
Data Processing Agreement (DPA)

Last updated: 11 August 2025
Version: 2025-08-11

1. Parties and Incorporation

This Data Processing Agreement ("DPA") forms part of and is incorporated by reference into the master service agreement, terms of service, order form, or other contract for Dermabot services between the parties (the "Agreement").

Controller (Customer): The entity identified in the Agreement ("Controller").

Processor: Dermabot, a SaaS business operated by Samer Alhaiek as an Einzelunternehmer (sole proprietor) based in Germany, with principal place of business at [Your Business Address] ("Processor" or "Dermabot").

This DPA applies automatically whenever Processor processes Personal Data on behalf of Controller in connection with the Dermabot services.

2. Definitions

Capitalised terms not defined in this DPA have the meaning given in the Agreement or applicable Data Protection Laws.

"Data Protection Laws" means the UK GDPR, the EU GDPR (where applicable), the Data Protection Act 2018, and any national implementing laws.

"UK GDPR" means the retained EU General Data Protection Regulation (EU) 2016/679 as incorporated into UK law.

"EU GDPR" means Regulation (EU) 2016/679.

"Personal Data" has the meaning in the Data Protection Laws.

"Personal Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

"Sub-processor" means a third party engaged by Processor to process Personal Data on behalf of Controller.

"Instructions" means documented directions issued by Controller to Processor regarding the processing of Personal Data. Oral instructions must be confirmed in writing without undue delay.

3. Subject Matter, Duration, and Nature of Processing

Processor will process Personal Data on behalf of Controller solely to provide the Dermabot services described in the Agreement, which include automated website chat, SMS/WhatsApp follow-up, optional voice call handling, and appointment booking automation for MedSpas. Processing operations include collection, recording, structuring, storage, retrieval, transmission, and deletion of Personal Data necessary to deliver these services.

This DPA remains in force for the term of the Agreement and until all Personal Data has been returned or securely deleted in accordance with Section 9 (Return and Deletion).

4. Categories of Data and Data Subjects

Personal Data (typical): name, phone number, email address, preferred appointment times, treatment interests, booking metadata, and non-sensitive notes voluntarily provided by the data subject.

Data subjects: Controller's customers and prospective customers, and Controller's authorised personnel.

Special categories: Processor does not intend to process special-category data (e.g., health data). If such data is submitted inadvertently, Processor will process it only as strictly necessary to detect, block, and delete it, then promptly purge it from all systems and Sub-processors. It is not retained or used for analytics or training.

Notification. Processor will notify Controller without undue delay of any material incident involving special-category data that may reasonably pose risk to data subjects or require Controller action. Immaterial incidents that are auto-deleted within minutes and not propagated to downstream systems will be logged and included in a daily summary.

5. Roles and Responsibilities

5.1 Controller Obligations

Controller shall:

  • ensure a lawful basis for the Personal Data provided to Processor;
  • provide data subjects with required privacy notices;
  • obtain and manage any required consents for direct marketing communications;
  • provide accurate and up-to-date Instructions; and
  • not instruct Processor to process special category data.

5.2 Processor Obligations

Processor shall:

  • Instructions & purpose limitation. Process Personal Data only on documented Instructions from Controller and notify Controller if any Instruction appears to infringe Data Protection Laws.
  • Confidentiality. Ensure personnel authorised to process Personal Data are subject to confidentiality obligations.
  • Security. Implement and maintain the technical and organisational measures ("TOMs") described in Annex II and ensure a level of security appropriate to the risk.
  • Model training. Processor will not use Personal Data to train, fine-tune, or otherwise improve any general models or services, except as expressly instructed by Controller in writing.
  • Sub-processing. Use only the Sub-processors listed in Annex III and follow the change notification process in Section 6.
  • Data subject rights. Assist Controller, insofar as possible, with requests under Chapter III of the UK GDPR (access, rectification, erasure, restriction, portability, objection).
  • Personal Data Breach. Notify Controller without undue delay and, in any case, within 24 hours of becoming aware of a Personal Data Breach. Provide details as they become available and cooperate in remediation.
  • Assistance & DPIAs. Provide reasonable assistance with data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of processing and information available to Processor.
  • Records & audits. Maintain records required by Data Protection Laws and make available information necessary to demonstrate compliance. See Section 8 (Audit).
  • Return & deletion. Return or delete Personal Data at the end of the services as set out in Section 9.
  • Government requests. Promptly notify Controller of any legally binding request from a public authority for disclosure of Personal Data unless legally prohibited; review the legality of the request and disclose only the minimum required.

6. Sub-processors

6.1 Authorised Sub-processors

Controller authorises Processor to engage the Sub-processors listed in Annex III (as updated from time to time in accordance with this Section).

6.2 Changes to Sub-processors

Processor will notify Controller of any intended addition or replacement of Sub-processors by email to Controller's designated admin contact(s) at least 10 business days before the change takes effect. Controller may object on reasonable, data-protection-related grounds within that period. If the parties cannot resolve the objection in good faith, Controller may terminate the affected services (if separable) by written notice before the effective date. Continued use after the notice period constitutes acceptance of the change.

Processor remains fully liable for the performance of each Sub-processor.

7. International Transfers

Where Processor or a Sub-processor processes Personal Data outside the UK or EEA in a country not benefiting from an adequacy decision, the parties will rely on appropriate safeguards:

  • For UK transfers, the UK ICO International Data Transfer Addendum (version B1.0, 21 March 2022) to the EU SCCs applies.
  • For EEA transfers, the EU Commission 2021 Standard Contractual Clauses (Decision (EU) 2021/914) apply: Module 2 (Controller → Processor) and, where relevant, Module 3 (Processor → Processor).

Annex I and Annex II of this DPA serve as the Annexes I and II/Appendix to the SCCs/Addendum.

Processor will implement supplementary measures (e.g., encryption in transit and at rest, access controls) as described in Annex II.

By entering into this DPA, the parties are deemed to have executed the EU SCCs and UK Addendum as required for such transfers.

8. Audit and Compliance

Upon 30 days' written notice, and no more than once per 12-month period (unless required by a competent authority or following a material Personal Data Breach), Controller may request: (a) a copy of Processor's security overview and relevant third-party reports or certifications (if any); and (b) a remote audit (document review and Q&A). Any on-site audit must be mutually agreed, limited to what is necessary, conducted during normal business hours, and subject to confidentiality and security policies. Controller shall bear its own costs and any reasonable costs incurred by Processor.

9. Return and Deletion

Within 30 days after expiry or termination of the Agreement (or earlier upon request), Processor will, at Controller's choice, return all Personal Data (in a commonly used, machine-readable format) and/or securely delete Personal Data, unless retention is required by law. Secure deletion will follow NIST SP 800-88 or an equivalent industry-standard method. Where deletion is not possible, Processor will ensure appropriate protections and cease all processing except for storage for as long as required by law.

10. Liability

The liability provisions of the Agreement apply to this DPA. Nothing in this DPA limits either party's liability to the extent such limitation is prohibited by Data Protection Laws. Administrative fines imposed by a supervisory authority shall be borne by the party whose conduct gave rise to the fine, to the extent permitted by law. Neither party is liable for indirect or consequential damages arising from this DPA, except to the extent such limitation is not permitted by law.

11. Order of Precedence; Updates

If there is a conflict between this DPA and the Agreement, this DPA prevails to the extent of the conflict regarding data protection. Processor may update this DPA to reflect changes in law, services, or Sub-processors. Processor will notify Controller at least 30 days before material changes take effect. If Controller reasonably objects to a material change that would materially degrade privacy or security, the parties will work in good faith to resolve the concern; failing that, Controller may terminate the affected services before the effective date.

12. Governing Law and Jurisdiction

This DPA and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it are governed by the laws of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales.

13. Contact

Questions about this DPA: support@dermabotai.com

Annex I – Details of Processing

  • Subject matter: Provision of AI-assisted web chat, SMS/WhatsApp follow-up, optional voice handling, and appointment booking services.
  • Duration: Term of the Agreement plus the return/deletion window in Section 9.
  • Nature and purpose: Messaging and booking automation to facilitate customer communications and scheduling.
  • Types of Personal Data: As set out in Section 4.
  • Categories of data subjects: As set out in Section 4.
  • Controller's Instructions: Process Personal Data only as necessary to provide the services, in accordance with the Agreement and this DPA.

Annex II – Technical and Organisational Measures (TOMs)

  • Encryption. TLS 1.2+ in transit; AES-256 at rest (where supported) for hosting and databases; encrypted backups. Connections to Sub-processors use TLS 1.2+.
  • Access control. Role-based least-privilege access; MFA for all admin accounts; unique credentials; session management; periodic access reviews.
  • Environment segregation. Separation of production and non-production environments; non-production uses anonymised or synthetic data.
  • Monitoring & logging. Centralised logging with retention ≥ 30 days; alerting on anomalous access; integrity monitoring.
  • Backups & continuity. Backups containing Personal Data are for operational continuity only and are overwritten or securely purged within 60 days of a deletion event.
  • Incident response. Documented playbook including triage, containment, eradication, recovery, and post-incident review; breach notification per Section 5.2(6).
  • Data minimisation & retention. Collect and store only fields essential to booking and follow-up; retention aligned to Controller's Instructions.
  • Staff training. Initial and annual security and GDPR training for all personnel with access to Personal Data.
  • Vulnerability management. Routine scans; timely patching; dependency management; security review prior to major changes.
  • Penetration testing. Periodic third-party testing of production systems with remediation tracking.
  • Standards & governance. Security program aligned with ISO/IEC 27001 principles and industry best practices; regular policy reviews.

Annex III – Authorised Sub-processors

(Primary data location is UK/EU where available; otherwise processing may occur in the US with appropriate safeguards.)

Vendor                     | Purpose                 | Locations | Safeguards
---------------------------|-------------------------|-----------|----------------------------------------------------------------
Google Cloud (Gemini)      | LLM inference           | EU & US   | EU SCCs (M2/M3) + UK Addendum; encryption in transit/at rest
Render                     | Hosting                 | EU & US   | EU SCCs + UK Addendum; EU regions preferred
ElevenLabs                 | Voice synthesis         | US        | EU SCCs + UK Addendum
Pinecone                   | Vector database         | EU & US   | EU SCCs + UK Addendum; EU regions preferred
Meta (WhatsApp Business)   | Messaging transport     | EU & US   | EU SCCs + UK Addendum
Twilio (optional)          | WhatsApp API transport  | US & EU   | EU SCCs + UK Addendum; EU regions where available
Calendly                   | Calendar integration    | US        | EU SCCs + UK Addendum
Acuity (Squarespace)       | Calendar integration    | US        | EU SCCs + UK Addendum
Timely                     | Calendar integration    | UK & EU   | UK adequacy / local processing

Notice of changes to Sub-processors will be provided under Section 6.2.

For questions about this DPA, contact support@dermabotai.com. If this DPA conflicts with your Agreement, this DPA prevails on privacy and security matters.