Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Solteka (KVK: 98993402), operating as Niyon ("Processor", "we", "us"), and the business or individual using Niyon's services ("Controller", "you").

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person.

"Processing" means any operation performed on Personal Data, such as collection, storage, use, disclosure, or deletion.

"Data Subject" means the individual whose Personal Data is processed (e.g., your customers who book appointments).

"Controller" means the entity that determines the purposes and means of Processing (you, the business owner).

"Processor" means the entity that processes Personal Data on behalf of the Controller (Niyon/Solteka).

"Sub-processor" means a third party engaged by the Processor to process Personal Data.

"GDPR" means the General Data Protection Regulation (EU) 2016/679.

2. Scope and purpose

This DPA applies to all Processing of Personal Data by Niyon on your behalf in connection with providing the booking and scheduling services described in our Terms of Service.

Purpose of processing

Managing bookings and appointments on your behalf

Sending transactional emails (confirmations, reminders, cancellations)

Sending marketing emails on your behalf (if you use email campaigns)

Syncing appointments to your calendar (if connected)

Providing analytics and reporting on your booking activity

3. Types of personal data processed

The following categories of Personal Data may be processed:

Contact information: Name, email address, phone number

Booking information: Service booked, appointment date/time, booking status

Communication records: Emails sent, confirmation status

Customer notes: Any notes you add about customers

Reviews: Customer feedback and ratings

4. Categories of data subjects

Your customers who book appointments through your Niyon booking page

Individuals you add manually to your customer list

5. Duration

This DPA remains in effect for the duration of your use of Niyon's services. Upon termination of your account, we will delete or return Personal Data as described in Section 11.

6. Processor obligations

Niyon agrees to:

Process Personal Data only on your documented instructions, unless required by law

Ensure that persons authorized to process Personal Data have committed to confidentiality

Implement appropriate technical and organizational security measures

Assist you in responding to Data Subject requests (access, rectification, erasure, etc.)

Assist you in ensuring compliance with security, breach notification, and impact assessment obligations

Delete or return Personal Data upon termination, at your choice

Make available information necessary to demonstrate compliance with this DPA

7. Controller obligations

As the Controller, you agree to:

Ensure you have a lawful basis for collecting and processing customer Personal Data

Provide appropriate privacy notices to your customers

Respond to Data Subject requests (with our assistance as needed)

Not use email campaigns for unsolicited marketing without proper consent

Ensure your instructions to us comply with applicable data protection laws

8. Sub-processors

You authorize us to engage the following Sub-processors to assist in providing services:

We will notify you of any intended changes to Sub-processors by updating this page. You may object to a new Sub-processor by contacting us within 14 days of notification.

9. Security measures

We implement appropriate technical and organizational measures to protect Personal Data, including:

Encryption of data in transit (TLS/HTTPS)

Encryption of sensitive data at rest (OAuth tokens, etc.)

Access controls and authentication for authorized personnel

Regular backups and disaster recovery procedures

Rate limiting and abuse prevention on public endpoints

Secure credential management (payment data handled entirely by Stripe)

10. Data breach notification

In the event of a Personal Data breach affecting your customer data, we will:

Notify you without undue delay (and within 72 hours where feasible) after becoming aware of the breach

Provide information about the nature of the breach, categories of data affected, and likely consequences

Describe the measures taken or proposed to address the breach

Cooperate with you in notifying supervisory authorities and Data Subjects as required

11. Data deletion and return

Upon termination of your Niyon account, or upon your request, we will:

Delete all customer Personal Data within 30 days, unless retention is required by law

Provide you with an export of your data upon request before deletion

Confirm deletion in writing upon request

12. Data subject rights

If we receive a request from a Data Subject (your customer) regarding their Personal Data, we will:

Promptly notify you of the request (unless prohibited by law)

Not respond directly to the Data Subject unless authorized by you or required by law

Assist you in fulfilling your obligation to respond to such requests

13. International transfers

Some of our Sub-processors are located outside the European Economic Area (EEA). Where Personal Data is transferred outside the EEA, we ensure appropriate safeguards are in place, including:

EU Standard Contractual Clauses (SCCs) with Sub-processors

Sub-processor certifications (e.g., SOC 2, ISO 27001) where applicable

14. Audit rights

Upon reasonable request and subject to confidentiality obligations, we will make available information necessary to demonstrate compliance with this DPA. You may request an audit no more than once per year, with reasonable advance notice.

15. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service.

16. Contact

For questions about this DPA or to exercise your rights, contact us:

• Company: Solteka
• KVK Number: 98993402
• VAT Number: NL005096921B54
• Email: [email protected]
• Phone: +370 628 89714