DATA PROCESSING ADDENDUM

Last updated May 28, 2026

This Data Processing Addendum ("DPA") forms part of, and is incorporated by reference into, the Terms of Service and any other written or electronic agreement between OneCal SHPK ("OneCal", "we", "us") and the customer identified in the Account ("Customer", "you") under which we provide the Service (together, the "Agreement").

This DPA governs the processing of Personal Data by OneCal as Processor on behalf of Customer as Controller, in connection with Customer's use of the Service. It reflects the parties' agreement with respect to the Processing of Personal Data and applies to the extent that EU/UK/Swiss Data Protection Laws or other applicable Data Protection Laws apply to that Processing.

This DPA takes effect when you accept the Terms of Service. By using the Service, you accept this DPA on your own behalf and, where applicable, on behalf of the Customer entity you represent. No countersignature is required, but Customers that need a counter-signed copy may request one at contact@onecal.io.

In the event of any conflict between this DPA and the Agreement with respect to the Processing of Personal Data, this DPA prevails. The Annexes form an integral part of this DPA.

1. Definitions

Capitalized terms not defined in this DPA have the meaning given to them in the Agreement. For the purposes of this DPA:

  • "Customer Personal Data" means Personal Data that OneCal Processes on behalf of Customer in the course of providing the Service, as further described in Annex 1.
  • "Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including (i) Regulation (EU) 2016/679 ("GDPR"), (ii) the UK Data Protection Act 2018 and the UK GDPR ("UK GDPR"), (iii) the Swiss Federal Act on Data Protection ("FADP"), (iv) the California Consumer Privacy Act as amended by the CPRA ("CCPA"), and (v) any other applicable equivalent or successor laws.
  • "Controller", "Processor", "Data Subject", "Personal Data", "Processing", and "Special Categories of Personal Data" have the meanings given to them in the GDPR.
  • "Sub-processor" means any third party engaged by OneCal that Processes Customer Personal Data on OneCal's behalf in connection with the Service.
  • "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data Processed by OneCal or its Sub-processors. Security Incident does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, such as unsuccessful log-in attempts, pings, port scans, denial-of-service attacks, or other network attacks on firewalls or networked systems.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to GDPR, as set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
  • "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, version B1.0, in force 21 March 2022.
  • "End User" has the meaning given in the Terms of Service: any person who interacts with content Customer publishes through the Service, including invitees of Customer's Booking Pages and viewers of Customer's Public Calendar Feeds.

2. Scope and Roles of the Parties

Customer is the Controller and OneCal is the Processor for the Personal Data Customer submits to or generates through the Service, including Personal Data of Customer's End Users that Customer collects through Booking Pages, calendar synchronization, and other features Customer makes available to those End Users ("Customer Personal Data"). Where Customer is itself a Processor acting on behalf of a third-party Controller (for example, where Customer is an organization using the Service to process Personal Data on behalf of its own customers), OneCal acts as a Sub-processor and Customer warrants that it has the authority of the underlying Controller to enter into this DPA.

OneCal will Process Customer Personal Data only on documented instructions from Customer, including with regard to international transfers, except where required to do so by applicable law. The Agreement (including this DPA, the Service documentation, the Customer's configuration of the Service, and any instructions issued via the Service's administrative controls) constitutes Customer's complete and final documented instructions to OneCal for the Processing of Customer Personal Data. Additional or alternate instructions must be agreed in writing.

OneCal will inform Customer if, in its opinion, an instruction infringes applicable Data Protection Laws, without obligation to monitor Customer's compliance with those laws.

This DPA applies only to OneCal's Processing of Customer Personal Data on Customer's behalf as Processor. OneCal separately Processes Personal Data as an independent Controller, including Customer's own Account, billing, and contact information; authentication, security, and fraud-prevention metadata used to operate and secure the Service; product analytics OneCal uses to operate and improve the Service; OneCal's own marketing communications sent with the recipient's separate consent; and one-way hashed identifiers of deleted or banned accounts retained for as long as necessary for the legitimate-interest purpose of preventing re-registration and supporting fraud and abuse prevention. That separate Processing is described in, and governed by, OneCal's Privacy Policy, not this DPA.

OneCal will not use Customer Personal Data to train or fine-tune artificial-intelligence or machine-learning models without Customer's express prior permission.

3. Customer Obligations

Customer is responsible for the lawfulness of Customer Personal Data and the means by which Customer acquired it. Customer warrants that it has all necessary rights, lawful bases, consents, and authorizations to Process Customer Personal Data and to instruct OneCal to Process Customer Personal Data on Customer's behalf as described in the Agreement and this DPA, including in connection with calendar events synced from third-party calendar providers and Personal Data of End Users such as booking invitees.

Customer is responsible for providing all required notices to, and obtaining all required consents from, Data Subjects (including End Users) in respect of Customer's Processing of their Personal Data through the Service.

Customer will not submit, and will use reasonable efforts to prevent its End Users from submitting, Special Categories of Personal Data or data subject to special legal regimes that the Service is not designed to handle, as described in the Terms of Service (including but not limited to data subject to HIPAA or GLBA). OneCal is not liable for the Processing of any such data submitted to the Service in breach of this restriction.

Customer acknowledges that the Service depends on third-party calendar providers and that Customer's authorization of those providers, the data made available by them, and their continued availability are outside OneCal's control.

4. Sub-processors

Customer provides OneCal with general written authorization to engage Sub-processors to Process Customer Personal Data in connection with providing the Service.

OneCal maintains a current list of its Sub-processors, including the name, role, and primary location of each Sub-processor, on the Sub-processors page. Customer may consult that list at any time.

OneCal will give Customer prior notice of the addition or replacement of any Sub-processor by updating the Sub-processors page at least 30 days before the change takes effect.

Customer may object to OneCal's appointment of a new Sub-processor on reasonable data-protection grounds by notifying OneCal in writing at contact@onecal.io within 14 days of the notice. If Customer objects, the parties will work together in good faith to resolve the objection. If no resolution can be reached within a reasonable period, Customer may, as its sole remedy, terminate the affected Subscription and receive a pro-rata refund of any Subscription Fees prepaid for the period after termination.

OneCal will enter into a written agreement with each Sub-processor that imposes data-protection obligations no less protective of Customer Personal Data than those imposed on OneCal under this DPA. OneCal remains liable to Customer for the performance of each Sub-processor's obligations under such agreement to the extent provided for in the Agreement.

5. International Data Transfers

OneCal's primary processing infrastructure for Customer Personal Data is located in the United States. OneCal may also need to Process Customer Personal Data anywhere else in the world where OneCal or its Sub-processors maintain operations.

Where OneCal Processes Customer Personal Data subject to the GDPR in a country that is not the subject of a European Commission adequacy decision, the parties incorporate the Standard Contractual Clauses (Module Two: Controller to Processor) into this DPA by reference, with the parties' details, the description of the transfer, and the technical and organizational measures completed as set out in Annex 3, with the following selections: (i) the optional docking clause (Clause 7) applies; (ii) for sub-processor changes, Option 2 (general written authorization) applies with the notice period set out in Section 4; (iii) Clause 17 (governing law) is governed by the law of Ireland; (iv) the forum and jurisdiction under Clause 18 are the courts of Ireland; and (v) Annex I.C identifies the Irish Data Protection Commission as the competent supervisory authority.

Where Customer Personal Data is subject to the UK GDPR, the parties incorporate the UK Addendum into this DPA, with the SCCs above as the "Approved EU SCCs" referenced in the UK Addendum, and with Tables 1 to 3 completed by reference to Annex 3. Either party may end the UK Addendum as set out in Section 19 of the UK Addendum.

Where Customer Personal Data is subject to the FADP, the SCCs apply with the following modifications: (a) references to the GDPR are read as references to the FADP where the FADP applies; (b) the Swiss Federal Data Protection and Information Commissioner is the competent supervisory authority for transfers exclusively subject to the FADP; and (c) the term "Member State" is interpreted not to exclude Data Subjects in Switzerland from exercising rights in their place of habitual residence.

If a competent supervisory authority or court invalidates or limits the SCCs, UK Addendum, or any other transfer mechanism relied on under this DPA, OneCal and Customer will cooperate in good faith to adopt a replacement transfer mechanism that complies with applicable Data Protection Laws.

6. Security

OneCal will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the Processing, and the risk to Data Subjects. A current summary of those measures is set out in Annex 2.

OneCal will ensure that personnel authorized to Process Customer Personal Data are bound by appropriate confidentiality obligations and have received training on their data-protection responsibilities, and will limit access to Customer Personal Data to personnel who need that access to perform their role.

OneCal may update its technical and organizational measures from time to time provided that the updated measures do not materially reduce the level of protection of Customer Personal Data.

7. Security Incident Notification

OneCal will notify Customer without undue delay and, where feasible, no later than seventy-two (72) hours after becoming aware of a Security Incident affecting Customer Personal Data.

Each notification will include, to the extent then known to OneCal: (a) a description of the nature of the Security Incident, including, where possible, the categories and approximate number of Data Subjects and records concerned; (b) the likely consequences of the Security Incident; (c) the measures taken or proposed to address the Security Incident and to mitigate its possible adverse effects; and (d) a contact point at OneCal from which further information can be obtained. Where information cannot be provided at the same time, OneCal will provide it in stages without further undue delay.

OneCal will provide Customer with reasonable assistance to enable Customer to comply with its own notification obligations under applicable Data Protection Laws (including notifications to supervisory authorities and to affected Data Subjects).

OneCal's notification of, or response to, a Security Incident under this Section is not an acknowledgement by OneCal of any fault or liability with respect to the Security Incident.

8. Data Subject Requests and Cooperation

Taking into account the nature of the Processing, OneCal will provide reasonable assistance to Customer, through appropriate technical and organizational measures and insofar as possible, to enable Customer to fulfil its obligation to respond to requests from Data Subjects to exercise their rights under applicable Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, and objection).

If a Data Subject contacts OneCal directly with a request relating to Customer Personal Data, OneCal will, without undue delay, inform the Data Subject that the request should be addressed to Customer, or, where the Data Subject's identifying details allow OneCal to do so, forward the request to Customer. OneCal will not respond to such a request on Customer's behalf except on Customer's documented instructions.

Taking into account the nature of the Processing and the information available to it, OneCal will provide Customer with reasonable assistance with the obligations under Articles 32 to 36 of the GDPR (security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities), at Customer's expense for any out-of-pocket costs incurred by OneCal beyond those reasonably included in the Service.

9. Records and Audits

OneCal will maintain records of Processing activities carried out on Customer's behalf as required by Article 30(2) of the GDPR.

OneCal will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and the obligations of a Processor under Article 28 of the GDPR. In the first instance, Customer's audit right is satisfied by OneCal providing: (a) this DPA and the description of technical and organizational measures set out in Annex 2 and at the OneCal Data Security page; (b) copies of OneCal's then-current third-party certifications, attestations, penetration-test summaries, or audit reports, where available; and (c) reasonable written responses to a standard security questionnaire covering the matters set out in Annex 2, in each case subject to reasonable confidentiality obligations.

If the information provided under the preceding paragraph is not, in Customer's reasonable assessment, sufficient to demonstrate compliance with a specific obligation under this DPA, Customer may submit a written request to contact@onecal.io identifying the matter to be addressed and the additional information required. OneCal will respond in writing within a reasonable period and in any event within thirty (30) days of receipt, providing further information, clarifications, or evidence reasonably available to it, subject to reasonable confidentiality obligations and to any restrictions arising from OneCal's obligations to third parties, the protection of other customers' data, or the protection of OneCal's trade secrets.

If, following completion of the steps in the preceding paragraphs, Customer reasonably believes that the information provided is still insufficient to demonstrate compliance with a specific obligation under this DPA, Customer may, at its expense, conduct an audit of OneCal's data-protection compliance limited to that specific matter, no more than once per twelve-month period (except where required by a supervisory authority or after a Security Incident), subject to: (a) at least sixty (60) days' prior written notice; (b) execution of a confidentiality agreement reasonably acceptable to OneCal; (c) the audit being conducted during regular business hours, in a manner that does not interfere with OneCal's operations, and not extending to data of any other customer, trade secrets, or any system to which access would breach OneCal's obligations to third parties; and (d) the auditor being a reputable independent third party that is not a competitor of OneCal and that has entered into the confidentiality agreement referenced above. The parties will share the audit results and discuss any findings in good faith.

10. Return and Deletion of Customer Personal Data

Customer may delete Customer Personal Data through the Service's functionality at any time during the term of the Agreement. For data export requests, Customer may contact OneCal at contact@onecal.io.

On termination or expiry of the Agreement, OneCal will, at Customer's choice, delete or return all Customer Personal Data to Customer, and delete any existing copies, except to the extent that applicable law requires OneCal to retain the Personal Data, or where the Personal Data is retained in routine encrypted backups that are cycled out and deleted in the ordinary course of OneCal's backup-retention practices.

When the Agreement is terminated, including when Customer deletes their account through the Service, OneCal promptly deletes Customer Personal Data from active production systems. Backup copies are purged as those backups are cycled out in the ordinary course of OneCal's backup-retention practices (typically within seven (7) days). One-way hashed identifiers of deleted or banned accounts may be retained as described in Section 2 (Scope and Roles). Financial records of record are held by OneCal's merchants of record under their own statutory retention periods, and are not retained by OneCal.

11. Liability

Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations of liability set out in the Agreement, and any reference in the Agreement to a party's liability means the aggregate liability of that party under the Agreement and this DPA together. Nothing in this DPA limits or excludes any liability that cannot be limited or excluded under applicable law, including liability under Article 82 of the GDPR.

Customer will not bring duplicative claims under both the Agreement and this DPA in respect of the same loss.

12. California Consumer Privacy Act

Where OneCal Processes Personal Data of California residents on Customer's behalf, OneCal acts as Customer's "service provider" within the meaning of the CCPA. OneCal will: (a) Process such Personal Data only for the limited and specified business purposes set out in this DPA and the Agreement; (b) not Sell or Share such Personal Data (as those terms are defined in the CCPA); (c) not retain, use, or disclose such Personal Data outside the direct business relationship between Customer and OneCal, or for any commercial purpose other than the business purposes set out in this DPA, except as permitted by the CCPA; and (d) not combine such Personal Data with Personal Data received from any other person, except as permitted by the CCPA.

OneCal certifies that it understands the restrictions set out in this Section and will comply with them.

13. General

This DPA takes effect on the date Customer accepts the Agreement and remains in force for as long as OneCal Processes Customer Personal Data, including after termination of the Agreement to the extent of any continued Processing necessary to give effect to Section 10 (Return and Deletion).

OneCal may update this DPA from time to time, including to reflect changes in applicable Data Protection Laws, transfer mechanisms, or OneCal's operations. We will give notice of material changes as described in the Terms of Service. Updates that are required by applicable law, by a supervisory authority, or to reflect a replacement transfer mechanism take effect on the date specified in the notice without requiring further action by Customer.

If any provision of this DPA is found by a court of competent jurisdiction to be invalid or unenforceable, the remaining provisions remain in full force and effect.

Questions about this DPA, requests for a counter-signed copy, requests for an executed copy of the SCCs, or notices required under this DPA may be sent to OneCal at contact@onecal.io. EU-based Data Subjects may also use the channels set out in the "EU/EEA GDPR Representative" section of OneCal's Privacy Policy.


Annex 1: Description of the Processing

Subject matter

OneCal Processes Customer Personal Data as necessary to provide the Service in accordance with the Agreement and Customer's documented instructions, including any features and functionality made available to Customer from time to time.

Duration

For the term of the Agreement, plus the post-termination retention period set out in Section 10.

Nature and purpose

Processing activities include hosting, storing, transmitting, displaying, backing up, securing, and otherwise handling Customer Personal Data as reasonably necessary to deliver, support, and improve the Service in accordance with the Agreement and Customer's instructions.

Categories of Data Subjects

  • Customer's Authorized Users: account holders and other individuals authorized by Customer to use the Service.
  • Customer's End Users: booking attendees and schedulers, workspace invitees, and other persons who interact with content the Customer publishes through the Service or who are invited to scheduled events.

Categories of Personal Data

  • Identification and contact data: such as name, email address, time zone, and similar contact details of Authorized Users and End Users.
  • Account and workspace data: account and team-membership information for Authorized Users, such as role and permission assignments, invitation status, and team affiliations.
  • Calendar data: Personal Data contained in connected calendar event details as exposed by Customer's connected calendar providers. Customer may minimize what is mirrored to destination calendars through the privacy controls available in the Service.
  • Booking data: Booking Page and per-link configuration, and booking event data, including times, attendee details, and custom-field responses, which may contain arbitrary Customer-defined Personal Data.
  • Customer-published content: text, images, links, and other content Customer publishes on Booking Pages and similar surfaces.
  • Communications data sent through the Service on Customer's behalf: outbound transactional and service email content to End Users (such as booking confirmations, reminders, and calendar invites).
  • Support communications: messages, transcripts, and attachments exchanged with OneCal's support channel.
  • Device and mobile-application data: data necessary to operate OneCal's mobile applications, such as push notification tokens and device-level preferences.
  • Integration data: payload contents of outbound webhooks delivered to Customer-provided endpoints, and other Personal Data transmitted through Customer's use of OneCal APIs.

Special categories of Personal Data

The Service is not intended for, and Customer warrants that it will not submit, Special Categories of Personal Data (Article 9 GDPR) or data subject to HIPAA or GLBA. To the extent any such data is submitted in breach of that restriction, it is not part of the Processing contemplated by this DPA.

Frequency of the Processing

Continuous, for the duration of the Agreement.

Retention

As set out in Section 10 of this DPA and in OneCal's Privacy Policy.

Annex 2: Technical and Organizational Measures

OneCal implements technical and organizational measures designed to protect Customer Personal Data in line with Article 32 of the GDPR, including: encryption of Personal Data in transit (TLS) and at rest; private, network-isolated production databases hosted on AWS; role-based access controls and the principle of least privilege for personnel; hashing of high-risk identifiers (API keys, post-deletion account identifiers); webhook signature verification on inbound provider events; automated encrypted backups; logging of security-relevant administrative actions, including impersonation; abuse-prevention controls such as IP-based rate limiting and disposable-email blocklists; automated dependency vulnerability scanning; a documented incident-response procedure; and the execution of data-processing agreements with each Sub-processor.

A current, more detailed description of OneCal's security controls is published at the OneCal Data Security page and forms part of the technical and organizational measures applied to Customer Personal Data under this DPA. OneCal may update the controls described there from time to time provided that any update does not materially reduce the overall level of protection of Customer Personal Data.

Annex 3: Annexes to the Standard Contractual Clauses

This Annex 3 completes the annexes to the Standard Contractual Clauses where they are incorporated under Section 5 of this DPA.

A. List of Parties

Data exporter: Customer, identified in its OneCal Account, acting as Controller, with the contact details Customer provides in its Account.

Data importer: OneCal SHPK, Rruga Gjon Buzuku, Apartamenti nr.2, Kati 7, Tirana, Albania, acting as Processor. Contact: contact@onecal.io. Representative in the EU: Euverify Ltd, Unit 3D North Point House, North Point Business Park, New Mallow Road, Cork, T23 AT2P, Ireland. Email: gdpr@euverify.com.

B. Description of Transfer

The categories of Data Subjects, categories of Personal Data, special categories of data (none, as set out in Annex 1), nature and purpose of the Processing, frequency, duration, and retention are set out in Annex 1.

C. Competent Supervisory Authority

For transfers subject to the GDPR: the Irish Data Protection Commission (21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland). For transfers subject to the UK GDPR: the UK Information Commissioner's Office. For transfers subject only to the FADP: the Swiss Federal Data Protection and Information Commissioner.

II. Technical and Organisational Measures

The technical and organizational measures applied by the data importer are set out in Annex 2.

III. List of Sub-processors

The current list of authorized Sub-processors is published on the OneCal Sub-processors page.