers containing Swiss Personal Data that are subject to both EU Data Protection Laws and Swiss Data Protection Laws, Module 2 of the SCCs for Controller to Processor transfers, together with Annexes set out in Exhibit A to this DPA, shall apply and are incorporated into this DPA, and the parties agree that the following terms apply: (i) Clause 7 shall not apply; (ii) Option 2 of Clause 9(a) shall apply with a time period of 30 days in advance; (iii) the optional language in Clause 11(a) shall not apply; (iv) the governing law shall be that of Germany in Clause 17; (v) disputes shall be resolved by the courts of Frankfurt am Main, Germany in Clause 18; and (vi) the annexes are completed in Exhibit A to this DPA.

(b) For such transfers of only Swiss Personal Data, Module 2 of the SCCs for Controller to Processor transfers, together with Annexes set out in Exhibit A to this DPA, shall apply and are incorporated into this DPA, and the parties agree that the following terms apply: (i) Clause 7 shall not apply; (ii) Option 2 of Clause 9(a) shall apply with a time period of 30 days in advance; (iii) the optional language in Clause 11(a) shall not apply; (iv) the competent supervisory authority in Annex I.C under Clause 13 shall be the Federal Data Protection and Information Commissioner; (v) the governing law shall be that of Switzerland in Clause 17; (vi) disputes shall be resolved by the courts of Switzerland in Clause 18; (vii) the annexes are completed in Exhibit A to this DPA; and (viii) any references to the GDPR are to be understood as references to the FADP.

(c) For transfers of Swiss Personal Data subject to Sections 3.1(a) and 3.1(b) of this DPA, the term "member state" shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in Switzerland in accordance with Clause 18(c).

(d) For such transfers of UK Personal Data, Module 2 of the SCCs shall apply as set forth in subsection 3.1(a) above, and the UK Addendum as set out in Exhibit B to this DPA shall apply and is incorporated into this DPA.

3.2 GDPR and UK GDPR Obligations. bookcall shall: (a) assist Customer, to a reasonable extent, in complying with its obligations with respect to EU Personal Data pursuant to Articles 32 to 36 of GDPR (or their equivalent under UK Data Protection Laws for UK Personal Data); (b) maintain a record of all categories of Processing activities carried out on behalf of Customer in accordance with Article 30(2) of the GDPR (or their equivalent under UK Data Protection Laws for UK Personal Data); and (c) cooperate, on request, with an EU, German, or UK supervisory authority regarding the performance of the Services.

4. Sub-processors

4.1 Sub-processor List. Customer consents to bookcall's use of the sub-processors set out in Annex III of Exhibit A attached hereto. bookcall may update its list of sub-processors from time to time, and shall make available any updates to such list at https://bookcall.io/privacy.

4.2 Notification of Changes. bookcall shall provide Customer with at least 30 days' prior written notice of any intended addition or replacement of sub-processors, thereby giving Customer the opportunity to object to such changes. If Customer reasonably objects to a new sub-processor on data protection grounds, the parties shall discuss and attempt to resolve the concern in good faith. If the parties cannot reach a resolution, Customer may terminate the Agreement by providing written notice.

4.3 Sub-processor Obligations. bookcall shall ensure that any sub-processor it engages to Process Personal Data on its behalf agrees in writing to data protection obligations no less protective than those set forth in this DPA.

5. Customer Representation and Warranty

Customer represents and warrants on behalf of itself and its employees that the Personal Data provided to bookcall for processing under the Agreement and this DPA is collected and/or validly obtained and utilized by Customer and its employees in compliance with all Data Protection Laws, including without limitation the disclosure, informed affirmative consent, and targeted advertising provisions of Data Protection Laws, including without limitation Chapter II of the GDPR, and Customer shall defend, indemnify, and hold harmless bookcall from and against all loss, expense (including reasonable out-of-pocket attorneys' fees and court costs), damage, or liability arising out of any claim arising out of a breach of this Section 5.

6. Data Protection

6.1 Data Security. bookcall will utilize commercially reasonable efforts to protect the security, confidentiality, and integrity of the Personal Data transferred to it using reasonable administrative, physical, and technical safeguards. Notwithstanding the generality of the foregoing, bookcall shall: (a) employ reasonable administrative, physical, and technical safeguards to afford protection of the Personal Data in accordance with Data Protection Laws as would be appropriate based on the nature of the Personal Data; (b) utilize commercially reasonable efforts to keep the Personal Data reasonably secure and in an encrypted form, and use industry standard security practices and systems applicable to the use of Personal Data to prevent, and take prompt and proper remedial action against unauthorized access, copying, modification, storage, reproduction, display, or distribution of Personal Data; and (c) cease to retain documents containing Personal Data, or remove the means by which Personal Data can be associated with particular individuals, reasonably promptly after it is reasonable to assume that the specified purposes are no longer being served by bookcall's retention of Personal Data and retention is no longer necessary for legal or business purposes.

6.2 Authorized Personnel. bookcall shall ensure that Authorized Personnel have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality with obligations at least as restrictive as those contained in this DPA.

6.3 Security Breaches. After confirmation of a Security Breach, (a) bookcall will promptly: (i) notify Customer of the Security Breach without undue delay and in any event within 72 hours of becoming aware of it; (ii) investigate the Security Breach; (iii) provide Customer with necessary details about the Security Breach as required by applicable law; and (iv) take reasonable actions to prevent a recurrence of the Security Breach; and (b) bookcall agrees to cooperate in Customer's handling of the matter by: (i) providing reasonable assistance with Customer's investigation; and (ii) making available relevant records and other materials related to the Security Breach's effects on Customer, as required to comply with Data Protection Laws.

7. Assistance

7.1 Processor Assistance. Upon Customer's written request, bookcall shall provide reasonable assistance to Customer as necessary in order to assist Customer with meeting its obligations under Data Protection Laws, including by providing information to bookcall about bookcall's technical and organizational security measures, and as needed to complete data protection impact assessments.

7.2 Data Subject Requests. bookcall shall reasonably assist Customer with the fulfilment of Customer's obligations to Data Subjects exercising rights afforded by Data Protection Laws, with respect to Personal Data in the event that Customer cannot act on such request without bookcall's assistance. If a Data Subject makes a request to bookcall to exercise a right with respect to his or her Personal Data of which Customer is the Controller, bookcall will promptly inform Customer of the request, and will advise the Data Subject to submit their request directly to Customer. Customer will be responsible for addressing such request.

8. Audits

Within thirty (30) days of Customer's written request, and no more than once annually and subject to the confidentiality obligations set forth in the Agreement, bookcall shall make available to Customer (or a mutually agreed upon third-party auditor) information reasonably necessary to demonstrate bookcall's compliance with the obligations set forth in this DPA.

9. Miscellaneous

9.1 Conflict. In the event of any conflict or inconsistency between this DPA and Data Protection Laws, Data Protection Laws shall prevail. In the event of any conflict or inconsistency between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall prevail solely to the extent that the subject matter concerns the Processing of Personal Data.

9.2 Amendments. This DPA shall not be modified except in accordance with the terms set out in the Agreement for modification. To the extent that it is determined by any data protection authority that the Agreement or this DPA is insufficient to comply with Data Protection Laws or changes to Data Protection Laws, Customer and bookcall agree to cooperate in good faith to amend the Agreement or this DPA or enter into further mutually agreeable data processing agreements in an effort to comply with all Data Protection Laws.

9.3 Liability. Each Party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations of liability contained in the Agreement. For the avoidance of doubt, each reference herein to the "DPA" means this DPA including its exhibits and appendices.

9.4 Governing Law. This DPA shall be governed by and construed in accordance with the laws of the Federal Republic of Germany, without regard to its conflict of law provisions, unless a different governing law is mandated by applicable Data Protection Laws (in which case that law shall apply to the extent required).

9.5 Entire Agreement. This DPA is without prejudice to the rights and obligations of the parties under the Agreement which shall continue to have full force and effect. This DPA, together with the Agreement, is the final, complete, and exclusive agreement of the Parties with respect to the subject matter hereof and supersedes and merges all prior discussions and agreements between the parties with respect to such subject matter.

Exhibit A: Standard Contractual Clauses

This Annex forms part of the Standard Contractual Clauses.

Annex I

A. List of Parties

Data exporter:

The data exporter is Customer. Address: the Customer's address set out in the Agreement. Contact person's name, position, and contact details: the Customer's contact details as set out in the Agreement or account registration. Activities relevant to the data transferred under these Clauses: activities necessary to provide the Services described in the Agreement. Signature and date: Customer is deemed to have signed this Annex I by accepting bookcall's Terms of Use.

Data importer:

The data importer is bookcall. Address: Bethmannstr. 8, 60311 Frankfurt, Germany. Contact person: Christian Schulze, Data Protection Contact, privacy@bookcall.io. Activities relevant to the data transferred under these Clauses: activities necessary to provide the Services described in the Agreement. Signature and date: bookcall is deemed to have signed this Annex I by publishing this DPA.

B. Description of Transfer

Categories of data subjects whose personal data is transferred:

Data exporter may submit Personal Data to bookcall, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of data subjects:

  • The data exporter's end users, including employees, contractors, representatives, business partners, collaborators, and customers.
  • Persons with whom data exporter is scheduling appointments through use of data importer's Services, which may include its representatives, business partners, collaborators, customers, and potential customers ("Guests").

Categories of personal data transferred:

  • First and last name
  • Email address
  • Phone number (if provided via booking form)
  • Company or organization name
  • Job title or role
  • Calendar availability data (event titles, times, and durations synced from connected calendars)
  • Booking and scheduling data (meeting times, meeting types, booking form responses)
  • Video call metadata (meeting links, call duration, connection data)
  • Booking page analytics data (page views, link clicks, visitor metadata)
  • IP address and browser/device information
  • Communication data (booking confirmations, reminders, notification content)
  • Any additional data provided by the data exporter or Guests through custom booking form fields

Sensitive data transferred (if applicable): None anticipated. Customer shall not submit sensitive or special category data unless expressly agreed in writing.

The frequency of the transfer: Continuous, for the duration of the Agreement.

Nature of the processing: The processing may include collection, storage, retrieval, consultation, use, erasure or destruction, disclosure by transmission, dissemination, or otherwise making available data exporter's data as necessary to provide the Services in accordance with the data exporter's instructions, including related internal purposes (such as quality control, troubleshooting, and product improvement).

Purpose(s) of the data transfer and further processing:

  • Providing and maintaining the scheduling and booking platform
  • Sending booking confirmations, reminders, and notifications
  • Syncing with connected calendars and video conferencing tools
  • Providing booking page analytics
  • Providing customer support
  • Ensuring the proper functioning and security of the Services

Period of retention: Personal data is retained for so long as is reasonably necessary to fulfil the purposes for which the data was collected, to perform our contractual and legal obligations, and for any applicable statute of limitations periods for the purposes of bringing and defending claims. Upon termination of the Agreement, Personal Data shall be deleted or returned in accordance with Section 2.5 of this DPA.

For transfers to sub-processors, also specify subject matter, nature, and duration of the processing: The subject matter and nature of the processing by sub-processors is as set out in Annex III to this DPA. The duration of the processing by sub-processors shall be for so long as data importer provides the Services under the Agreement to data exporter.

C. Competent Supervisory Authority

Where the EU GDPR applies, the competent supervisory authority shall be the Hessischer Beauftragter für Datenschutz und Informationsfreiheit (Hessian Data Protection Commissioner), Germany. Where the UK GDPR applies, the competent supervisory authority shall be the UK Information Commissioner's Office (ICO).

Annex II: Technical and Organizational Measures

bookcall maintains the following technical and organizational measures for the protection of the security, confidentiality, and integrity of Personal Data:

  • Encryption in transit: All data transmitted between users and bookcall's services is encrypted using TLS 1.2 or higher.
  • Encryption at rest: Customer data stored in our database (Supabase) is encrypted at rest.
  • Access controls: Access to production systems and Personal Data is restricted to Authorized Personnel on a need-to-know basis.
  • Authentication: User accounts are secured via authentication services provided by Supabase, with support for secure password policies.
  • Infrastructure security: The application is hosted on Cloudflare, which provides DDoS protection, WAF (Web Application Firewall), and CDN services. Database services are provided by Supabase with enterprise-grade infrastructure security.
  • Sub-processor diligence: bookcall maintains contractual relationships with sub-processors and relies on their compliance programs, privacy policies, and contractual obligations to protect data.
  • Incident response: bookcall maintains procedures for detecting, investigating, and responding to security incidents, including breach notification processes as described in Section 6.3 of this DPA.
  • Data minimization: bookcall collects and processes only the minimum Personal Data necessary to provide the Services.
  • Confidentiality obligations: All personnel with access to Personal Data are bound by confidentiality obligations.

Annex III: Sub-processors

By entering into this DPA, the Customer has authorized the use of the following sub-processors:

| Sub-processor | Purpose | Location |
| Cloudflare, Inc. | Hosting, CDN, DNS, security (WAF, DDoS protection) | USA (with global edge network) |
| Supabase, Inc. | Database, authentication, data storage | USA (EU hosting available) |
| Resend, Inc. | Transactional email delivery (confirmations, reminders, notifications) | USA |
| Loops, Inc. | Marketing emails and product updates | USA |
| Crisp IM SAS | Live chat customer support | France (EU) |
| PostHog, Inc. | Product analytics (anonymized usage data, EU-hosted) | EU |
| Polar Software, Inc. | Payment processing and subscription billing | USA |

Additional sub-processors may be used for optional third-party integrations activated by Customer, including Google (Calendar, Meet), Microsoft (Outlook, Teams), Apple (iCloud Calendar), and Zoom. These are only engaged when Customer explicitly connects the relevant integration.

An up-to-date list of sub-processors is maintained at https://bookcall.io/privacy.

Exhibit B: UK Addendum

Standard Data Protection Clauses to be issued by the Commissioner under S119A(1) Data Protection Act 2018.

International Data Transfer Addendum to the EU Commission Standard Contractual Clauses.

VERSION B1.0, in force 21 March 2022

This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

Part 1: Tables

Table 1: Parties

| | Exporter | Importer |
| Full legal name | As set out in Annex I of Exhibit A | bookcall (a brand of Kaion Ventures UG) |
| Main address | As set out in Annex I of Exhibit A | Bethmannstr. 8, 60311 Frankfurt, Germany |
| Contact details | As set out in Annex I of Exhibit A | Christian Schulze, privacy@bookcall.io |
| Signature | Deemed signed by accepting bookcall's Terms of Use | Deemed signed by publishing this DPA |

Table 2: Selected SCCs, Modules, and Selected Clauses

The version of the Approved EU SCCs which this Addendum is appended to is as set out in Exhibit A of this DPA (Module 2: Controller to Processor).

Table 3: Appendix Information

  • Annex 1A (List of Parties): As set out in Annex I of Exhibit A
  • Annex 1B (Description of Transfer): As set out in Annex I of Exhibit A
  • Annex II (Technical and organisational measures): As set out in Annex II of Exhibit A
  • Annex III (List of Sub-processors): As set out in Annex III of Exhibit A

Table 4: Ending this Addendum when the Approved Addendum Changes

Which Parties may end this Addendum as set out in Section 19: Importer and Exporter.

Part 2: Mandatory Clauses

Mandatory Clauses of the Approved Addendum, being the template Addendum B1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.

Contact

For questions about this DPA or to exercise any rights under it, please contact:

bookcall — Data Protection
Christian Schulze
Bethmannstr. 8
60311 Frankfurt, Germany
Email: privacy@bookcall.io