DATA PROCESSING AGREEMENT (DPA)
Last updated: 2024-06-23
This Data Processing Agreement (“Agreement”) is entered into between:
EasyAutomation, hereinafter referred to as the “Processor”, and
You, the customer who uses our review automation services, hereinafter referred to as the “Controller”.
This Agreement ensures that the Processor will process personal data on behalf of the Controller in accordance with the General Data Protection Regulation (GDPR – EU 2016/679).
---
### 1. Purpose of Processing
The Processor provides automation and communication services, including review requests, booking reminders, and AI support tools. To do this, we process customer contact information (e.g. names, emails, phone numbers) on your behalf.
---
### 2. Scope & Purposes
Processor supports:
- Missed-call text-back (service notifications, two-way messaging)
- Booking links / reminders / post-visit review requests
- Social messaging consolidation and operational reporting
No medical/health data, diagnoses, treatment notes, social security numbers or journal information may be processed in the platform.
- Controller (You): Owns the customer data and decides how it is used.
- Processor (Us): Processes customer data only as instructed by the Controller and only for the purpose of delivering our services.
---
### 3. Types of Data Processed
- Customer names
- Phone numbers
- Email addresses
- Public review content
---
### 4. Subprocessors
The Processor uses the following third-party sub-processors, each of which is subject to the GDPR obligations described below:
- GoHighLevel (LeadConnector, GHL, USA)
- Twilio (SMS messaging)
- Mailgun / LC Email (Email delivery infrastructure)
- Migadu (optional email domain provider)
Each sub-processor is bound by data-protection obligations consistent with this Agreement and Article 28(4) GDPR and accesses only the data needed to deliver its part of the service.
---
### 5. Data Location
Data may be processed or stored outside the EU, but always in compliance with GDPR, using standard contractual clauses (SCCs) or equivalent safeguards.
---
### 6. Data Security
We implement strong technical and organizational measures to protect personal data, including:
- Encrypted communication in transit (TLS)
- Role-based access controls
- Regular backups
---
### 7. Data Retention and Deletion
Upon termination of your subscription or on written request, we will delete or return all customer data (at the Controller's choice) and delete existing copies, except where EU or Member State law requires retention; the specific retention periods and backup handling are set out in Section 10.
---
### 8. Breach Notification
If a personal data breach occurs, the Processor will notify the Controller without undue delay after becoming aware of it, and in any event within 72 hours, providing the details and mitigation steps the Controller needs to assess the breach and, where required, to meet its own 72-hour notification deadline to the supervisory authority under Article 33 GDPR.
---
### 9. Term and Termination
This Agreement is valid for as long as the Controller uses our services. It ends automatically when the service ends and all data has been deleted or returned.
---
### 10. Article 28 GDPR – Mandatory Clauses
- Documented Instructions – Processor shall process personal data only on documented instructions from Controller, including regarding international transfers.
- Confidentiality – Processor ensures confidentiality obligations for all authorised personnel.
- Security – Processor implements appropriate technical and organisational measures under Article 32 GDPR.
- Sub-processors – Processor may engage sub-processors (e.g., hosting, messaging, email). Controller provides general prior authorisation; Processor will notify changes and allow objections before replacement/addition.
- Assistance – Processor assists Controller with data subject requests (Arts. 15–22), security, breach notifications, and DPIA/consultation (Arts. 32–36) where applicable.
- Audits – Processor makes available information necessary to demonstrate compliance and contributes to audits/inspections conducted by Controller or an appointed auditor.
- Return/Deletion – At the end of the provision of services, Processor shall delete or return personal data (at Controller's choice) and delete existing copies unless EU or Member State law requires storage.
- Records & Cooperation – Processor maintains records of processing and cooperates with supervisory authorities upon request.
#### Sub-processors & International Transfers
Processor uses selected sub-processors (categories: cloud hosting, SMS, email, analytics, payments). Where data is transferred outside the EU/EEA, Processor relies on EU-US Data Privacy Framework (DPF) participation (where applicable) or Standard Contractual Clauses (SCC) with supplementary measures. A current list of sub-processor categories and transfer mechanisms is maintained and made available to the Controller.
#### Data Categories & Retention
Data subjects: end-customers of the Controller, staff users.
Categories: identification and contact details, communication metadata, booking metadata, consent logs; no special categories processed by design.
Retention: contact/account data retained for the term of the account + 12 months; consent logs 24 months after withdrawal; invoicing data 7 years (local accounting law). Upon termination, data is deleted or returned per Controller’s choice.
#### Breach Notification
Processor notifies Controller without undue delay after becoming aware of a personal data breach and provides relevant details to support Controller’s assessment and potential notification to authorities/data subjects.
#### Lawful Basis & Marketing (Controller Responsibilities)
Controller is responsible for ensuring a lawful basis (e.g., consent or applicable soft opt-in under e-privacy rules) for any direct marketing by SMS/email, and for providing a clear opt-out mechanism in each message (e.g., reply “STOP”). Processor can store consent logs where provided by Controller.
#### Deletion & Backups
Upon deletion requests or termination, live data is deleted as instructed. Backups are retained for fixed cycles and cannot be selectively edited; residual copies held in backups are not actively processed and are purged automatically when the backup retention period expires.
---
### 11. Contact
If you have questions about this Agreement or your data, contact us at:
🌐 Easyautomation.se
---
By checking the GDPR consent box during onboarding, the Controller confirms agreement with this DPA.