Data Processing Agreement
This DPA forms part of the agreement between your business ("Data Controller") and Calenxo (Pty) Ltd ("Data Processor") for the provision of the Calenxo booking platform.
Last updated: March 2026
Definitions
The following terms have specific meanings within this agreement:
- Personal Data: Any information relating to an identified or identifiable natural person processed through the Service.
- Processing: Any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, and deletion.
- Sub-processor: Any third party engaged by Calenxo to process Personal Data on behalf of the Data Controller.
- Data Subject: An identified or identifiable natural person whose Personal Data is processed.
- Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.
Scope & Purpose
Calenxo processes Personal Data solely for the purpose of providing the Service as instructed by the Data Controller. This includes:
- Managing customer bookings, appointments, and schedules
- Sending booking confirmations, reminders, and notifications
- Providing analytics, reporting, and business insights to the Data Controller
- Processing WhatsApp communications on behalf of the Data Controller
- Maintaining customer records and service history
Calenxo will not process Personal Data for any purpose other than those specified in this DPA or as instructed by the Data Controller in writing.
Categories of Data Processed
The following categories of Personal Data are processed through the Service:
| Category | Examples |
|---|---|
| Identity data | Customer names, phone numbers, email addresses |
| Booking data | Appointment history, service details, scheduling preferences |
| Communication data | WhatsApp messages, notification logs, consent records |
| Service preferences | Notes, preferred providers, service history |
| Consent records | Marketing opt-in/out, communication preferences, timestamps |
No special categories of data (health, biometric, etc.) are intentionally collected. Data Controllers should not include such data in free-text fields unless they have obtained explicit consent.
Obligations of the Data Processor
Calenxo shall:
- Process Personal Data only on documented instructions from the Data Controller, unless required by law
- Ensure that all persons authorised to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures as described in Section 8
- Not engage another sub-processor without prior written authorisation of the Data Controller
- Assist the Data Controller in responding to Data Subject requests (access, correction, deletion, portability)
- Assist the Data Controller in ensuring compliance with breach notification, data protection impact assessments, and prior consultation obligations
- Delete or return all Personal Data upon termination of the Service, at the Data Controller's choice
- Make available all information necessary to demonstrate compliance and allow for audits
Obligations of the Data Controller
As the Data Controller, you are responsible for:
- Lawful basis: Ensuring you have a valid legal basis for collecting and processing your customers' Personal Data
- Transparency: Informing Data Subjects about the processing of their data, including the use of Calenxo as a processor
- Data accuracy: Ensuring that Personal Data provided to Calenxo is accurate, relevant, and not excessive
- Rights requests: Managing and responding to Data Subject rights requests, with assistance from Calenxo where needed
Sub-processors
Calenxo uses the following sub-processors to deliver the Service. Each sub-processor is bound by a data processing agreement:
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner | Infrastructure hosting | South Africa / EU |
| Resend | Transactional email delivery | United States |
| Stripe | Payment processing | United States / Ireland |
| Meta (WhatsApp) | Messaging platform | United States / EU |
| Amazon S3 | File storage (encrypted at rest) | EU |
We will notify you at least 30 days before adding or replacing a sub-processor, giving you the opportunity to object. If you reasonably object and we cannot accommodate your concern, you may terminate the affected Service.
International Data Transfers
Where Personal Data is transferred outside of South Africa or the European Economic Area, Calenxo ensures appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): Approved by the European Commission, incorporated into agreements with all relevant sub-processors
- POPI Act compliance: Transfers comply with Section 72 of the Protection of Personal Information Act
- Adequacy assessments: We assess the data protection laws of recipient countries and implement supplementary measures where necessary
Security Measures
Calenxo implements the following technical and organisational measures to protect Personal Data:
- Encryption: TLS 1.2+ for data in transit, AES-256 for data at rest, encrypted backups
- Access controls: Role-based access with multi-tenant isolation ensuring strict data separation
- Monitoring: Comprehensive audit logging of all data access and automated anomaly detection
- Testing: Regular security audits, penetration testing, and vulnerability assessments
- Data retention: Automated enforcement of configurable retention periods with secure deletion
- Incident response: Documented incident response procedures with defined escalation paths
Data Breach Notification
In the event of a Personal Data breach, Calenxo will follow this notification procedure:
| Timeframe | Action |
|---|---|
| Within 72 hours | Notify the Data Controller of the breach, including its nature and scope |
| Initial report | Categories and approximate number of Data Subjects affected, likely consequences |
| Follow-up | Measures taken or proposed to address the breach and mitigate its effects |
| Ongoing | Cooperate with the Data Controller and supervisory authorities as required |
Calenxo will document all breaches, including facts, effects, and remedial actions taken, regardless of whether notification to the supervisory authority is required.
Data Subject Rights
Calenxo provides built-in tools to assist Data Controllers in responding to Data Subject rights requests:
- Access: Customer data export functionality to provide Data Subjects with a copy of their data
- Rectification: Customer record editing to correct inaccurate or incomplete Personal Data
- Erasure: Customer data deletion with cascading removal across all related records
- Portability: JSON and CSV data export in structured, machine-readable formats
- Restriction: Ability to restrict processing of specific customer records while retaining the data
- Objection: Marketing consent withdrawal and communication preference management
Calenxo will assist the Data Controller in fulfilling requests within the legally required timeframe (30 days under GDPR, 30 days under POPIA).
Audits & Compliance
To demonstrate compliance with this DPA and applicable data protection laws:
- Calenxo will make available all information reasonably necessary to demonstrate compliance with data processing obligations
- The Data Controller may conduct audits, including inspections, with reasonable notice (at least 30 days) and during normal business hours
- Audits shall be conducted no more than once per year unless a Data Breach or regulatory investigation necessitates an additional audit
- Calenxo may provide an independent third-party audit report (e.g., SOC 2) as an alternative to on-site audits, at its discretion
Duration & Termination
This DPA remains in effect for the duration of the Service agreement. Upon termination:
Governing Law
This DPA is governed by the laws of the Republic of South Africa, including the Protection of Personal Information Act (POPIA). Where applicable, the EU General Data Protection Regulation (GDPR) also applies.
In the event of a conflict between this DPA and the main Service agreement, this DPA shall take precedence with respect to the processing of Personal Data.
Contact & Download
For questions about this DPA or to exercise your rights under it: