Template — Not a Signed Agreement

This document is a template provided by Rendevy for your convenience. It is not a legally executed Data Processing Agreement. Before signing or relying on this document:

  • Review the document with your qualified legal counsel.
  • Fill in every field marked with [SQUARE BRACKETS].
  • Confirm that all details are accurate and current before execution.
  • Retain a signed copy for your records.
Section 01

Parties and Definitions

This Data Processing Agreement ("DPA") is entered into between the parties identified below and forms part of the Service Agreement between them. This DPA governs the processing of personal data by Rendevy on behalf of the Customer in connection with the provision of Rendevy's appointment booking and management services.

Data Controller (Customer)

Legal business name:
[Full Legal Business Name]

Trade licence number:
[Trade Licence No.]

Registered address:
[Full Registered Address]

Represented by:
[Authorised Representative Name], [Title]

Contact email:
[Email Address]

Data Processor (Rendevy)

Legal name:
Rendevy Platform

Jurisdiction:
United Arab Emirates

Contact:
privacy@curiousstack.co

Represented by:
Its authorised representative

1.2 Definitions

Personal Data
Any information relating to an identified or identifiable natural person, as defined under the UAE PDPL and/or GDPR.
Processing
Any operation performed on personal data, whether or not by automated means, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
Data Subject
The natural person to whom the personal data relates; in this context, the Controller's clients or patients who interact with the booking service.
UAE PDPL
Federal Decree-Law No. 45 of 2021 on Personal Data Protection, as amended or supplemented from time to time.
GDPR
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, where applicable.
Sub-processor
Any third party engaged by the Processor to carry out processing activities on behalf of the Controller in connection with the services.
Security Incident
Any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
Service Agreement
The subscription or services agreement between the parties governing the Customer's use of the Rendevy platform, of which this DPA forms a part.
Controller / Customer
The party identified above as Data Controller; the clinic, salon, or business entity that determines the purposes and means of processing.
Processor / Rendevy
Rendevy Platform, which processes personal data on behalf of and under the instruction of the Controller.
Section 02

Subject Matter and Duration

2.1 Subject Matter

The Processor provides the Controller with a Software-as-a-Service (SaaS) appointment booking and management platform that enables the Controller's clients and patients to book, reschedule, and cancel appointments via WhatsApp, and enables the Controller to manage its schedule, staff, and client records.

In connection with providing these services, the Processor will process personal data on behalf of and under the documented instructions of the Controller.

2.2 Processing Activities

The processing activities covered by this DPA include: storage and retrieval of client and patient personal data; transmission of appointment reminders and notifications via WhatsApp and email; processing of booking requests by the AI-powered conversational agent; and maintenance of audit and access logs.

2.3 Duration

This DPA is effective from [Effective Date] and remains in force for the duration of the Service Agreement between the parties. Upon expiry or termination of the Service Agreement, this DPA remains effective solely to the extent required to govern the Processor's obligations during the data return and deletion period described in Section 6.9.

Section 03

Nature and Purpose of Processing

3.1 Nature of Processing

The Processor carries out the following types of processing operations: collection, storage, retrieval, transmission, and deletion of personal data.

3.2 Purpose

The Processor processes personal data for the sole purpose of providing the appointment booking, scheduling, reminder, and management services as described in the Service Agreement. The Processor will not process personal data for any other purpose, including its own commercial interests, advertising, or analytics, unless expressly authorised in writing by the Controller.

Instruction limitation: The Processor acts only on documented instructions from the Controller. The Service Agreement, this DPA, and any written instructions provided by the Controller constitute the complete set of processing instructions. If the Processor believes any instruction violates applicable law, it will notify the Controller immediately in writing.
Section 04

Categories of Personal Data and Data Subjects

4.1 Data Subjects

The personal data processed under this DPA relates to clients and patients of the Controller who interact with the appointment booking service, including individuals who initiate contact via the WhatsApp chatbot and individuals whose appointments are created or managed by the Controller's staff.

4.2 Categories of Personal Data

  • Full name
  • WhatsApp phone number (used as the primary identifier within the platform)
  • Email address (where provided voluntarily)
  • Appointment history (dates, times, assigned staff member, location)
  • Preferred language
  • Consent records (timestamp and version of consent given)

4.3 Special Categories — Health Data

Where the Controller operates a medical clinic, physiotherapy practice, mental health service, or other health-related business, appointment data may constitute health data as defined under UAE Federal Law No. 2 of 2019 on using information and communication technology in health fields.

Controller warranty: The Controller warrants that it holds a valid and documented lawful basis for processing health data and for sharing such data with the Processor. The Controller further warrants that it has provided appropriate notice to data subjects and, where required, obtained their consent for processing health-related information.

4.4 No Processing of Sensitive Data by Default

The Processor's platform is designed for appointment scheduling only. The Processor does not intentionally collect clinical notes, diagnoses, treatment records, financial account details, or other sensitive personal data beyond the categories listed in Section 4.2. The Controller is responsible for instructing its clients not to share such information via the chatbot.

Section 05

Controller Obligations

The Controller represents, warrants, and undertakes that:

  1. Lawful basis. It has established and documented a valid lawful basis under the UAE PDPL (and GDPR where applicable) for processing the personal data and for sharing it with the Processor.
  2. Transparency. It has provided data subjects with all information required by the UAE PDPL regarding the nature of processing, including the involvement of the Processor, prior to introducing their personal data into the platform.
  3. Data minimisation. It provides only accurate, adequate, and necessary personal data to the Processor, and will not submit categories of data beyond those listed in Section 4.2 without first notifying and agreeing terms with the Processor.
  4. DPA precedence. It will execute this DPA before introducing any personal data to the platform.
  5. Data subject rights. It will notify the Processor in writing within 48 hours of receiving any data subject rights request (access, erasure, portability, restriction, objection, or rectification) that requires the Processor's assistance.
  6. Authorised access. It will ensure that only appropriately authorised staff access the Processor's admin panel, and that such staff use the platform only for legitimate business purposes in accordance with the Service Agreement.
  7. Credential security. It will maintain the security of admin account credentials and notify the Processor promptly in the event of any suspected unauthorised access to its admin account.
  8. Regulatory changes. It will promptly notify the Processor of any changes in applicable data protection law that the Controller reasonably believes require amendments to this DPA.
Section 06

Processor Obligations

The Processor agrees to the following obligations in connection with processing personal data on behalf of the Controller. These obligations are aligned with the requirements of the UAE PDPL and GDPR Article 28.

6.1 Process Only on Controller's Instructions

The Processor will process personal data only on documented instructions from the Controller. This DPA, the Service Agreement, and any subsequent written instructions constitute such documentation. The Processor will notify the Controller immediately and in writing if it believes any instruction infringes applicable data protection law, and may suspend processing of the affected data pending clarification.

6.2 Confidentiality

The Processor will ensure that all personnel authorised to process personal data under this DPA are subject to binding confidentiality obligations and have received appropriate data protection training. Access to personal data is granted on a strict need-to-know basis and is limited by role and location using the platform's role-based access control (RBAC) system.

6.3 Security Measures

The Processor implements the following technical and organisational security measures, consistent with its obligations under Article 32 GDPR and the UAE PDPL's security requirements:

  • Encryption in transit: All data is transmitted using TLS/HTTPS. Unencrypted transmission is not permitted.
  • Encryption at rest: All personal data stored in Azure CosmosDB is encrypted using Azure-managed encryption keys.
  • Role-based access control (RBAC): Admin panel access is scoped by role (admin, staff) and by location. Staff members can only access records relevant to their assigned location.
  • Audit logging: All access to, and modifications of, personal data records are logged with timestamp and actor identity. Audit logs are retained for a minimum of five years.
  • Secrets management: All API keys, credentials, and secrets are stored in Azure Key Vault and are never embedded in application code or configuration files.
  • Session controls: Admin sessions expire automatically after a period of inactivity. Authentication is required for all admin panel access.
  • Regular security assessments: The Processor conducts periodic reviews of its security posture and addresses identified vulnerabilities in a risk-proportionate manner.
  • Incident response: The Processor maintains documented procedures for detecting, responding to, and notifying affected parties of Security Incidents.

6.4 Sub-processors

The Controller provides general written authorisation for the Processor to engage the sub-processors listed in Schedule 1 (annexed). The Processor will:

  • Impose data protection obligations on all sub-processors that are no less protective than those set out in this DPA;
  • Provide the Controller with at least 14 days' written notice prior to adding or replacing any sub-processor;
  • Remain fully liable to the Controller for the acts and omissions of its sub-processors in relation to personal data.

The Controller may object to the engagement of a new sub-processor within 14 days of receiving notice by notifying the Processor in writing with reasons. If the parties cannot resolve the objection within a further 14 days, the Controller may terminate the Service Agreement without penalty.

6.5 Data Subject Rights Assistance

The Processor will assist the Controller in fulfilling its obligations to respond to data subject rights requests under the UAE PDPL and GDPR, including rights of access, rectification, erasure, portability, restriction, and objection. The Processor provides the following mechanisms for this purpose:

  • Data export: GET /api/clients/<id>/export — returns a structured, machine-readable record of a client's personal data.
  • Data erasure: DELETE /api/clients/<id> — permanently deletes a client record, subject to any legal retention obligations.

The Processor will respond to Controller requests for data subject rights assistance within 5 business days.

6.6 Security Incident Notification

Upon becoming aware of a Security Incident affecting the Controller's personal data, the Processor will:

  1. Notify the Controller without undue delay, with a target of within 24 hours of becoming aware of the incident;
  2. Provide, to the extent then known, the following information: (a) the nature of the incident; (b) the categories and approximate number of data subjects affected; (c) the categories and approximate number of personal data records affected; (d) the likely consequences of the incident; (e) the measures taken or proposed to address the incident and mitigate its effects;
  3. Cooperate with the Controller on any required notification to the UAE Data Office (target: within 72 hours of awareness) and, where applicable, to affected data subjects.

The Processor's obligation to notify does not constitute an admission of fault or liability. The Controller remains responsible for its own regulatory notification obligations.

6.7 Data Protection Impact Assessments

Where required by applicable law, the Processor will provide reasonable assistance to the Controller in conducting data protection impact assessments (DPIAs) relating to the processing activities covered by this DPA, including by making available relevant technical and security documentation.

6.8 Audit Rights

The Controller may, upon at least 30 days' prior written notice and no more than once per calendar year, audit or commission an independent third-party audit of the Processor's compliance with this DPA. Such audits shall be conducted during normal business hours, at the Controller's expense, and in a manner that does not unreasonably disrupt the Processor's operations.

As an alternative to an on-site audit, the Controller may request and rely upon the Processor's then-current security documentation, compliance certifications, and third-party audit reports (e.g. SOC 2 Type II, ISO 27001) as evidence of compliance.

6.9 Data Return and Deletion

Upon termination or expiry of the Service Agreement, the Processor will, at the Controller's written election and within the timeframes below:

  1. Return: Provide all Controller personal data in a structured, machine-readable format (JSON or CSV) within 30 days of the termination date; or
  2. Delete: Securely and irreversibly delete all Controller personal data within 60 days of the termination date.

The Processor may retain personal data beyond these periods where retention is required by applicable UAE law (including health record retention obligations under UAE Federal Law No. 2 of 2019), for the minimum legally required period only, after which such data will be deleted. The Processor will provide written confirmation of deletion upon the Controller's request.

Section 07

International Transfers

7.1 Primary Data Location

The Processor stores Controller personal data primarily in the Azure UAE North data centre, which is located within the UAE. The Processor implements Azure's data residency controls to minimise the movement of personal data outside this region.

7.2 Cross-Border Processing by Sub-processors

Some processing operations necessitate the involvement of sub-processors located outside the UAE, as detailed in Schedule 1. These include WhatsApp messaging delivery (Twilio, United States), AI language processing (Azure OpenAI, UAE North / US inference endpoints), and calendar scheduling (Google, United States / global).

7.3 Safeguards for Cross-Border Transfers

For all transfers of personal data outside the UAE, the Processor ensures that appropriate safeguards are in place, including:

  • Data Processing Agreements with all sub-processors imposing obligations equivalent to those in this DPA;
  • Standard contractual clauses or equivalent transfer mechanisms where required for transfers to non-adequate third countries;
  • Technical safeguards including encryption in transit (TLS) and at rest.

7.4 Health Data — Additional Obligations

For personal data constituting health data under UAE Federal Law No. 2 of 2019, the Processor will take additional steps to minimise cross-border processing. Where cross-border processing is unavoidable (e.g. for AI language model inference), the Processor will notify the Controller in advance and document the safeguards applied.

Section 08

Liability

8.1 General Liability Cap

Each party's total liability under or in connection with this DPA (whether in contract, tort, or otherwise) is subject to the limitations and exclusions set out in the Service Agreement.

8.2 Apportionment

Where a party is held responsible for a breach of this DPA or applicable data protection law, it shall be liable only for the portion of any resulting loss or damage that is attributable to its own fault. Where both parties contributed to a breach, liability shall be apportioned accordingly.

8.3 Controller Indemnity

The Controller shall indemnify and hold harmless the Processor against any claims, fines, penalties, damages, costs, and expenses (including reasonable legal fees) arising from or in connection with: (a) the Controller's failure to establish a valid lawful basis for processing personal data; (b) the Controller's failure to fulfil its transparency obligations to data subjects; or (c) the Controller's breach of any warranty, obligation, or representation under this DPA.

8.4 Processor Indemnity

The Processor shall indemnify and hold harmless the Controller against any claims, fines, penalties, damages, costs, and expenses (including reasonable legal fees) arising from the Processor's breach of its obligations under this DPA, to the extent such breach is attributable to the Processor's fault.

Section 09

Term and Termination

9.1 Term

This DPA is effective for the duration of the Service Agreement and, in respect of the data return and deletion obligations in Section 6.9, for the period thereafter as described in that section.

9.2 Termination for Breach

Either party may terminate this DPA by giving 30 days' written notice to the other party if the other party materially breaches any obligation under this DPA and fails to remedy such breach within 14 days of receiving written notice specifying the breach in reasonable detail.

9.3 Effect of Termination

Upon termination of this DPA, the Processor will carry out the data return or deletion obligations described in Section 6.9. Termination of this DPA does not automatically terminate the Service Agreement, nor does termination of the Service Agreement automatically terminate this DPA except as set out in Section 2.3.

9.4 Survival

The following provisions survive termination or expiry of this DPA: Section 6.9 (data return and deletion), Section 8 (liability), and Section 10 (governing law and disputes).

Section 10

Governing Law and Disputes

10.1 Governing Law

This DPA and any non-contractual obligations arising out of or in connection with it are governed by and construed in accordance with the laws of the United Arab Emirates, including the UAE PDPL (Federal Decree-Law No. 45 of 2021) and applicable federal laws.

10.2 Dispute Resolution

Any dispute arising out of or in connection with this DPA, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of Dubai, UAE. The parties may alternatively agree in writing to refer any dispute to arbitration under mutually agreed arbitration rules.

10.3 Regulatory Authority

Both parties acknowledge the supervisory jurisdiction of the UAE Data Office established under the UAE PDPL. Either party may refer a matter concerning compliance with the UAE PDPL to the UAE Data Office where required by law or regulation.

UAE Data Office

Website: www.uaedataoffice.gov.ae

Section 11

Signatures

By signing below, each party confirms that it has read, understood, and agrees to be bound by this Data Processing Agreement.

On behalf of the Controller (Customer)
Full legal name
[Full Name]
Title / Position
[Title]
Business name
[Business Name]
Date
[DD / MM / YYYY]
Signature
On behalf of the Processor (Rendevy)
Full legal name
[Full Name]
Title / Position
[Title]
On behalf of
Rendevy Platform
Date
[DD / MM / YYYY]
Signature
Execution note: This agreement may be executed electronically (e-signature) or by wet ink signature. Electronic execution via a qualified electronic signature platform (e.g. DocuSign, Adobe Sign) is acceptable and has equivalent legal effect. Each party should retain a signed copy.
Annexure
Schedule 1 — Approved Sub-processors
As of April 2026
Schedule 01

Approved Sub-processors

The following sub-processors are approved by the Controller (general authorisation) for use in connection with the services. The Processor will notify the Controller at least 14 days in advance of any changes to this list, in accordance with Section 6.4.

Sub-processor Service Location DPA Reference
Microsoft Azure
CosmosDB		 Database storage — client records, appointment data, session checkpoints UAE North (primary) Microsoft Online Services DPA
Microsoft Azure OpenAI AI language model inference for conversational booking agent UAE North / United States (inference) Microsoft Online Services DPA
Twilio Inc. WhatsApp messaging delivery and inbound webhook processing United States Twilio DPA
Google LLC
Calendar API		 Staff calendar scheduling — appointment slot availability United States / Global Google Cloud DPA
SendGrid
(Twilio)		 Email appointment reminders and notifications United States Twilio / SendGrid DPA
Microsoft Azure Monitor Application performance monitoring, error logging, and telemetry UAE North (primary) Microsoft Online Services DPA
Sub-processor DPAs: DPAs with each sub-processor are maintained by the Processor and are available on request. The sub-processors' own DPAs are publicly accessible at their respective legal/privacy pages. The Controller may request links to current sub-processor DPAs by emailing privacy@curiousstack.co.

Change Notification Procedure

When the Processor intends to add a new sub-processor or replace an existing one, it will email the Controller's designated contact at least 14 days before the change takes effect. The Controller may object in writing within 14 days. If no objection is received, the updated sub-processor list takes effect on the notified date.