Data Protection Addendum

1. Definitions

In addition to the defined terms set out in the Skhedio Partner Terms of Business, the following words and expressions shall have the following meanings:

2. Roles and Compliance with Data Protection Laws

2.1 Roles

The parties acknowledge and agree that:

• The Partner is the Controller of Partner Customer Data (data about the Partner's customers)
• Skhedio is the Processor of Partner Customer Data when processing it on behalf of the Partner
• Skhedio is an independent Controller of data it collects directly from End Users through the marketplace

2.2 Partner Obligations

The Partner shall:

• Comply with all applicable Data Protection Laws in respect of its use of the Services
• Ensure it has obtained all necessary consents and provided all necessary notices to Data Subjects
• Ensure that its instructions to Skhedio comply with Data Protection Laws
• Be responsible for the accuracy, quality, and legality of Personal Data provided to Skhedio

2.3 Skhedio Obligations

Skhedio shall:

• Process Personal Data only on documented instructions from the Partner
• Ensure that persons authorised to process Personal Data are subject to confidentiality obligations
• Implement appropriate technical and organisational security measures
• Assist the Partner in responding to Data Subject requests
• Assist the Partner with data protection impact assessments where required

3. Description of Processing

4. Technical and Organisational Security Measures

Skhedio implements and maintains appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. These measures include:

Technical Measures

• Encryption in transit: All data transmitted using TLS/SSL with HSTS enforcement
• Encryption at rest: Passwords hashed using bcrypt, sensitive data encrypted in database
• Authentication: Secure OAuth 2.0 (Google, Facebook, Apple) with session validation
• CSRF protection: Custom header validation and SameSite cookie policies
• Rate limiting: Brute-force protection on authentication endpoints (5 attempts/minute)
• XSS prevention: Content Security Policy (CSP) headers and input sanitization
• Session security: HttpOnly, Secure, SameSite cookies with database-backed sessions
• Multi-tenant isolation: All queries filtered by user/business ownership
• Input validation: Schema-based validation on all API endpoints
• Security headers: X-Frame-Options, X-Content-Type-Options, Referrer-Policy
• Password security: Session invalidation on password change

Infrastructure Security

• Database connections secured with TLS and certificate validation
• Connection pooling with automatic cleanup and retry logic
• Environment-based security enforcement (production vs development)
• Audit logging for administrative actions

Organisational Measures

• Confidentiality agreements with personnel
• Security awareness training
• Access limited to authorised personnel on a need-to-know basis
• Incident response procedures
• Regular review of security measures

5. Security Breaches and Data Subject Requests

5.1 Notification

Skhedio shall notify the Partner without undue delay (and in any event within 72 hours) after becoming aware of a Security Breach affecting Personal Data processed on behalf of the Partner.

5.2 Breach Information

The notification shall include:

• A description of the nature of the breach
• The categories and approximate number of Data Subjects affected
• The likely consequences of the breach
• Measures taken or proposed to address the breach

5.3 Cooperation

Skhedio shall cooperate with the Partner and take reasonable steps to assist in the investigation, mitigation, and remediation of any Security Breach.

6. Data Subject Requests and Assistance

Skhedio shall:

• Promptly notify the Partner if it receives a request from a Data Subject to exercise rights under Data Protection Laws
• Provide reasonable assistance to enable the Partner to respond to such requests within required timeframes
• Provide functionality within the platform for Partners to access, export, and delete customer data
• Not respond directly to Data Subject requests unless authorised by the Partner or required by law

7. Sub-processing

7.1 Authorised Sub-processors

The Partner authorises Skhedio to engage sub-processors to provide the following platform capabilities:

• Subscription payment processing - Secure billing for Partner subscriptions
• Email notifications - Booking confirmations, reminders, and platform communications
• SMS notifications - Appointment reminders and alerts
• Maps and location services - Business location display
• Image storage - Business photos and media
• Authentication - Secure sign-in services
• Database and hosting - Secure data storage and platform infrastructure

A current list of sub-processors and their locations is available upon request by contacting info@skhedio.com.

7.2 Sub-processor Requirements

Skhedio shall:

• Enter into written agreements with Sub-processors imposing data protection obligations no less protective than this DPA
• Remain liable for the acts and omissions of its Sub-processors
• Notify the Partner of any intended changes to Sub-processors

7.3 Objection Right

The Partner may object to any new Sub-processor by providing written notice within 14 days of notification. If the objection is not resolved, the Partner may terminate the affected Services.

8. International Transfers

Personal Data may be transferred to and processed in countries outside New Zealand, including countries that may not have equivalent data protection laws. When transferring Personal Data internationally, Skhedio shall ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Binding Corporate Rules where applicable
• Transfers to countries with adequacy decisions
• Other legally recognised transfer mechanisms

Skhedio shall provide information about the specific transfer mechanisms used upon request.

9. Audit and Records

9.1 Records

Skhedio shall maintain records of processing activities carried out on behalf of the Partner, including the categories of processing, transfers, and security measures implemented.

9.2 Audit Rights

Upon reasonable notice, Skhedio shall make available to the Partner information necessary to demonstrate compliance with this DPA. This may include:

• Completion of security questionnaires
• Provision of relevant certifications or audit reports
• Responses to reasonable information requests

9.3 On-site Audits

On-site audits may be conducted with reasonable advance notice (minimum 30 days) and subject to confidentiality obligations. The Partner shall bear the costs of any such audit unless the audit reveals material non-compliance by Skhedio.

10. Deletion or Return of Data

Upon termination of the Agreement or upon the Partner's request:

• Skhedio shall delete or return all Personal Data to the Partner (at the Partner's election)
• Deletion shall occur within 30 days of the request or termination
• Skhedio may retain Personal Data to the extent required by applicable law
• The Partner may export their data at any time through the platform's data export features

Upon request, Skhedio shall certify in writing that it has complied with deletion requirements.

11. Limitation of Liability

The liability of each party under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement.

Each party shall be liable to the other for any direct losses, damages, costs, or expenses arising from its breach of this DPA, subject to the caps and exclusions in the Agreement.

Nothing in this DPA excludes or limits either party's liability for fraud, death or personal injury caused by negligence, or any other liability that cannot be excluded by law.