Data Processing Agreement
Last updated
Preamble
This Data Processing Agreement (“DPA”) forms part of the engagement between Schedars (“Processor”) and the client (“Controller”) that has signed a Master Services Agreement (“MSA”) with Schedars.
This DPA reflects Article 28 of the EU General Data Protection Regulation (GDPR) and is designed to also satisfy the equivalent requirements of the UK GDPR and the California Consumer Privacy Act (CCPA / CPRA) where it applies to Service Providers.
This page is the template version of our DPA. The signed version applies to the specific engagement and may include carve-outs or jurisdictional addenda. Email legal@schedars.com to request the signed PDF.
1. Definitions
Capitalized terms have the meaning given in GDPR Art. 4 unless defined otherwise here:
- “Personal Data” — any information relating to an identified or identifiable natural person, processed by Schedars on behalf of the Controller under the MSA.
- “Data Subject” — the individual to whom Personal Data relates.
- “Processing” — any operation performed on Personal Data, automated or not.
- “Sub-processor” — any third party engaged by Schedars to process Personal Data on the Controller’s behalf.
- “Standard Contractual Clauses (SCCs)” — the standard contractual clauses adopted by EU Commission Implementing Decision (EU) 2021/914.
- “Personal Data Breach” — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2. Subject matter and duration
Schedars processes Personal Data on the Controller’s behalf for the duration of the MSA and any post-termination period required for orderly handover, deletion, or return of data (typically up to 30 days, extended where law requires longer retention).
3. Nature and purpose of processing
The nature of processing depends on the engagement and is described in the SOW. Typical activities include:
- Designing and developing software systems that store, transmit, or display Personal Data
- Running staging or QA environments containing Personal Data (with the Controller’s consent)
- Operating short-term debugging access to production systems where the SOW provides for it
- Migrating data between systems during a launch or platform change
4. Type of Personal Data and categories of Data Subjects
Specified in the relevant SOW. Typical categories:
| Category | Example |
|---|---|
| Identity | Name, username, email |
| Contact | Phone, address |
| Account | Hashed password, MFA factors |
| Transactional | Order, subscription, payment metadata (no PAN) |
| Behavioral | Page views, feature use, app events |
| Special categories (Art. 9) | Only with explicit Controller authorization in the SOW |
Categories of Data Subjects: typically the Controller’s customers, employees, and prospects.
5. Controller obligations
The Controller represents and warrants that:
- It has a lawful basis (Art. 6) and, where applicable, explicit consent (Art. 9) for the Personal Data it instructs Schedars to process
- The instructions it provides comply with applicable data protection law
- It will inform Data Subjects about Schedars’s role as Processor in its own privacy notice
6. Schedars (Processor) obligations
Per Art. 28(3), Schedars will:
- Process only on documented instructions from the Controller — including transfers to third countries — except where required by law (in which case Schedars notifies the Controller before processing, unless that law forbids notice on important public-interest grounds).
- Ensure persons authorized to process Personal Data have committed to confidentiality or are under appropriate statutory confidentiality obligations.
- Implement appropriate technical and organizational measures as defined in Section 11 below.
- Engage Sub-processors only in accordance with Section 7.
- Assist the Controller in fulfilling Data Subject requests (Art. 12-22) — typically within 5 business days of receiving a forwarded request.
- Assist the Controller in complying with Art. 32-36 obligations (security, breach notification, DPIA, prior consultation).
- At the Controller’s choice, delete or return all Personal Data after the end of services, and delete existing copies (unless law requires retention).
- Make available all information necessary to demonstrate compliance with these obligations and allow audits as defined in Section 12.
7. Sub-processors
The Controller grants Schedars general authorization to engage the Sub-processors listed in Annex A and to update that list with 30 days’ prior notice for material new Sub-processors.
If the Controller objects to a new Sub-processor on reasonable data protection grounds, the parties will discuss alternatives in good faith. If no resolution is found, the Controller may terminate the affected SOW with no further liability beyond fees due for work completed.
Schedars remains fully liable for Sub-processor compliance with this DPA.
8. Personal Data Breach notification
Schedars will notify the Controller without undue delay (target: 24 hours) after becoming aware of a Personal Data Breach. The notification will include, to the extent known:
- The nature of the breach (categories and approximate numbers of Data Subjects and records affected)
- The likely consequences
- The measures taken or proposed to address the breach
- The contact point for further information
Schedars will assist the Controller in its own breach notification obligations to supervisory authorities and Data Subjects.
9. Data Subject rights
Schedars will, on the Controller’s instruction:
- Provide reasonable assistance with access requests (Art. 15) within 5 business days
- Implement rectification (Art. 16), erasure (Art. 17), and restriction (Art. 18) instructions in production systems within timelines specified by the Controller
- Provide data in portable formats (Art. 20) where feasible
- Honour objection (Art. 21) by ceasing or restricting processing as instructed
- Forward Data Subject requests received directly by Schedars to the Controller without undue delay
10. International transfers
Where Schedars or its Sub-processors transfer Personal Data outside the EU/EEA or UK, transfers are made under:
- The EU-US Data Privacy Framework (where the recipient is certified)
- Standard Contractual Clauses (Module 2 — Controller to Processor, Module 3 — Processor to Sub-processor) for transfers not covered by DPF
- UK Addendum to the SCCs for UK-originated data
- Adequacy decisions where they apply
Schedars conducts and documents transfer impact assessments before engaging any new Sub-processor that will handle Personal Data in a jurisdiction not covered by an adequacy decision.
11. Security measures
Schedars implements appropriate technical and organizational measures including:
Encryption
- TLS 1.2+ for all data in transit
- AES-256 (or equivalent) for data at rest where the underlying provider supports it
Access control
- Least-privilege principle — engineers receive only the access required for the engagement
- Multi-factor authentication on all production-bearing systems
- Cloudflare Access (Zero Trust) on the CMS admin interface
- Quarterly access review
Application security
- OWASP Top 10 review on every project before launch
- Dependency scanning in CI (npm audit, Snyk-equivalent)
- Security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options) on production
- No production secrets in source control; secrets only via Vercel/cloud-vendor secret managers
Operational security
- Backups for systems we operate on the Controller’s behalf — frequency per SOW
- Incident response process documented and tested
- Onboarding includes data protection training; offboarding revokes access within 24 hours
Audit and logging
- Application logs retained per SOW
- Audit logs for administrative actions on systems we control
12. Audit rights
The Controller may audit Schedars’s compliance with this DPA:
- Once per calendar year through written questions (Schedars responds within 30 days)
- On reasonable notice through a third-party auditor bound by confidentiality, at the Controller’s cost, during business hours, in a manner that does not disrupt Schedars’s operations or violate the confidentiality of other clients
If a Personal Data Breach has occurred, the Controller may audit on shorter notice, and at Schedars’s cost where the audit confirms the breach.
13. Termination, return, deletion
On termination of the MSA or any SOW, Schedars will, at the Controller’s written instruction within 30 days of termination:
- Return all Personal Data to the Controller in a portable format, OR
- Delete all Personal Data, including backup copies (unless law requires retention)
Schedars will provide written confirmation of deletion within 14 days of completion.
Personal Data retained for legal reasons (e.g., tax records) is held under continued obligations of this DPA until lawful destruction.
14. Liability
The liability cap in the MSA applies to claims arising under this DPA. Where law (including GDPR Art. 82) prohibits limitation of liability for certain claims, those claims are not subject to the cap.
15. Conflict
If any provision of this DPA conflicts with the MSA, this DPA prevails for the conflicting provision. All other MSA provisions remain in effect.
16. Changes
Material changes to this DPA require written agreement of both parties. Schedars may update non-material details (e.g., the Sub-processor list per Section 7) with the notice procedure described there.
Annex A — Approved Sub-processors
Current list as of the “Last updated” date:
| Sub-processor | Service | Location | Transfer mechanism |
|---|---|---|---|
| Vercel Inc. | Hosting, CDN, web analytics | United States | DPF + SCCs |
| Cloudflare Inc. | DNS, edge, Zero Trust Access | United States / global | DPF + SCCs |
| Hetzner Online GmbH | VPS hosting (CMS) | Germany (EU) | EU-only |
| Stripe, Inc. + Stripe Payments Europe Ltd | Payments | US / Ireland | DPF + SCCs |
| Resend / Postmark | Transactional email | United States | DPF + SCCs |
| Anthropic PBC | LLM API (engagement-specific) | United States | SCCs + AI-data addendum |
| OpenAI, L.L.C. | LLM API (engagement-specific) | United States | SCCs + AI-data addendum |
17. Contact
- Legal / DPA requests: legal@schedars.com
- Privacy / Data Subject requests: privacy@schedars.com
- Security / breach reports: security@schedars.com
This document is the template Schedars DPA. The signed version applies to specific engagements and may differ. Request the signed PDF at legal@schedars.com.