Slotsy
147 / 250 claimed Claim a seat

Legal · DPA (GDPR)

Data Processing Agreement

LAST UPDATED · 2026-05-12 · PLAIN-ENGLISH SUMMARIES IN grey

Stub · Slotsy-adapted draft of the Bonterms free open-source DPA (CC BY 4.0). Pending solicitor review.

§01 Parties & scope

You're the Controller of your members' data, we're the Processor. We follow your instructions.

This DPA applies between you ("Controller") and Slotsy ("Processor") regarding personal data of your members processed through the Slotsy platform. It is incorporated into the Slotsy Terms of Service.

§02 Subject & duration

Subject: scheduling, calendar sync, confirmation + reminder emails, webhook delivery, payment processing through your Stripe key. Duration: for as long as your Slotsy account is active, plus the wind-down window in §08.

§03 Categories of data subjects

  • Your members / clients / customers who book through your Slotsy page.
  • Your employees or contractors whose calendars are connected to your Slotsy account (Agency tier).

§04 Categories of personal data

  • Identifying: name, email.
  • Scheduling: meeting time, duration, time zone, notes.
  • Optional intake-form fields you defined.
  • Payment metadata (not card numbers — held by Stripe).

§05 Processor obligations

  • Process personal data only on documented instructions from you.
  • Ensure persons authorised to process the data have committed to confidentiality.
  • Implement appropriate technical and organisational measures (see §07).
  • Engage sub-processors only with prior general authorisation (see §06).
  • Assist with DSARs and supervisory-authority enquiries.
  • Notify you without undue delay (within 72 hours) of any personal-data breach.

§06 Sub-processors

You authorise the following:

  • Cloudflare — hosting, edge database, file storage, CDN — EU regional hint.
  • Paddle — merchant-of-record for Slotsy subscriptions — UK/EU.
  • Resend — transactional email — EU region available.
  • Plausible — analytics, server-side, no cookies — EU.

Slotsy notifies you of any change to sub-processors at least 30 days in advance. You may object and terminate within that window.

§07 Security measures

  • Data encrypted in transit (TLS 1.2+) and at rest (Cloudflare D1 + R2 encryption).
  • OAuth tokens encrypted with AES-256-GCM using a per-tenant key.
  • Access to production data restricted to the founder, logged, reviewed quarterly.
  • Session cookies: HttpOnly, SameSite=Lax, 30-day sliding TTL.
  • Password hashing: bcrypt cost 12.
  • Webhook signatures: HMAC-SHA256.
  • Annual security review including OWASP Top-10 coverage check.

§08 Return & deletion

On termination, you may export all personal data via the in-app JSON export. Slotsy deletes all personal data within 90 days of account closure, except where retention is required by law.

§09 Audit

You may, on 30 days' notice and no more than annually, request a copy of our most recent security review report. On-site audits are available for Agency-tier accounts at the requestor's cost.

§10 International transfers

Where transfers outside the EU occur, Standard Contractual Clauses (Module 2 — Controller to Processor) apply, supplemented by additional safeguards where required.

§11 Contact

DPA questions, DSARs, breach notifications: [email protected].

Questions? [email protected] · Privacy / DSAR: [email protected]