Data Processing Addendum

1. Definitions

2. Roles and Scope

Booko acts as a data processor for Client-controlled data and as an independent data controller for platform operations including fraud prevention, security, billing, and aggregated analytics. Where Booko processes PHI on behalf of a Covered Entity or Business Associate, Booko acts as a Business Associate under HIPAA and the terms of a separately executed Business Associate Agreement ("BAA") shall apply.

3. Data Processing Details

4. Security Measures

Booko implements technical and organizational measures appropriate to the risk presented by the processing, including:

• Encryption in transit: TLS 1.2+ for all data in transit between clients, servers, and third-party services
• Encryption at rest: AES-256 encryption for data at rest in cloud databases and storage services
• Credential encryption: AES-256-GCM encryption for stored integration credentials (API keys, OAuth tokens) with key material managed separately from ciphertext
• API key security: API keys stored as irreversible hashes; encrypted copies available only for authorized display; keys include scoped permissions and expiration dates
• Access controls: Role-based access control (Owner, Admin, Member, Viewer) enforced at application and database layers; row-level security policies on sensitive tables; least-privilege access for all staff
• Authentication: OAuth 2.0 for web sessions; JWT-based authentication for mobile and API access; multi-tenancy isolation with organization-scoped data access
• Webhook security: HMAC signature verification on inbound webhooks (e.g., Stripe, MindBody); HMAC signing on outbound webhook deliveries
• Secret management: Integration credentials stored in Google Cloud Secret Manager; application secrets managed via environment-level configuration
• Audit logging: Immutable audit logs for data modifications including before/after snapshots; ingestion batch lineage tracking; incentive change logs with override justification
• Vulnerability management: Dependency scanning, error monitoring via Sentry, and logging appropriate to the platform
• Network security: Rate limiting on API endpoints; request throttling on external API integrations

5. HIPAA Compliance

Where Client is a Covered Entity or Business Associate under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations, the following additional terms apply:

• Business Associate Agreement: Client and Booko shall execute a BAA prior to Booko receiving or processing any PHI. The BAA incorporates the requirements of 45 CFR Part 160 and Subparts A and E of Part 164. The terms of the BAA shall supersede any conflicting terms in this DPA with respect to PHI.
• Permitted uses and disclosures: Booko will use and disclose PHI only as permitted by the BAA, the minimum necessary standard, and applicable law. Booko will not use or disclose PHI for marketing or sell PHI without express written authorization from Client.
• Safeguards: Booko implements administrative, physical, and technical safeguards consistent with the HIPAA Security Rule (45 CFR Part 164, Subpart C), including access controls, audit controls, integrity controls, transmission security, and workforce training.
• Breach notification: Booko will report to Client any Breach of Unsecured PHI (as defined in 45 CFR 164.402) without unreasonable delay and no later than thirty (30) calendar days after discovery, including the information required under 45 CFR 164.410(c) to the extent reasonably available.
• Subcontractors: Booko will ensure that any subcontractor or sub-processor that creates, receives, maintains, or transmits PHI on behalf of Booko agrees to substantially the same restrictions and conditions that apply to Booko under the BAA.
• Individual rights: Booko will make PHI available to Client as necessary for Client to respond to individuals exercising their rights under HIPAA, including rights of access, amendment, and accounting of disclosures.
• Applicability: The HIPAA provisions in this section apply to Clients whose use of Booko involves processing PHI, such as healthcare, wellness, and medical spa businesses using integrated electronic health record (EHR) systems (e.g., DrChrono). Clients who do not process PHI through Booko are not required to execute a BAA.

6. SOC 2 Compliance

Booko maintains controls aligned with the AICPA Trust Services Criteria:

• Security: Logical and physical access controls, encryption, vulnerability management, and incident response procedures as described in Section 4.
• Availability: Cloud-hosted infrastructure with monitoring, health checks, and alerting; pricing engine deployed on Google Cloud Run with automated health validation during deployment.
• Processing integrity: Audit logs capturing data state before and after modifications; ingestion pipeline lineage tracking with batch-level error and warning reporting; incentive change logs with model version provenance; ML model runs tracked with training configuration, validation metrics, and artifact checksums.
• Confidentiality: Encryption of sensitive credentials, role-based access control, multi-tenancy data isolation, and row-level security policies restricting cross-tenant data access.
• Privacy: Data collection limited to what is necessary for the Services; consent management for SMS communications; data subject access and deletion capabilities; sub-processor transparency.

Upon request, Booko will provide Client with reasonable documentation of its security controls, subject to mutual confidentiality obligations.

7. Sub-Processors

Booko engages the following categories of sub-processors. Booko will notify Client of material changes to this list via the Booko website or email at least thirty (30) days before engaging a new sub-processor. Client may object to a new sub-processor by contacting Booko in writing within that notice period.

Tier definitions. Tier 1 = critical / hosting / data plane. Tier 2 = important / telemetry / AI. Tier 3 = supporting.

Audit-rights flow-down. Booko maintains contractual audit rights against each sub-processor with which Booko holds a direct commercial relationship (typically via DPF, SCCs, or vendor-specific MSAs) and will share relevant third-party attestations (SOC 2 reports, ISO 27001 certificates) with Client on request under NDA. For Customer-provisioned sub-processors (e.g., Databricks workspaces where the Customer holds the commercial agreement and provisions Booko's service-principal credentials), audit rights flow from the Customer's own contract with that provider; Booko will reasonably assist the Customer in exercising those rights but does not independently hold them.

Client-directed integrations: Where Client configures an integration with a third-party booking platform (e.g., MindBody, Mariana Tek, DrChrono), that platform acts as a separate controller or processor under Client's own agreement with that platform. Booko processes data received from these platforms solely to perform the Services.

Specific sub-processors engaged depend on the Services used by Client. Enterprise customers may request a current list of sub-processors applicable to their engagement at any time.

8. Enterprise Integration Data Processing

For enterprise Clients using Booko's dynamic pricing integration, Booko additionally processes data from connected booking platforms. This includes:

• Schedule ingestion: Class and appointment schedules, instructor assignments, location data, and capacity information pulled from Client's booking platform via authenticated API connections
• Inventory tracking: Real-time and point-in-time booking counts, waitlist sizes, fill rates, and occupancy snapshots at regular intervals
• Attendance and redemption: Member identifiers, attendance records, credit redemptions, and fulfillment status received via webhooks or API polling
• Demand forecasting: Historical occupancy aggregates, no-show rates, and late cancellation patterns used to train machine learning models for demand prediction
• Incentive computation: Predicted occupancy, pricing factors, and contextual features used to compute dynamic incentive values and generate promo codes

Integration credentials (API keys, OAuth tokens) are encrypted using AES-256-GCM and stored separately from application data. Raw payloads from external platforms are retained for data integrity verification and are subject to the retention schedule in Section 10.

9. Machine Learning and Automated Decision-Making

Booko uses machine learning models to provide demand forecasting and dynamic pricing recommendations. The following applies to this processing:

• Training data: Models are trained on historical class occupancy data, booking patterns, and temporal features. Training datasets are derived from Client data and are scoped to the Client's organization.
• Model artifacts: Trained model files are stored in Google Cloud Storage with version tracking, checksums, and performance metrics (MAE, RMSE, R-squared).
• Outputs: Model outputs (predicted occupancy, incentive recommendations) are used to inform pricing decisions. Clients retain the ability to override automated incentive values with manual adjustments, which are logged in the incentive change audit trail.
• Model training scope: Model training scope and data isolation are governed by the applicable services agreement between Booko and the Client.
• Third-party foundation models: Where Booko uses third-party large language model APIs (e.g., OpenAI, Anthropic) for the purposes described in Section 7, Booko does not perform additional training, reinforcement learning, or fine-tuning on those foundation models. The applicable vendors' commercial API terms exclude API inputs and outputs from training of their foundation models.
• Human oversight: Enterprise administrators can review, override, and configure all automated pricing decisions through the Booko dashboard. Control group support is available for A/B testing incentive effectiveness.

10. Data Retention

11. International Transfers

Booko processes data primarily in the United States. Where Personal Data is transferred from the European Economic Area, United Kingdom, or Switzerland to the United States, Booko relies on the EU-U.S. Data Privacy Framework (and the UK and Swiss extensions) as applicable, and Standard Contractual Clauses (SCCs) with the UK International Data Transfer Addendum as a supplementary transfer mechanism.

Booko pre-executes Standard Contractual Clauses (SCCs) with each sub-processor with which Booko holds a direct commercial relationship, as a contractual fallback so Booko is not solely dependent on the DPF (acknowledging contested DPF legal status post-Schrems II). Customer-provisioned sub-processors (e.g., Databricks workspaces) operate under the Customer's own SCC arrangements with those providers; Booko's role is processor under credentials issued by the Customer. DPF certification IDs are maintained for each DPF-relying sub-processor at the public DPF registry (dataprivacyframework.gov/list) and refreshed on Booko's vendor-review cadence (Tier 1 annual; Tier 2 and 3 biennial). The current DoC ID snapshot is available to Client on request under NDA. Transfer Impact Assessments (TIAs) are maintained for Tier 1 sub-processors with which Booko holds a direct commercial relationship and reviewed annually; for Customer-provisioned sub-processors, transfer-mechanism assessment rests with the Customer's contract with that provider.

12. Assistance, DPIAs, and Audits

Booko will assist Client with reasonable data subject access, rectification, erasure, and portability requests. Booko will provide reasonable assistance with data protection impact assessments ("DPIAs") and prior consultations with supervisory authorities where required by law. Client may conduct or commission reasonable audits of Booko's data processing practices, subject to confidentiality, reasonable scheduling, and scope limitations. Booko may satisfy audit requests by providing its security controls documentation or equivalent third-party attestation.

Booko maintains an annual vendor due-diligence cadence: Tier 1 sub-processors with which Booko holds a direct commercial relationship reviewed annually; Tier 2 and Tier 3 reviewed biennially or on material change. For Customer-provisioned sub-processors (e.g., Databricks workspaces), vendor due diligence rests with the Customer's contract with that provider; Booko reviews the operational integration on the same cadence and will share its review findings with Client on request under NDA.

13. Incident Response

Booko will notify Client without undue delay, and in any event within forty-eight (48) hours, upon becoming aware of a confirmed personal data breach affecting Client data. Notification will include, to the extent reasonably available: the nature of the breach, categories and approximate number of affected data subjects, likely consequences, and measures taken or proposed to mitigate the breach. Where the breach involves PHI subject to a BAA, Booko will comply with the breach notification requirements specified in the BAA and HIPAA (45 CFR 164.410).

14. Return and Deletion

Upon termination of the Services or upon Client's written request, Booko will delete or return all Personal Data within thirty (30) days, subject to the retention exceptions in Section 10, deletion-authority limits for Customer-provisioned sub-processors (e.g., Databricks workspaces where deletion rights rest with the Customer's contract with that provider), and any applicable legal obligations. Booko will provide written confirmation of deletion upon request. For enterprise Clients, deletion includes removal of organization data, integration credentials, ingestion records, model artifacts, and audit logs (except where retention is required by law).

15. Order of Precedence

If there is a conflict between this DPA and the Terms of Service or Privacy Policy, this DPA controls for the processing of Client Personal Data. If there is a conflict between this DPA and a BAA with respect to PHI, the BAA controls.

16. Contact

For questions about this DPA or to exercise data protection rights, contact Booko at founders@bookoapp.com.