Data Processing Agreement
Last updated: May 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between PagerSchedule and business or enterprise customers where PagerSchedule processes personal data on their behalf. To execute this DPA for your organisation, email us at legal@pagerschedule.com.
1. Introduction and Scope
This DPA applies when PagerSchedule acts as a data processor on behalf of enterprise and business customers (the “Controller”) in connection with the PagerSchedule scheduling service. It sets out the terms under which we process personal data on your behalf in accordance with UK GDPR and EU GDPR Article 28.
This DPA supplements and is incorporated into the PagerSchedule Terms of Service. In the event of any conflict between this DPA and the Terms of Service, this DPA shall take precedence with respect to data processing matters.
2. Definitions
- Controller: The enterprise or business customer — you — who determines the purposes and means of processing personal data
- Processor: PagerSchedule, who processes personal data on behalf of the Controller
- Data subjects: The individuals whose personal data is processed, including your employees, team members, and meeting attendees
- Personal data: Any information relating to an identified or identifiable natural person, including names, email addresses, and meeting information
- Processing: Any operation performed on personal data, such as storing, accessing, transmitting, or deleting it
- Sub-processor: Any third party engaged by PagerSchedule to process personal data in connection with the Service
- GDPR: UK GDPR and/or EU General Data Protection Regulation 2016/679
3. Processing Details
| Subject matter | Provision of online scheduling and booking services |
| Duration | For the duration of the subscription agreement, plus any retention periods specified in this DPA |
| Nature of processing | Storing, retrieving, displaying, transmitting, and deleting booking information and user data |
| Purpose | Providing scheduling tools to enable the Controller's employees and clients to book meetings |
| Types of data | Names, email addresses, phone numbers (if provided), meeting titles and descriptions, meeting times, location or video call links, booking form responses |
| Categories of data subjects | Employees, clients, contractors, and any other meeting attendees whose data is entered into the Service |
4. PagerSchedule's Obligations as Processor
PagerSchedule agrees to:
- Process personal data only on documented instructions from the Controller (your use of the Service constitutes such instructions), unless required otherwise by applicable law
- Ensure that all personnel with access to personal data are subject to binding confidentiality obligations
- Implement and maintain appropriate technical and organisational security measures as described in Section 6
- Assist the Controller in responding to data subject rights requests within 5 business days of notification
- Assist the Controller with data protection impact assessments (DPIAs) and prior consultations where requested
- Delete or return all personal data upon termination of the agreement, as described in Section 9
- Provide all information necessary to demonstrate compliance with this DPA and permit and contribute to audits conducted by the Controller or a mandated auditor
- Notify the Controller without undue delay (and within 72 hours) of becoming aware of a personal data breach affecting the Controller's data
- Not engage sub-processors without the Controller's prior general consent (which is granted by acceptance of this DPA, subject to the notification requirements in Section 5)
5. Sub-processors
The Controller provides general authorisation for PagerSchedule to engage the following sub-processors:
| Sub-processor | Location | Purpose | DPA |
|---|---|---|---|
| Vercel | EU / US | Hosting and deployment infrastructure | View DPA |
| Neon / Vercel Postgres | European Union | Primary database storage | View DPA |
| Resend | EU / US | Transactional email (confirmations, reminders) | View DPA |
| Sentry | EU / US | Error monitoring (may include limited request data) | View DPA |
| PostHog | European Union | Product analytics (anonymised usage data) | View DPA |
| Twilio | United States | SMS notifications and reminders | View DPA |
| Stripe | EU / US | Payment processing (billing data only) | View DPA |
| OpenAI | United States | AI scheduling assistance features | View DPA |
| UptimeRobot | EU / US | Uptime monitoring (no personal data processed) | View Policy |
PagerSchedule will notify the Controller at least 30 days before adding any new sub-processor. The Controller may object to new sub-processors within that period. If a reasonable objection cannot be resolved, the Controller may terminate the agreement.
6. Technical and Organisational Security Measures
Technical Measures
- Encryption of personal data in transit using TLS 1.2 or higher
- Encryption of personal data at rest using AES-256
- Passwords and credentials stored using one-way bcrypt hashing
- Access control mechanisms including role-based permissions
- Multi-factor authentication available for all accounts
- Regular automated database backups with encrypted storage
- Audit logging of administrative actions
- Rate limiting and DDoS protection
- Regular security updates applied to all system components
Organisational Measures
- Access to personal data limited to personnel who need it to perform their duties
- All staff subject to confidentiality obligations
- Security awareness training for all personnel
- Documented incident response procedures
- Regular review of access controls and permissions
- Vendor risk assessments for all sub-processors
7. Data Subject Rights
PagerSchedule will assist the Controller in responding to data subject rights requests. When we receive a request directly from a data subject that relates to your organisation's data, we will forward it to you within 2 business days. We will provide technical assistance to fulfil such requests within 5 business days of your instruction.
Controllers can manage much of this directly: account holders can export or delete their data from Settings, or request assistance from legal@pagerschedule.com.
8. Data Breach Notification
In the event of a personal data breach affecting your data, PagerSchedule will:
- Notify you without undue delay, and within 72 hours of becoming aware of the breach
- Provide a description of the nature of the breach including the categories and approximate number of data subjects and records affected
- Provide the name and contact details of our data protection contact
- Describe the likely consequences of the breach
- Describe the measures taken or proposed to address the breach
You are responsible for notifying your relevant supervisory authority and affected data subjects as required by applicable law.
9. Data Deletion on Termination
Upon termination of the agreement (whether by either party, or upon expiry), PagerSchedule will:
- Cease all processing of your personal data
- Delete all personal data within 30 days of termination
- Provide written confirmation of deletion upon request
- Ensure sub-processors also delete relevant data
Certain data may be retained for longer periods where required by applicable law (e.g. financial records). We will inform you of any such retention.
10. Governing Law
This DPA is governed by the laws of England and Wales. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales, subject to any mandatory provisions of applicable data protection law.
11. How to Execute This DPA
To receive a countersigned DPA for your organisation, email legal@pagerschedule.com with your company name and registered address. We will respond with a signed copy within 5 business days.