Data Processing Agreement (DPA)
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer," "Data Controller") and Magpie Meetings ("Processor," "we," "us," or "our"). This DPA complies with the EU General Data Protection Regulation (GDPR) and governs our processing of personal data on your behalf.
1. Definitions
In this DPA, the following terms have the meanings set out below:
- "Personal Data" means any information relating to an identified or identifiable natural person that we process on your behalf through the Service.
- "Data Controller" means you, the customer who uses Magpie Meetings to schedule appointments and manage bookings. You determine the purposes and means of processing personal data.
- "Data Processor" means Magpie Meetings, which processes personal data on behalf of the Data Controller.
- "Data Subject" means an individual whose personal data is processed (your meeting attendees, invitees, and contacts).
- "Sub-processor" means third-party service providers we engage to assist in providing the Service.
- "GDPR" means the General Data Protection Regulation (EU) 2016/679.
2. Scope and Applicability
2.1 Data Processing
This DPA applies to our processing of personal data on your behalf when you use Magpie Meetings to:
- Schedule and manage appointments
- Store contact information of meeting invitees
- Send booking confirmations and reminders
- Sync with external calendars
- Create video meeting links
2.2 Roles and Responsibilities
You (Data Controller) are responsible for:
- Determining what personal data to collect and for what purposes
- Ensuring you have a legal basis for processing (consent, contract, legitimate interest)
- Providing privacy notices to data subjects
- Obtaining necessary consents from data subjects
- Responding to data subject requests (with our assistance)
We (Data Processor) are responsible for:
- Processing personal data only according to your documented instructions
- Implementing appropriate technical and organizational security measures
- Assisting you in responding to data subject requests
- Assisting you with data breach notifications
- Deleting or returning personal data when the agreement ends
3. Data Processing Details
3.1 Nature and Purpose of Processing
We process personal data to provide the scheduling and appointment management Service, including:
- Storing and managing appointment bookings
- Sending email notifications and reminders
- Syncing with external calendar services
- Generating video meeting links
- Detecting scheduling conflicts
- Providing analytics and reporting features
3.2 Types of Personal Data
We may process the following categories of personal data on your behalf:
- Names and email addresses of meeting invitees
- Phone numbers (if provided for SMS reminders)
- Appointment details (date, time, duration, subject)
- Meeting notes or custom fields you configure
- Calendar event metadata
- IP addresses and usage logs
3.3 Categories of Data Subjects
Data subjects whose personal data we process include:
- Individuals who book appointments with you
- Your contacts and invitees
- Meeting attendees and participants
3.4 Duration of Processing
We process personal data for as long as:
- Your account is active
- Necessary to provide the Service
- Required by law or for legitimate business purposes
Upon account deletion, we will delete or anonymize personal data within 30 days, except where retention is required by law.
4. Processor Obligations
4.1 Processing Instructions
We will process personal data only on your documented instructions, which include:
- Providing the Service as described in our Terms of Service
- Complying with your configuration and settings within the Service
- Following your instructions via support requests or account settings
If we believe an instruction violates GDPR or other data protection laws, we will inform you immediately.
4.2 Confidentiality
We ensure that all personnel who access personal data:
- Are subject to confidentiality obligations
- Receive appropriate training on data protection
- Access personal data only to the extent necessary for their role
4.3 Security Measures
We implement appropriate technical and organizational measures to protect personal data, including:
- Encryption of data in transit (TLS/SSL) and at rest
- Access controls and authentication mechanisms
- Regular security assessments and vulnerability testing
- Incident detection and response procedures
- Regular backups and disaster recovery plans
For details, see our Security page.
5. Sub-processors
5.1 Authorized Sub-processors
We may engage third-party sub-processors to assist in providing the Service. You authorize us to engage the sub-processors listed on our Sub-processors page.
5.2 Sub-processor Obligations
We ensure that all sub-processors:
- Agree to data protection obligations equivalent to those in this DPA
- Implement appropriate security measures
- Process personal data only for the purposes specified
We remain liable for the acts and omissions of our sub-processors.
5.3 Changes to Sub-processors
We will notify you of any new or replacement sub-processors by updating our Sub-processors page at least 30 days before engagement. If you object to a new sub-processor, you may terminate the agreement in accordance with the Terms of Service.
6. Data Subject Rights
6.1 Assistance with Requests
We will assist you in responding to data subject requests to exercise their rights under GDPR, including:
- Access: Provide data subjects with a copy of their personal data
- Rectification: Correct inaccurate or incomplete personal data
- Erasure: Delete personal data ("right to be forgotten")
- Restriction: Limit processing of personal data
- Portability: Export personal data in a structured, machine-readable format
- Objection: Object to processing based on legitimate interests
6.2 Response Timeframe
If we receive a data subject request directly, we will forward it to you within 48 hours. We will provide reasonable assistance to help you respond within the GDPR-required timeframe (typically 30 days).
7. Data Breaches
7.1 Notification Obligation
If we become aware of a personal data breach affecting your data, we will:
- Notify you without undue delay, and in any case within 72 hours of discovery
- Provide details of the nature of the breach, affected data, and potential consequences
- Describe the measures we have taken or propose to take to address the breach
- Provide contact details for further information
7.2 Cooperation
We will cooperate with you and provide reasonable assistance to help you comply with your obligation to notify supervisory authorities and data subjects under GDPR Articles 33 and 34.
8. Data Protection Impact Assessments and Audits
8.1 Assistance with DPIAs
Upon request, we will provide reasonable assistance and information to help you conduct Data Protection Impact Assessments (DPIAs) required under GDPR Article 35.
8.2 Audits
We will make available to you all information necessary to demonstrate compliance with this DPA and allow for audits or inspections. Audit requests must be:
- Made with reasonable advance notice (at least 30 days)
- Conducted no more than once per year (unless required by a supervisory authority)
- Conducted during business hours and in a manner that does not disrupt our operations
- Subject to confidentiality obligations
9. International Data Transfers
Personal data may be transferred to and processed in countries outside the European Economic Area (EEA). We ensure that all international transfers comply with GDPR requirements through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions by the European Commission (where applicable)
- Other appropriate safeguards as permitted by GDPR
For details on sub-processor locations, see our Sub-processors page.
10. Data Return and Deletion
10.1 Upon Termination
Upon termination of your account or the agreement, we will:
- At your choice, delete or return all personal data to you
- Delete existing copies of personal data (except where required by law)
- Provide confirmation of deletion upon request
10.2 Retention Exceptions
We may retain personal data to the extent required by applicable law, legal holds, or to establish, exercise, or defend legal claims.
11. Limitation of Liability
Our liability under this DPA is subject to the limitations of liability set out in our Terms of Service. This DPA does not limit either party's liability for violations of GDPR.
12. Term and Termination
This DPA takes effect on the date you first use the Service and continues until the termination of your account or the Terms of Service, whichever is earlier.
13. Governing Law
This DPA is governed by the same law as the Terms of Service. For GDPR compliance matters, the GDPR and applicable EU member state laws shall apply.
14. Contact Us
For questions about this Data Processing Agreement or GDPR compliance, contact us at:
- Legal Inquiries: legal@magpiemeetings.com
- Privacy Inquiries: privacy@magpiemeetings.com
For all contact options, visit our Contact page.