Data Processing Addendum (DPA)
Last updated: May 28, 2026
This Data Processing Addendum ("DPA") forms part of the EquaSched Terms of Service (the "Agreement") between EquaSched (Timur Kharenkov, an Irish sole trader, "EquaSched") and the Customer that has accepted the Agreement ("Customer"). It applies whenever EquaSched processes personal data on Customer's behalf in connection with the Service, regardless of Customer's location. Part A contains common provisions; Part B (US State Privacy Addendum) applies to US customers and imposes CPRA and equivalent service-provider obligations; Part C (EU / UK Annex) applies where the processing is subject to the EU GDPR, UK GDPR, or other laws requiring a written processor agreement. By accepting the Agreement, Customer is deemed to have entered into this DPA with EquaSched.
PART A — Common Provisions
A.1 Definitions
Terms not defined here have the meaning given in the Agreement or in applicable privacy law. "Personal data," "processing," "controller," "processor," "service provider," "business," "sub-processor," "data subject," and "consumer" have the meanings given in the EU GDPR, UK GDPR, the California Consumer Privacy Act as amended by the CPRA, and other applicable laws, as the context requires. "Standard Contractual Clauses" or "SCCs" means Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module 2 (Controller-to-Processor).
A.2 Roles and Scope
Customer is the controller / business of personal data submitted to the Service (including clinic staff names, work emails, job roles, qualifications, shift assignments, and scheduling preferences). EquaSched processes such personal data solely on Customer's behalf, for the purposes set out in Annex I.B, and only on Customer's documented instructions (which include the Agreement, this DPA, and configuration choices made by Customer's administrators).
A.3 Common Processor Obligations
EquaSched shall:
- process personal data only on Customer's documented instructions;
- ensure that persons authorized to process personal data have committed to confidentiality;
- implement the technical and organizational measures described in Annex II;
- engage sub-processors only as permitted under Section A.5;
- assist Customer in responding to data-subject / consumer rights requests, taking into account the nature of processing;
- assist Customer with security, breach notification, data-protection impact assessments, and prior consultation where applicable;
- at Customer's choice, delete or return personal data after the end of the provision of services (subject to A.7);
- make available to Customer the information reasonably necessary to demonstrate compliance with this DPA and applicable law.
A.4 Data-Subject / Consumer Requests
Where a data subject or consumer contacts EquaSched directly with a rights request, EquaSched will, without undue delay, forward the request to Customer and will not respond directly except on Customer's documented instruction. EquaSched will, by appropriate technical and organizational measures and to the extent possible, assist Customer in fulfilling such requests.
A.5 Sub-processors
Customer provides general authorization for EquaSched to engage the sub-processors listed in Annex III. EquaSched will notify Customer of any intended addition or replacement of sub-processors at least thirty (30) days in advance by updating Annex III and emailing the account's administrator. Customer may object on reasonable data-protection grounds within fifteen (15) days; if the parties cannot reach an agreed solution, Customer may terminate the affected portion of the Service for convenience. EquaSched remains fully liable to Customer for the performance of each sub-processor's obligations.
A.6 PHI / Consumer Health Data Restrictions
The Service is not designed to receive Protected Health Information (PHI) as defined by HIPAA (45 C.F.R. § 160.103) or "consumer health data" under Washington's My Health My Data Act (RCW 19.373) or similar laws, and EquaSched is not a HIPAA Business Associate unless a separate written BAA has been executed. Customer warrants that it will not submit such data, as further set out in Section 4 of the Agreement. EquaSched's automated PHI-pattern detection operates without human review of detected content (see Privacy Policy, "Operational enforcement"). To the extent any PHI is incidentally created, received, or maintained, EquaSched will use it only to enforce Section 4 of the Agreement and will promptly delete or irreversibly de-identify it.
A.7 Return and Deletion
Following expiry or termination of the Agreement, Customer may export personal data per Section 6 of the Agreement. Within ninety (90) days after the later of (a) account deletion or (b) the close of the 30-day post-termination export window, EquaSched will delete personal data from active systems. Encrypted backups are rotated and overwritten within an additional 90 days. EquaSched may retain personal data to the extent and for the duration required by applicable law (including tax and accounting retention of up to seven (7) years), continuing to protect it under this DPA.
A.8 Audit and Records
EquaSched will make available to Customer, on reasonable request and subject to confidentiality, the information necessary to demonstrate compliance with this DPA, including a description of the measures in Annex II and, where available, relevant third-party certifications or audit reports of EquaSched or its sub-processors. Audit format. Verification ordinarily takes the form of (i) a written security questionnaire response and (ii) review of available third-party reports. Given EquaSched's present scale, on-site audits of EquaSched's own systems are not generally available; EquaSched will, on no more than an annual basis and on 30 days' notice, complete a reasonable remote audit questionnaire from Customer at Customer's expense. The parties may agree alternative audit arrangements in writing for enterprise customers.
A.9 Breach Notification
EquaSched will notify Customer's designated administrator without unreasonable delay, and in any event within seventy-two (72) hours, after becoming aware of a personal-data breach affecting personal data processed under this DPA. The notification will include, to the extent then known, the information required by applicable law. EquaSched will reasonably assist Customer with breach-notification obligations to data subjects, consumers, supervisory authorities, attorneys general, and consumer reporting agencies as applicable under EU GDPR Arts. 33–34, UK GDPR, CCPA / CPRA, and US state breach laws including Cal. Civ. Code §1798.82, NY Gen. Bus. Law §899-aa (SHIELD Act), Tex. Bus. & Com. Code §521.053, and similar.
A.10 Conflict and Order of Precedence
In the event of conflict, the following prevail in descending order of precedence: (1) the SCCs (where they apply); (2) Part C (EU / UK Annex) for EEA/UK processing; (3) Part B (US State Privacy Addendum) for US customers; (4) the rest of this DPA; (5) the Agreement.
A.11 Term and Liability
This DPA takes effect on the earlier of (a) the date Customer first uses the Service in a manner that involves processing of personal data subject to this DPA, or (b) the date Customer signs or otherwise accepts the Agreement, and remains in effect for as long as EquaSched processes such personal data. The liability provisions of the Agreement (Section 8 of the Terms of Service) apply to claims arising under this DPA, except where applicable law requires otherwise.
PART B — US State Privacy Addendum
This Part B applies to all Customers established in the United States or processing personal information of US residents. EquaSched processes personal information as a "service provider" under the California Consumer Privacy Act as amended by the CPRA (Cal. Civ. Code §1798.140(ag)) and as a "processor" under the Colorado Privacy Act (Colo. Rev. Stat. §§6-1-1304(6) and 6-1-1305), Connecticut Data Privacy Act (Conn. Gen. Stat. §42-520(e)), Virginia Consumer Data Protection Act (Va. Code §59.1-581), Texas Data Privacy and Security Act (Tex. Bus. & Com. Code §541.104), and equivalent obligations under Oregon (OCPA), Tennessee (TIPA), Indiana (INCDPA), Maryland (MODPA), Delaware (DPDPA), Iowa (ICDPA), and Montana (CDPA) (collectively, the "US State Privacy Laws").
B.1 CPRA Service-Provider Certification
EquaSched certifies that it understands the restrictions in CPRA §1798.140(ag) and will comply with them. EquaSched shall not:
- sell or share personal information disclosed to it by Customer;
- retain, use, or disclose personal information for any purpose other than the business purposes specified in the Agreement or as otherwise permitted by the CPRA;
- retain, use, or disclose personal information outside the direct business relationship with Customer; or
- combine personal information received from Customer with personal information received from another source, except as permitted under CPRA §1798.140(ag)(2) to perform a business purpose for Customer or as permitted by the CPRA.
EquaSched shall provide the same level of privacy protection required by the CPRA, shall notify Customer promptly if it determines it can no longer meet these obligations, and shall permit Customer (on reasonable notice) to take steps to stop and remediate unauthorized use of personal information. Customer may take reasonable and appropriate steps to ensure EquaSched's processing remains consistent with Customer's obligations under applicable US State Privacy Laws, including reasonable technical and organizational reviews, security questionnaires, and instructions to stop or remediate processing.
B.2 Equivalent Processor Obligations (CO / CT / VA / TX)
For processing subject to the Colorado, Connecticut, Virginia, or Texas privacy laws, EquaSched will: (i) follow Customer's instructions; (ii) maintain a duty of confidentiality; (iii) assist Customer with consumer rights requests, security, and data-protection assessments; (iv) provide the information necessary to demonstrate compliance with applicable laws; (v) engage sub-processors only under written contracts imposing equivalent obligations; and (vi) delete or return personal data at the end of the provision of services, subject to legal retention exceptions. These obligations satisfy Colo. Rev. Stat. §§6-1-1304(6) and 6-1-1305, Conn. Gen. Stat. §42-520(e), Va. Code §59.1-581, Tex. Bus. & Com. Code §541.104, and equivalent processor-contract provisions of Oregon (OCPA), Tennessee (TIPA), Indiana (INCDPA), Maryland (MODPA), Delaware (DPDPA), Iowa (ICDPA), and Montana (CDPA).
B.3 No Sale; No Targeted Advertising; No Significant Profiling
EquaSched does not sell personal information for money. EquaSched does not engage in cross-context behavioral advertising or targeted advertising. EquaSched does not use staff scheduling data for automated decision-making producing legal or similarly significant effects on individuals without human review. EquaSched honors opt-out preference signals (including Global Privacy Control) as set out in the Privacy Policy.
B.4 Sensitive Personal Information
EquaSched limits its use and disclosure of sensitive personal information (CPRA §1798.121) to the purposes necessary to provide the Service and security, and will not use SPI to infer characteristics about consumers. EquaSched does not knowingly collect sensitive personal information other than account login credentials used for authentication.
B.5 Washington Consumer Health Data
EquaSched does not intentionally collect "consumer health data" as defined by Washington's My Health My Data Act (RCW 19.373). EquaSched does not sell consumer health data, does not use geofencing around healthcare facilities, and does not use any data EquaSched processes for advertising. If Customer or its users inadvertently transmit information that may constitute consumer health data, the operational restrictions in Section A.6 apply.
B.6 Cooperation with US State Authorities
EquaSched will reasonably cooperate with Customer's response to inquiries or investigations by US state Attorneys General, the California Privacy Protection Agency (CPPA), and similar regulators concerning personal information processed under this DPA.
PART C — EU / UK Annex
This Part C applies where the processing of personal data is subject to the EU GDPR, UK GDPR, or Swiss FADP.
C.1 Article 28 GDPR Compliance
In addition to the obligations in Part A, EquaSched will comply with the obligations applicable to processors under Article 28 GDPR, including: ensuring confidentiality undertakings; engaging sub-processors only under a written contract imposing equivalent obligations; assisting Customer with Articles 32 to 36 GDPR; and making available all information necessary to demonstrate compliance with Article 28 and allowing for audits, subject to Section A.8.
C.2 International Data Transfers (SCCs / IDTA)
For transfers from the EEA, UK, or Switzerland to a third country without an adequacy decision, the transfer is governed by the Standard Contractual Clauses (Module 2, Controller-to-Processor), Commission Implementing Decision (EU) 2021/914, hereby incorporated by reference and completed as follows:
- Clause 7 (docking): not included.
- Clause 9(a) (sub-processors): Option 2 (general written authorization), notice period 30 days, as in Section A.5.
- Clause 11(a): not included.
- Clause 17 (governing law): Ireland.
- Clause 18 (forum): courts of Ireland, without prejudice to data-subject rights under Clause 18(c).
- Annex I.A, I.B, II, III: as set out below.
For UK transfers, the UK International Data Transfer Addendum to the EU Commission SCCs (UK Addendum, version B1.0) applies. For Switzerland, references to GDPR / EU supervisory authorities are deemed to refer to the Swiss FADP and the FDPIC.
EquaSched will conduct a Transfer Impact Assessment (TIA) in accordance with EDPB Recommendations 01/2020 on Customer's written request and prior to commencing transfers of Customer's EEA / UK personal data. A summary will be provided on request.
Annex I — Details of the Processing
A. List of Parties
Data exporter / Controller / Business: the Customer that has accepted the Agreement.
Data importer / Processor / Service Provider: EquaSched, operated by Timur Kharenkov (Irish sole trader; Delaware LLC successor entity in formation), 5 Keegans Flats, 20 North Parade, Gorey, Co Wexford, Y25VY73, Ireland. Contact: hello@equasched.com.
B. Description of Processing
- Categories of data subjects / consumers: Customer's clinic employees, contractors, and authorized users.
- Categories of personal data / personal information: names, work email addresses, job roles and qualifications, shift assignments, scheduling preferences, login credentials (email + hashed password), session and usage logs, IP address and device identifiers.
- Sensitive data / SPI: account login credentials, used only for authentication. No HIPAA PHI, no consumer health data, no special-category data under Art. 9 GDPR intentionally processed.
- Frequency: continuous for the duration of the Agreement.
- Nature of processing: hosting, generation of proposed staff schedules, operational notifications, support, security monitoring, automated PHI-pattern detection.
- Purpose: provision of the EquaSched workforce-scheduling Service.
- Retention: as set out in Section A.7 of this DPA and Section 5 of the Privacy Policy.
C. Competent Supervisory Authority
For EU / UK processing, the Irish Data Protection Commission (DPC), dataprotection.ie. For US state processing, the relevant state Attorney General and (for California) the California Privacy Protection Agency.
Annex II — Technical and Organizational Measures
The measures below describe EquaSched's target architecture and controls as of the DPA effective date. They are illustrative and do not constitute a guarantee of any particular standard, certification, or outcome. EquaSched maintains safeguards appropriate to the risk, which may change with technology and the threat landscape.
- Encryption in transit: TLS 1.2+ for client-server and inter-service communication.
- Encryption at rest: AES-256 (or equivalent) for primary databases and backups via underlying cloud providers.
- Access control: role-based access (RBAC) in the Service; row-level security (RLS) policies in the database; principle of least privilege for personnel.
- Authentication: email + password with hashed passwords; bot protection (Cloudflare Turnstile) on signup.
- Logging and monitoring: security and audit logs retained for 12 months; anomaly monitoring on authentication and admin operations.
- Backups: regular encrypted backups; rotated and overwritten on a defined schedule (Section A.7).
- Vulnerability management: regular patching of dependencies; review of upstream security advisories.
- Personnel: confidentiality obligations for all personnel with access to personal data; need-to-know access.
- PHI prevention: automated pattern detection at write time, zero human review of detected content, hash-only logging (see Section A.6).
- Sub-processor due diligence: each sub-processor in Annex III is engaged under a written data-processing agreement (or in good-faith pending execution per Annex III notes).
- Reasonable safeguards standard: these measures are intended to satisfy the reasonable safeguards standard under New York General Business Law §899-bb (SHIELD Act) and analogous US state laws.
Annex III — Approved Sub-processors
| Sub-processor | Service | Location |
|---|---|---|
| Supabase Inc. | Database and authentication | USA |
| Vercel Inc. | Frontend hosting and content delivery — DPA execution pending upgrade to paid plan; processing operates under Vercel's standard service terms in the interim | USA |
| Paddle.com Market Ltd. | Subscription payments, merchant of record, tax remittance | UK / USA |
| Resend Inc. | Transactional and (where applicable) marketing email | USA |
| Hostinger International Ltd. | Backend API hosting (VPS) | EU / UK |
| Cloudflare Inc. | Bot protection (Turnstile CAPTCHA) on signup | USA |
| Google LLC | Google Analytics 4 (engaged only after end-user analytics-cookie consent) | USA |
Contact
Questions about this DPA, requests for SCCs in signed PDF form, TIA summaries, or service-provider certifications may be sent to hello@equasched.com with the subject line "DPA Request."