Data Processing Agreement

This DPA forms part of the agreement between your business ("Data Controller") and Calenxo (Pty) Ltd ("Data Processor") for the provision of the Calenxo booking platform.

Last updated: March 2026

1

Definitions

The following terms have specific meanings within this agreement:

Personal Data

Any information relating to an identified or identifiable natural person processed through the Service.

Processing

Any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, and deletion.

Sub-processor

Any third party engaged by Calenxo to process Personal Data on behalf of the Data Controller.

Data Subject

An identified or identifiable natural person whose Personal Data is processed.

Data Breach

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.

2

Scope & Purpose

Calenxo processes Personal Data solely for the purpose of providing the Service as instructed by the Data Controller. This includes:

  • Managing customer bookings, appointments, and schedules
  • Sending booking confirmations, reminders, and notifications
  • Providing analytics, reporting, and business insights to the Data Controller
  • Processing WhatsApp communications on behalf of the Data Controller
  • Maintaining customer records and service history

Calenxo will not process Personal Data for any purpose other than those specified in this DPA or as instructed by the Data Controller in writing.

3

Categories of Data Processed

The following categories of Personal Data are processed through the Service:

Category | Examples
Identity data | Customer names, phone numbers, email addresses
Booking data | Appointment history, service details, scheduling preferences
Communication data | WhatsApp messages, notification logs, consent records
Service preferences | Notes, preferred providers, service history
Consent records | Marketing opt-in/out, communication preferences, timestamps

No special categories of data (health, biometric, etc.) are intentionally collected. Data Controllers should not include such data in free-text fields unless they have obtained explicit consent.

4

Obligations of the Data Processor

Calenxo shall:

  • Process Personal Data only on documented instructions from the Data Controller, unless required by law
  • Ensure that all persons authorised to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organisational security measures as described in Section 8
  • Not engage another sub-processor without prior written authorisation of the Data Controller
  • Assist the Data Controller in responding to Data Subject requests (access, correction, deletion, portability)
  • Assist the Data Controller in ensuring compliance with breach notification, data protection impact assessments, and prior consultation obligations
  • Delete or return all Personal Data upon termination of the Service, at the Data Controller's choice
  • Make available all information necessary to demonstrate compliance and allow for audits

5

Obligations of the Data Controller

As the Data Controller, you are responsible for:

Lawful basis

Ensuring you have a valid legal basis for collecting and processing your customers' Personal Data

Transparency

Informing Data Subjects about the processing of their data, including the use of Calenxo as a processor

Data accuracy

Ensuring that Personal Data provided to Calenxo is accurate, relevant, and not excessive

Rights requests

Managing and responding to Data Subject rights requests, with assistance from Calenxo where needed

6

Sub-processors

Calenxo uses the following sub-processors to deliver the Service. Each sub-processor is bound by a data processing agreement:

Sub-processor | Purpose | Location
Hetzner | Infrastructure hosting | South Africa / EU
Resend | Transactional email delivery | United States
Stripe | Payment processing | United States / Ireland
Meta (WhatsApp) | Messaging platform | United States / EU
Amazon S3 | File storage (encrypted at rest) | EU

We will notify you at least 30 days before adding or replacing a sub-processor, giving you the opportunity to object. If you reasonably object and we cannot accommodate your concern, you may terminate the affected Service.

7

International Data Transfers

Where Personal Data is transferred outside of South Africa or the European Economic Area, Calenxo ensures appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): Approved by the European Commission, incorporated into agreements with all relevant sub-processors
  • POPI Act compliance: Transfers comply with Section 72 of the Protection of Personal Information Act
  • Adequacy assessments: We assess the data protection laws of recipient countries and implement supplementary measures where necessary

8

Security Measures

Calenxo implements the following technical and organisational measures to protect Personal Data:

Encryption

TLS 1.2+ for data in transit, AES-256 for data at rest, encrypted backups

Access controls

Role-based access with multi-tenant isolation ensuring strict data separation

Monitoring

Comprehensive audit logging of all data access and automated anomaly detection

Testing

Regular security audits, penetration testing, and vulnerability assessments

Data retention

Automated enforcement of configurable retention periods with secure deletion

Incident response

Documented incident response procedures with defined escalation paths

9

Data Breach Notification

In the event of a Personal Data breach, Calenxo will follow this notification procedure:

Timeframe | Action
Within 72 hours | Notify the Data Controller of the breach, including its nature and scope
Initial report | Categories and approximate number of Data Subjects affected, likely consequences
Follow-up | Measures taken or proposed to address the breach and mitigate its effects
Ongoing | Cooperate with the Data Controller and supervisory authorities as required

Calenxo will document all breaches, including facts, effects, and remedial actions taken, regardless of whether notification to the supervisory authority is required.

10

Data Subject Rights

Calenxo provides built-in tools to assist Data Controllers in responding to Data Subject rights requests:

Access

Customer data export functionality to provide Data Subjects with a copy of their data

Rectification

Customer record editing to correct inaccurate or incomplete Personal Data

Erasure

Customer data deletion with cascading removal across all related records

Portability

JSON and CSV data export in structured, machine-readable formats

Restriction

Ability to restrict processing of specific customer records while retaining the data

Objection

Marketing consent withdrawal and communication preference management

Calenxo will assist the Data Controller in fulfilling requests within the legally required timeframe (30 days under GDPR, 30 days under POPIA).

11

Audits & Compliance

To demonstrate compliance with this DPA and applicable data protection laws:

  • Calenxo will make available all information reasonably necessary to demonstrate compliance with data processing obligations
  • The Data Controller may conduct audits, including inspections, with reasonable notice (at least 30 days) and during normal business hours
  • Audits shall be conducted no more than once per year unless a Data Breach or regulatory investigation necessitates an additional audit
  • Calenxo may provide an independent third-party audit report (e.g., SOC 2) as an alternative to on-site audits, at its discretion

12

Duration & Termination

This DPA remains in effect for the duration of the Service agreement. Upon termination:

Data return: Upon request, Calenxo will provide all Personal Data to the Data Controller in a structured, commonly used format (JSON or CSV).
Data deletion: All Personal Data will be securely deleted within 30 days of termination, unless retention is required by applicable law.
Confirmation: Calenxo will provide written confirmation of data deletion upon request.

13

Governing Law

This DPA is governed by the laws of the Republic of South Africa, including the Protection of Personal Information Act (POPIA). Where applicable, the EU General Data Protection Regulation (GDPR) also applies.

In the event of a conflict between this DPA and the main Service agreement, this DPA shall take precedence with respect to the processing of Personal Data.

14

Contact & Download

For questions about this DPA or to exercise your rights under it:

Response time: We aim to respond to all DPA inquiries within 5 business days.
