1. Definitions

The following terms have the meanings set forth below: "Controller" means the entity determining the purposes and means of processing personal data (the Provider). "Processor" means the entity processing personal data on behalf of the Controller (Suitespace). "Personal Data" means any information relating to an identified or identifiable individual. "Processing" means any operation performed on personal data, including collection, storage, transmission, or deletion. "Applicable Laws" means GDPR, KVKK, PIPEDA, and other data protection laws that may apply based on the Controller's operations. "Sub-Processor" means any third party engaged by Suitespace to assist in processing personal data.

2. Roles of the Parties

3. Nature and Purpose of Processing

Suitespace processes personal data for the following purposes: Providing the booking and scheduling platform Storing Customer data on behalf of the Provider Managing communications, notifications, and reminders Supporting Provider account management functions Providing analytics and performance insights Hosting provider websites or booking pages Ensuring platform security and fraud prevention Suitespace does not process Customer data for its own purposes or share it with unauthorized third parties.

4. Types of Personal Data Processed

Personal data processed may include: Customer name Customer email address Customer phone number (if collected) Booking details (date, time, service type) Service-related notes Event or attendance details Device/IP information Other data the Provider uploads voluntarily Suitespace does not process financial card data, as payments are handled directly by Stripe.

5. Provider Responsibilities (controller Obligations)

Provider agrees to: Comply with all Applicable Laws Provide legally required privacy notices to Customers Obtain valid consent where required (GDPR/KVKK) Ensure Customer data is lawfully collected Respond to Customer requests for access, deletion, or correction Use Suitespace only for lawful purposes Determine appropriate data retention periods Suitespace is not responsible for Provider-specific compliance obligations.

6. Suitespace Responsibilities (processor Obligations)

Suitespace agrees to: Process personal data only on documented instructions from Provider Implement appropriate technical and organizational security measures Ensure personnel with access to data are bound by confidentiality Assist the Provider with data subject requests (when feasible) Notify the Provider of data breaches without undue delay Delete or return Customer data after termination, subject to legal retention requirements Provide information necessary to demonstrate compliance with this DPA Suitespace does not independently determine the purpose or means of personal data processing.

7. Sub-processors

Suitespace may engage the following Sub-Processors: Amazon Web Services (AWS) – Hosting and storage Stripe – Payment processing Email delivery providers Analytics service providers (if enabled by Provider) Customer communication services Suitespace ensures Sub-Processors are bound by data protection obligations similar to those in this Agreement. Provider authorizes the use of Sub-Processors.

8. International Data Transfers

Personal data may be transferred to and processed in the United States (AWS us-east-1). Suitespace implements appropriate safeguards, including: Standard Contractual Clauses (where applicable) Encryption at rest and in transit Access controls and monitoring By using Suitespace, Provider acknowledges these transfers.

9. Security Measures

Suitespace implements industry-standard security measures, including: Encryption of data in transit (TLS) Encryption of data at rest Restricted personnel access Two-factor authentication for internal systems Firewall and intrusion detection systems Regular security audits and monitoring Data redundancy and backup Suitespace may update security measures as technology evolves.

10. Data Subject Rights

Suitespace assists Providers in fulfilling requests from data subjects (Customers), including: Access requests Correction requests Deletion requests Data export requests Objections or withdrawal of consent Requests should be directed to the Provider. Suitespace will support Provider where reasonably possible.

11. Data Retention

Upon Provider account termination: Customer booking data is retained for 12 months Financial transaction logs are retained for 5 years System logs may be retained for security purposes After retention periods expire, data is deleted or anonymized.

12. Data Breach Notification

Suitespace will notify the Provider without undue delay upon confirming a personal data breach involving Customer data. Notification will include: Nature of the breach Categories of affected data Estimated number of data subjects affected Likely consequences Mitigation measures taken Provider is responsible for notifying regulators or affected Customers when required by law.

13. Audits

Suitespace will make available documentation necessary to demonstrate compliance with this DPA. Formal audits may be conducted only: If required by law If security circumstances require it Upon mutual written agreement

14. Termination

This DPA remains in effect as long as Suitespace processes personal data on behalf of the Provider. Upon termination: Access to data is removed Data is deleted after applicable retention periods Provider may request a final export of Customer data

15. Governing Law and Jurisdiction

This DPA is governed by the laws of the Province of Ontario and the federal laws of Canada. Any disputes shall be resolved exclusively in the courts of Toronto, Ontario.

16. Contact Information

Suitespace Inc. support@suitespace.app privacy@suitespace.app