Data Processing Agreement

Last updated: 11 June 2026

This Data Processing Agreement ("DPA") forms part of the agreement between you (the "Controller" — the practice or practitioner using booki) and booki Health Ltd (the "Processor") for your use of booki. It governs booki's processing of personal data relating to your clients on your behalf. It takes effect when you accept booki's Terms of Service. Capitalised data-protection terms have the meaning given in the UK GDPR and Data Protection Act 2018 ("Data Protection Law").

1. Roles

You are the Controller of your clients' personal data; booki is the Processor. booki processes that data only to provide the service and only on your documented instructions (which include your use of the service's features and these terms). booki is the controller of your own account and billing data, which is covered by the Privacy Policy.

2. booki's obligations

booki will:

  • process personal data only on your documented instructions, unless required by law (in which case we'll tell you, unless legally prohibited);
  • ensure people authorised to process the data are bound by confidentiality;
  • implement appropriate technical and organisational measures (Annex B);
  • respect the conditions for engaging sub-processors (clause 4);
  • assist you, taking into account the nature of processing, in responding to data-subject requests;
  • assist you with security, breach notification, data protection impact assessments and prior consultation (clauses 5–6);
  • delete or return personal data at the end of the service (clause 7);
  • make available information needed to demonstrate compliance and allow for audits (clause 8).

3. Your obligations

You confirm you have a lawful basis (and, for special-category health data, a valid condition and any required explicit consent) to process your clients' data and to have booki process it. You are responsible for the accuracy of the data you enter and for your own privacy notice to your clients.

4. Sub-processors

You give general authorisation for booki to engage the sub-processors listed in Annex C to help deliver the service. Each is bound by data-protection obligations no less protective than this DPA. We'll give reasonable notice of any intended change (addition or replacement) of a sub-processor; if you reasonably object on data-protection grounds, we'll work with you in good faith to resolve it.

5. Personal data breaches

booki will notify you without undue delay after becoming aware of a personal data breach affecting your data, and provide the information you reasonably need to meet your own notification obligations (which, for you as controller, may include notifying the ICO within 72 hours and notifying affected individuals).

6. Assistance

Taking into account the nature of processing and the information available to us, booki will provide reasonable assistance with data-subject rights requests, data protection impact assessments and prior consultations with the ICO.

7. Return or deletion

On termination, or when a trial lapses without you subscribing, booki provides export tools so you can retrieve your data, then deletes your practice's personal data in line with the retention timeline in the Terms (read-only window, then permanent deletion), except where the law requires us to retain limited records.

8. Audit

booki will make available, on reasonable written request, the information necessary to demonstrate compliance with this DPA. Audits will be conducted on reasonable notice, no more than once a year (except following a breach or where required by a regulator), and subject to confidentiality.

9. International transfers

booki keeps personal data in the UK/EEA where possible. Where a sub-processor processes data outside the UK/EEA, an appropriate transfer mechanism applies (UK IDTA/Addendum or EU Standard Contractual Clauses), together with the provider's data-protection commitments.

10. General

If there is any conflict between this DPA and the Terms of Service on data-protection matters, this DPA prevails. This DPA is governed by the laws of England and Wales.


Annex A — Details of processing

  • Subject matter: provision of the booki practice-management service.
  • Duration: for the term of your use of booki, plus the retention period in the Terms.
  • Nature & purpose: storage, scheduling, record-keeping, invoicing/payments, and communications carried out on your instructions.
  • Types of data: client contact details, dates of birth, appointment and payment history, clinical/health notes, and communications you create.
  • Categories of data subjects: your clients (and, where you add them, their emergency contacts).
  • Special categories: health data contained in clinical records.

Annex B — Technical & organisational measures (TOMs)

  • Encryption: TLS/HTTPS in transit; encryption at rest for the database and file storage.
  • Access control: row-level security scoping each practice's data; authentication with hashed passwords; least-privilege access to production; service keys kept server-side only.
  • Data residency: primary database and email sending hosted in the EU/UK (London region).
  • Network & platform: security headers (CSP, HSTS), HTTPS-only, platform-level DDoS protection.
  • Segregation: multi-tenant isolation enforced at the database (RLS) and application layers.
  • Resilience: managed, backed-up database infrastructure provided by our hosting sub-processors.
  • Organisational: confidentiality obligations on personnel; secret-rotation procedures; a documented breach-response procedure.

Annex C — Approved sub-processors

  • Supabase — database & file storage (EU/London).
  • Vercel — application hosting & CDN.
  • Amazon Web Services (SES) — transactional email (eu-west-2, London).
  • Twilio — SMS messaging (optional add-on).
  • Stripe — payments & subscription billing.
  • Anthropic — AI-assisted features; minimum necessary data only; no training on your data.

Contact

Questions about this DPA? Email admin@booki.health.