GDPR Data Processing Agreement
Last Updated: April 17, 2026
This Data Processing Agreement ("DPA") supplements the Terms of Service ("Agreement") between CozyCal Scheduling Inc ("CozyCal") and the Customer, and applies where CozyCal processes Personal Data subject to the EU General Data Protection Regulation or the UK GDPR (together, "Data Protection Laws"). By accepting the Agreement, Customer accepts this DPA on behalf of itself and, to the extent required, its Controllers; no separate signature is required. Capitalized terms not defined here have the meanings given in the Agreement or the GDPR.
1. Roles
Customer is the Controller of Personal Data it submits through the Service. CozyCal is the Processor, acting on Customer's documented instructions as set out in the Agreement and this DPA. Customer is responsible for having a lawful basis for processing and for obtaining any necessary consents.
CozyCal may separately act as Controller for data relating to the operation and support of the Service (billing, account management, abuse and security prevention, and aggregated or de-identified analytics).
2. Sub-processors
Customer provides general written authorization for CozyCal to engage and replace Sub-processors. The current list is published at www.cozycal.com/subprocessors, and CozyCal will update that list promptly after engaging a new Sub-processor. Customer may object to a change on reasonable data-protection grounds within 15 days of the update by contacting support@cozycal.com; if the parties cannot resolve the objection, Customer may terminate the affected portion of the Service.
3. Security and Confidentiality
CozyCal maintains commercially reasonable technical and organizational measures appropriate to the risks, in accordance with Article 32 of the GDPR. Personnel authorized to process Personal Data are bound by appropriate obligations of confidentiality.
Security Incident. A "Security Incident" is a confirmed breach leading to unauthorized access to or disclosure of Customer Personal Data. It does not include unsuccessful attempts or activities that do not compromise security. CozyCal will notify Customer without undue delay after a member of its security or engineering team has confirmed a Security Incident has occurred. Notification is not an acknowledgement of fault or liability.
Data Subject Requests. Customer is responsible for responding to data subjects. If CozyCal receives a request directly, it will forward the request to Customer and will not respond except to acknowledge receipt or as required by law.
Information on Request. CozyCal demonstrates Article 28 compliance through the documentation at www.cozycal.com/security.
4. International Transfers
Where CozyCal transfers Personal Data from the EEA or UK to a country without an adequacy decision, the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two, apply, together with the UK International Data Transfer Addendum. The SCCs prevail over this DPA for the transfers to which they apply.
5. Deletion
Deletion of Personal Data on termination is handled as described in the Cancellation and Termination section of the Agreement.
6. Conflicts
If this DPA conflicts with the Agreement, this DPA prevails. Each party's liability under this DPA is subject to the limits in the Agreement, except where prohibited by Data Protection Laws.
Contact
Questions: support@cozycal.com.