Data Processing Addendum
Effective June 18, 2025
1. Purpose & Incorporation
This DPA establishes the terms under which EverExpanse Technologies LLC ("BookMyService," "Processor," "we," or "us") processes personal data on behalf of merchants ("Controller," "you," or "your") in connection with the BookMyService platform. It applies to the personal data of your end customers — the clients who book appointments through your storefront.
This DPA is governed by U.S. federal and applicable state privacy frameworks, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and applicable state privacy statutes including Virginia (CDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and Oregon (OCPA).
2. Definitions
- Personal Information / Personal Data — any information that identifies or could reasonably be linked to an individual, as defined under applicable U.S. state privacy laws
- Controller — the merchant who determines the purposes and means of processing their clients' personal data
- Processor — EverExpanse Technologies LLC / BookMyService, which processes personal data on behalf of the Controller
- Sub-Processor — a third-party vendor engaged by BookMyService to assist in processing personal data
- Processing — any operation performed on personal data, including collection, storage, use, disclosure, or deletion
- Security Incident — any confirmed unauthorized access to, disclosure of, or loss of personal data
- Cardholder Data — payment card numbers, CVV/CVC codes, and expiration dates as defined under PCI DSS. Cardholder data is not processed by BookMyService; it is handled exclusively within gateway partners' PCI-certified environments.
3. Roles of the Parties
You (Merchant) are the Controller of your clients' personal data. You determine what information is collected from your clients, how it is used, and for how long it is retained.
BookMyService is the Processor. We process your clients' personal data solely as instructed by you through your use of the Platform — to provide booking, scheduling, customer management, and communication features.
EverExpanse may independently act as a Controller for data used in fraud prevention, platform security, legal compliance, and aggregate analytics. Such independent processing is governed by our Privacy Policy.
4. Processing Instructions
BookMyService processes your clients' personal data solely for the following purposes, as configured by you:
- Creating and managing client booking records and appointment history
- Sending booking confirmations, reminders, and follow-up communications to your clients on your behalf
- Storing client contact information (name, email, phone number) in your customer management dashboard
- Displaying client history and notes to authorized staff members
- Generating reports and analytics on your business performance
- Processing online payments through approved gateway partners (payment card data does not pass through BookMyService systems)
We will not process personal data for any purpose beyond what is described above without your explicit instruction, except where required by applicable law.
5. Confidentiality
All BookMyService personnel with access to personal data processed under this DPA are bound by confidentiality obligations. Access to personal data is restricted on a need-to-know basis and is not disclosed to any third party except as described in the Sub-Processors section or as required by law.
6. Security Measures
BookMyService implements and maintains the following technical and organizational security measures:
- TLS 1.2+ encryption for all data in transit between users and our servers
- AES-256 encryption for personal data stored at rest
- Multi-factor authentication (MFA) enforced for all internal administrative access
- Role-based access controls limiting data access to authorized personnel only
- AWS cloud infrastructure with SOC 2-aligned security controls in U.S. data centers
- Regular vulnerability assessments and security reviews
- Documented incident response procedures aligned with NIST SP 800-61
- Annual review of security controls and sub-processor agreements
Payment cardholder data is never transmitted to or stored on BookMyService infrastructure. All card data flows directly to and remains within gateway partners' PCI-certified systems.
7. Sub-Processors
You authorize BookMyService to engage the following categories of sub-processors to assist in providing the Platform services:
- Cloud infrastructure — Amazon Web Services (AWS) for hosting and data storage in U.S. data centers
- Payment gateway partners — PayArc, NMI, and other approved gateways for payment processing (cardholder data is processed exclusively within their PCI-certified environments)
- Email delivery providers — for sending booking confirmations and notifications to your clients on your behalf
- Analytics providers — for aggregate, de-identified platform usage analytics
All sub-processors are bound by contractual data protection obligations no less protective than those in this DPA. We will provide at least thirty (30) days' advance notice of any material changes to our sub-processor list. You may object to a new sub-processor by contacting us at info@bookmyservice.us; if we cannot accommodate the objection, you may terminate your account.
8. Assistance Obligations
BookMyService will assist you with your obligations under applicable privacy laws by:
- Implementing security measures described in Section 6 to protect personal data
- Providing tools in the merchant dashboard to export your client data in a machine-readable format
- Assisting you in responding to data subject rights requests (access, deletion, correction) from your clients upon your written instruction
- Notifying you of security incidents as described in Section 9
- Providing documentation of our processing activities and security practices upon reasonable written request
9. Security Incidents & Breach Notification
In the event of a confirmed security incident involving your clients' personal data, BookMyService will:
- Notify you within 72 hours of confirming the incident
- Provide available information about the nature of the incident, categories and approximate number of individuals affected, likely consequences, and measures taken or proposed
- Cooperate with your breach response and assist in notifications to affected individuals as required by applicable law
- Provide a post-incident report within 10 business days of resolution
You, as the Controller, are solely responsible for determining whether notification obligations to affected individuals or regulatory authorities apply under applicable law, and for making any such notifications.
10. Data Retention & Deletion
BookMyService retains your clients' personal data for as long as your merchant account is active and as needed to provide the Platform services. Upon account closure:
- Your data and your clients' data remain available for export via the merchant dashboard for 90 days after account closure
- After 90 days, data is deleted from active systems
- Certain records may be retained in encrypted backup archives for up to 7 years as required by financial regulations (BSA, IRS), after which they are permanently deleted
You may request deletion of personal data at any time by contacting info@bookmyservice.us. We will complete deletion within 30 days, subject to legal retention requirements.
11. Audit & Compliance Verification
Upon your written request with at least 60 days' advance notice, BookMyService will provide:
- Documentation of our security practices and sub-processor agreements
- Summaries of applicable compliance certifications (SOC 2, AWS security attestations)
- Answers to a reasonable privacy/security questionnaire
On-site audits are permitted once per year with 60 days' advance notice, subject to reasonable confidentiality agreements and scheduling constraints.
12. CCPA / CPRA Service Provider Provisions
For purposes of the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), BookMyService acts as a Service Provider when processing personal information on your behalf. BookMyService:
- Processes personal information only for the business purposes specified in this DPA and as directed by you
- Does not sell or share your clients' personal information
- Does not retain, use, or disclose personal information outside the direct business relationship with you
- Does not combine personal information received from you with personal information from other sources for purposes outside this DPA
- Cooperates with your obligations to respond to verifiable consumer requests under CCPA/CPRA
13. Compliance with U.S. State Privacy Laws
BookMyService operates as a Processor or Service Provider under the following U.S. state privacy laws, as applicable to your business:
- California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA)
- Virginia Consumer Data Protection Act (CDPA)
- Colorado Privacy Act (CPA)
- Connecticut Data Privacy Act (CTDPA)
- Texas Data Privacy and Security Act (TDPSA)
- Oregon Consumer Privacy Act (OCPA)
- Montana Consumer Data Privacy Act (MCDPA)
- Other applicable state privacy statutes as they take effect
14. Liability
You, as the Controller, are responsible for the accuracy, lawfulness, and completeness of the personal data you provide to the Platform, and for ensuring you have a lawful basis for processing your clients' data.
BookMyService's liability under this DPA is subject to the limitation of liability provisions in the Terms of Service. Each party will indemnify the other for damages caused by its own failure to comply with applicable data protection laws.
15. Term & Termination
This DPA is effective for the duration of your merchant account and terminates automatically upon account closure. The following provisions survive termination: confidentiality, breach notification obligations, data retention and deletion, audit rights, liability, and governing law.
16. Governing Law & Order of Precedence
This DPA is governed by the laws of the State of California. In the event of a conflict between this DPA and the Terms of Service on matters of data processing, this DPA controls.
17. Contact & DPA Execution
No separate signature is required. This DPA is automatically incorporated into the Terms of Service upon account registration. For questions or to request DPA documentation:
- Legal & Privacy: info@bookmyservice.us
- Privacy team: privacy@bookmyservice.us
- Phone: +1 (661) 418-3835