Data Processing Agreement
This DPA is incorporated by reference into the OpenYourDiary subscription terms. By subscribing, the trader (Controller) and OpenYourDiary (Processor) agree to the following.
1. The parties
- Controller — the trader who subscribes to OpenYourDiary, identified by the account email at signup.
- Processor — OpenYourDiary, operated by Alex Elderfield, sole trader, United Kingdom. Contact: support@openyourdiary.com.
"Personal data", "processing", and "data subject" have the meanings given in the UK GDPR.
2. Subject matter and duration
The Processor operates the OpenYourDiary enquiry-form service on behalf of the Controller. Processing continues for the duration of the subscription and for the data retention periods set out in our privacy policy.
3. Nature and purpose of processing
The Processor handles personal data in order to:
- receive enquiries from the Controller's customers via a public web form;
- store those enquiries;
- notify the Controller by email and (if enabled) SMS;
- produce optional AI-generated summaries of the enquiry text;
- provide the Controller with a dashboard to read, acknowledge, and respond to enquiries.
4. Categories of data subjects
- The Controller's customers and prospective customers who submit enquiries.
5. Categories of personal data
- Identity data: name.
- Contact data: email address, phone number.
- Location data: postcode and free-text address provided by the customer.
- Enquiry data: the free-text message and any structured fields the Controller has configured on their form.
The Processor does not knowingly collect special-category data and asks Controllers not to configure forms in ways that solicit it.
6. Sub-processors
The Controller authorises the Processor's current list of sub-processors as published in the privacy policy. Each sub-processor is bound by data protection obligations equivalent to those in this DPA.
The Processor will give the Controller at least 14 days' notice by email before adding or replacing a sub-processor materially involved in processing customer personal data. The Controller may object on reasonable data-protection grounds; if no acceptable alternative can be agreed, the Controller may terminate the affected service.
7. International transfers
Where personal data is transferred outside the UK or EEA (e.g. to US-headquartered sub-processors), the Processor ensures an appropriate transfer mechanism is in place — Standard Contractual Clauses, the UK International Data Transfer Addendum, or an adequacy decision.
8. Security
The Processor implements appropriate technical and organisational measures including:
- TLS-in-transit on all customer-facing endpoints;
- encryption-at-rest for the primary database;
- tenant isolation enforced at the database query layer;
- signed-webhook verification on inbound integrations;
- least-privilege secrets management;
- structured request-tagged logging for incident response;
- routine application and dependency updates.
9. Data subject rights
The Processor will assist the Controller in responding to data-subject requests (access, rectification, erasure, restriction, portability, objection) by providing self-serve export and delete tooling in the Controller's dashboard, and by handling escalations sent to support@openyourdiary.com. Requests will be actioned within 30 days.
10. Personal data breaches
The Processor will notify the Controller without undue delay, and within 72 hours where feasible, of any confirmed personal data breach affecting the Controller's data. Notification will include the nature of the breach, categories and approximate volume of data subjects and records affected, likely consequences, and measures taken or proposed.
11. Audits
On reasonable written request, and subject to confidentiality, the Processor will provide information necessary to demonstrate compliance with this DPA. For traders on the standard subscription plan this is satisfied by written documentation; on-site audits are available by separate written agreement.
12. Return and deletion
On termination of the subscription, the Processor will permanently delete the Controller's customer personal data after a reasonable wind-down period (no longer than 90 days), or on earlier written request, save where retention is required by law. Backup copies are deleted on the next regular backup-retention cycle.
13. Liability
Liability under this DPA is governed by the OpenYourDiary subscription terms. Nothing in this DPA limits a party's statutory liability under the UK GDPR.
14. Governing law
This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction over any dispute arising out of or in connection with it.
This DPA is the beta-stage version. We will replace it with a counsel-reviewed version before broader launch.