Data Processing Agreement (DPA)
Last updated: January 25, 2025
Version: 1.0
PREAMBLE
This Data Processing Agreement (hereinafter "DPA" or "Agreement") is entered into in accordance with Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (hereinafter "GDPR").
This DPA supplements and forms an integral part of the Timeblu Terms of Service.
1. PARTIES
1.1 DATA PROCESSOR
Contact email: dpa@timeblu.com
Hereinafter, the "Processor" or "Timeblu".
1.2 DATA CONTROLLER
The Customer who contracts the Timeblu service, whose identification data appears in their user account and in issued invoices.
Hereinafter, the "Controller" or the "Customer".
1.3 RELATIONSHIP BETWEEN THE PARTIES
- The Controller (Customer) determines the purposes and means of processing personal data of their end clients
- The Processor (Timeblu) processes personal data on behalf of the Controller, following their documented instructions
- This DPA governs the conditions, rights, and obligations of both parties
2. SUBJECT MATTER AND DURATION OF PROCESSING
2.1 Subject Matter
The Processor agrees to process, on behalf of the Controller, the personal data necessary to provide the scheduling and client management software service described in the Terms of Service.
2.2 Duration
This DPA enters into force on the date of acceptance of the Terms of Service and remains in effect for the duration of the contractual relationship between the parties.
2.3 Termination
Data processing on behalf of the Controller will end when:
- The Customer cancels their Timeblu account
- The service agreement ends for any reason
- The Controller requests data deletion
3. DESCRIPTION OF PROCESSING
3.1 Nature of Processing
The Processor will perform the following processing operations:
- Storage of data in secure databases
- Consultation and visualization of data by the Controller
- Modification of data according to Controller's instructions
- Organization and structuring of data
- Retention through backups
- Deletion when the Controller requests or at the end of service
- Export of data in structured formats (CSV, JSON)
3.2 Purpose of Processing
Data is processed solely to:
- Allow the Controller to manage their professional schedule
- Store contact information for the Controller's clients
- Organize appointments and events for the Controller
- Provide search, filtering, and export functionalities
The Processor CANNOT use the Controller's data for any other purpose, including its own marketing, aggregated analysis, or AI model training.
3.3 Categories of Data Subjects
The personal data processed corresponds to:
- Controller's end clients: Natural persons whose data is entered by the Controller in Timeblu (their business clients, patients, users, etc.)
3.4 Types of Personal Data
The Controller may enter the following categories of data:
- Identification data: Name, surname
- Contact data: Phone, email, postal address
- Commercial interaction data: Appointment dates, service history, notes about preferences or interactions (in free-text fields)
IMPORTANT - Prohibition of Special Category Data:
The Controller agrees NOT to enter special category data according to Article 9 of GDPR:
- Health-related data
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic or biometric data intended to uniquely identify a natural person
- Data concerning sex life or sexual orientation
If the Controller enters special category data in Timeblu (especially in free-text note fields), they do so under their sole responsibility and must obtain explicit consent from the data subjects and comply with the requirements of Article 9 GDPR.
The Processor cannot control content entered in free-text fields, so it assumes no responsibility for the processing of special category data that the Controller may include.
4. PROCESSOR OBLIGATIONS
The Processor agrees to:
4.1 Processing According to Instructions
- Process personal data only following the Controller's documented instructions, as established in this DPA and the Terms of Service
- Not use the data for any purpose of its own
- Immediately inform the Controller if it considers that an instruction violates GDPR or other data protection regulations
4.2 Confidentiality
- Ensure that persons authorized to process personal data commit to respecting confidentiality
- Ensure that staff with access to personal data have received adequate data protection training
- Maintain data confidentiality even after service termination
4.3 Security Measures
Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
Technical measures:
- Encryption: HTTPS for all communications, data encrypted in database (AES-256)
- Pseudonymization: Separation of identifying data from metadata when possible
- Access control: Robust authentication, two-factor authentication available
- Data segregation: Multi-tenant architecture with Row Level Security (RLS), each Controller only accesses their data
- Backups: Automatic daily backups, encrypted, with 30-day retention
- Security testing: Periodic vulnerability reviews
- Audit logs: Record of access and critical operations
Organizational measures:
- Internal information security policies
- Security incident management procedures
- Access controls based on the principle of least privilege
- Periodic review of staff access
- Confidentiality agreements with employees
4.4 Assistance to Controller
The Processor will assist the Controller in:
a) Response to data subject rights exercise:
When a Controller's end client exercises their rights (access, rectification, erasure, portability, restriction, objection), the Processor will:
- Redirect the data subject to the Controller if contact is made directly with Timeblu
- Provide the Controller with tools for:
  - Access: Viewing all of the data subject's data
  - Rectification: Editing incorrect data
  - Erasure: Deleting individual or bulk records
  - Portability: Exporting data in CSV/JSON format
  - Restriction: Temporary blocking of processing (through deletion or marking)
- Respond to Controller requests within a maximum of 7 business days
b) Security breach notification:
In case of a security breach affecting personal data processed on behalf of the Controller:
- Notification to the Controller within a maximum of 36 hours from when the Processor becomes aware of the breach
- The notification will include:
  - Description of the nature of the breach
  - Categories and approximate number of data subjects affected
  - Categories and approximate number of data records affected
  - Possible consequences of the breach
  - Measures taken or proposed to remedy the breach
  - Contact for the Processor's communication point
- Assistance to the Controller in communicating to the supervisory authority and data subjects, if applicable
c) Impact assessments and prior consultations:
If the Controller is required to carry out a Data Protection Impact Assessment (DPIA) or prior consultation with the supervisory authority:
- The Processor will provide information about its security measures, sub-processors, and international transfers
- The Processor will reasonably cooperate in conducting the assessment
4.5 Data Deletion or Return
At the end of service provision, the Processor, according to the Controller's instructions:
Option A - Deletion (default):
- Will delete all personal data processed on behalf of the Controller
- Will delete all backups containing such data (according to retention schedule, maximum 30 days)
- Will certify in writing the destruction of data if the Controller requests
Option B - Return:
- If the Controller so requests before cancellation, the Processor will:
  - Provide a complete export of all data in CSV/JSON format
  - Provide a download link valid for 7 days
  - Proceed with deletion once the Controller confirms receipt
Exceptions:
- The Processor may retain data if there is a legal obligation (invoices for 4 years, audit records according to security regulations)
- Data retained due to legal obligation will be blocked for any processing except to comply with said obligation
4.6 Record of Processing Activities
The Processor maintains a record of all categories of processing activities carried out on behalf of the Controller, which includes:
- Name and contact details of the Processor
- Categories of processing carried out on behalf of each Controller
- Data transfers to third countries (if any)
- General description of technical and organizational security measures
This record is available for inspection by the supervisory authority.
4.7 Audits and Inspections
The Processor:
- Will make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR obligations
- Will allow and contribute to audits, including inspections, by the Controller or an auditor authorized by them
- Audits will be conducted upon request, with at least 15 days' advance notice, and not more than once a year unless there is reasonable indication of non-compliance
- The Controller will bear the audit costs
- The Processor may provide third-party audit reports (SOC 2, ISO 27001, etc.) as an alternative to direct audits
5. SUB-PROCESSORS
5.1 General Authorization
The Controller authorizes the Processor to engage sub-processors for specific processing operations.
5.2 List of Sub-processors
Currently authorized sub-processors are:
| Sub-processor | Service Provided | Location | Guarantees |
|---|---|---|---|
| Supabase Inc. | Database and backend hosting | Frankfurt, Germany (EU) | GDPR-compliant DPA, ISO 27001 Certification |
| Stripe, Inc. | Payment processing | EU servers + Standard Contractual Clauses | GDPR-compliant DPA, PCI-DSS Level 1 Certification |
Updated list: Available at https://timeblu.com/subprocessors
5.3 Sub-processor Obligations
The Processor guarantees that:
- Each sub-processor is subject to the same data protection obligations as the Processor
- There is a written contract with each sub-processor that includes Article 28 GDPR clauses
- The Processor is fully liable to the Controller for the sub-processor's compliance with obligations
5.4 Changes in Sub-processors
Notification:
- The Processor will inform the Controller of any planned changes in sub-processors (additions or removals) with at least 30 days advance notice
- Notification will be made by email and by updating https://timeblu.com/subprocessors
Objection:
- The Controller may object for reasoned and justified cause within 14 days from notification
- If the Processor cannot replace the objected sub-processor, the Controller may:
  - Export their data
  - Cancel the service without penalty
  - Request a pro-rated refund for the unused period (if applicable)
6. INTERNATIONAL DATA TRANSFERS
6.1 Data Location
Personal data is stored on servers located in the European Union (Frankfurt, Germany).
6.2 Transfers Outside the EEA
Currently NO personal data transfers are made outside the European Economic Area (EEA).
If in the future data needs to be transferred outside the EEA:
- The Processor will notify the Controller with at least 30 days advance notice
- Appropriate safeguards will be implemented:
  - Standard Contractual Clauses approved by the European Commission, or
  - European Commission adequacy decisions, or
  - Recognized privacy certifications (EU-US Data Privacy Framework)
- The Controller may object and cancel the service according to section 5.4
6.3 Exception - Stripe (payments)
Stripe Inc. may transfer payment data to US servers, but:
- Stripe only processes the data strictly necessary for payment (name, email, last card digits)
- Stripe adheres to the EU-US Data Privacy Framework
- Stripe has Standard Contractual Clauses in place with additional guarantees
- The Controller consents to this transfer when contracting a paid plan
7. CONTROLLER OBLIGATIONS
7.1 Processing Legitimacy
The Controller guarantees that:
- It has a valid legal basis for processing its end clients' data (consent, contract performance, legitimate interest, etc.)
- It has adequately informed data subjects about the processing in accordance with Articles 13-14 GDPR
- It has obtained the necessary consents where the legal basis is consent
- It complies with all GDPR principles (lawfulness, fairness, transparency, minimization, accuracy, storage limitation, integrity, confidentiality)
7.2 Instructions to Processor
The Controller:
- Will provide clear and documented instructions to the Processor
- Will not instruct the Processor to carry out processing that violates GDPR
- Is responsible for the legality of provided instructions
7.3 Data Subject Rights
The Controller is responsible for:
- Managing the exercise of rights by their end clients
- Responding to access, rectification, erasure, etc. requests within legal deadlines
- Using the tools provided by Timeblu to fulfill such rights
7.4 Prohibition of Sensitive Data
The Controller agrees to:
- NOT enter special category data (Article 9 GDPR) unless it has obtained explicit consent from the data subject
- Assume full responsibility if it enters sensitive data in Timeblu
- Exempt the Processor from any liability arising from unauthorized introduction of special category data
8. LIABILITY AND INDEMNIFICATION
8.1 Joint Liability
According to Article 82 GDPR:
- The Processor will only be liable for damages caused by processing when it has not complied with GDPR obligations specifically directed at processors or when it has acted outside or against the legal instructions of the Controller
- In other cases, the Controller will be solely liable
8.2 Indemnification
By the Controller: The Controller will indemnify and hold harmless the Processor against any claim, fine, penalty, or damage arising from:
- Controller instructions that violate GDPR
- Lack of legal basis for processing by the Controller
- Controller's failure to comply with information obligations to data subjects
- Introduction of special category data without adequate consent
By the Processor: The Processor will indemnify the Controller for:
- Data processing contrary to Controller's instructions
- Failure to implement adequate security measures
- Non-compliance with Article 28 GDPR obligations
- Security breaches caused by Processor negligence
8.3 Limitation of Liability
Notwithstanding the above, the Processor's maximum liability will be limited as established in the Terms of Service.
9. COMMUNICATION BETWEEN PARTIES
9.1 Communication Channels
From Controller to Processor:
- Email: dpa@timeblu.com
- Timeblu control panel: Support section
From Processor to Controller:
- Email registered in the Controller's account
- In-app notifications (for non-urgent matters)
9.2 Critical Notifications
For critical matters (security breaches, substantial changes in sub-processors, instructions that violate GDPR):
- Immediate communication by email
- Receipt confirmation required
10. TERM AND TERMINATION
10.1 Entry into Force
This DPA enters into force on the date of acceptance of the Terms of Service.
10.2 Duration
The DPA remains in effect while there is a contractual relationship between the parties.
10.3 Effects of Termination
Upon termination of this DPA:
- The Processor will return or delete data according to Controller's instructions (section 4.5)
- Confidentiality obligations survive termination
- Liability, indemnification, and applicable law clauses survive termination
11. DPA MODIFICATIONS
11.1 Updates
The Processor may modify this DPA to:
- Comply with regulatory changes
- Reflect changes in security measures or sub-processors
- Improve offered protections
11.2 Notification
Substantial changes will be notified with 30 days advance notice by email and by updating the version date at https://timeblu.com/dpa
11.3 Acceptance
Continued use of the service after the modifications enter into force implies acceptance of the updated DPA.
If the Controller does not accept the modifications, they may cancel the service according to the Terms and Conditions.
12. GENERAL PROVISIONS
12.1 Entire Agreement
This DPA, together with the Terms of Service and Privacy Policy, constitutes the complete agreement between the parties regarding personal data processing.
12.2 Precedence
In case of conflict between this DPA and the Terms of Service, this DPA will prevail regarding personal data protection.
12.3 Severability
If any provision of this DPA is declared null or unenforceable, the remaining provisions will remain in force.
12.4 Assignment
Neither party may assign their rights or obligations under this DPA without prior written consent from the other party.
13. GOVERNING LAW AND JURISDICTION
13.1 Applicable Law
This DPA is governed by European Union data protection law and Regulation (EU) 2016/679 (GDPR).
13.2 Dispute Resolution
The parties commit to amicably resolve any dispute arising from this DPA.
If no agreement is reached, disputes will be submitted to the Courts of Madrid, Spain, waiving any other jurisdiction that may apply.
14. DPA ACCEPTANCE
The Controller accepts this DPA by checking the corresponding box during Timeblu registration and by accepting the Terms of Service.
A copy of this DPA is available at all times at: https://timeblu.com/dpa
15. CONTACT
For any questions about this DPA:
Data Processor (Timeblu):
Email: dpa@timeblu.com
Web: https://timeblu.com
Applicable regulations:
- Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR)
- EDPB Guidelines and Recommendations