Appointments Data Processing Addendum (DPA) and Subprocessors

Module: Utsav Appointments™ (Privacy & Data Protection)
Document Type: Legal Addendum
Trademark: Utsav Appointments™ is a trademark of MyMahotsav Futuretech Ltd
Effective Date: 24th February 2026
Version: 1.0

Part A: Plain English Summary #

Our Commitment to Data Protection #

This Data Processing Addendum (“DPA”) is a legally binding document that applies when European data protection laws (GDPR, UK GDPR) or the California Consumer Privacy Act (CCPA) require additional protections for personal data. It forms part of our Host Terms.

The Simple Truth #

• Who needs this: This DPA applies automatically if you are subject to GDPR, UK GDPR, or CCPA.

• Your data, your control: You decide what personal data we process, and we follow your instructions.

• We protect your data: We maintain strict security measures and only use sub-processors who meet our standards.

• International transfers: When data crosses borders, we use approved mechanisms (SCCs, UK Addendum, Data Privacy Frameworks).

• Your rights: Data subjects can exercise their rights through you (as the data controller) or through us.

Part B: Legal Terms and Conditions #

1. Introduction and Scope #

1.1 This Data Processing Addendum (“DPA”) is incorporated into and forms part of the Host Terms and Conditions (Document 2) between MyMahotsav Futuretech Ltd (“Utsav Appointments™,” “Processor,” “we,” “us”) and the Customer (“Controller,” “you”).

1.2 This DPA applies to the extent that Utsav Appointments™ processes Personal Data (as defined below) on behalf of Customer in connection with the Services.

1.3 In the event of any conflict between the Host Terms and this DPA, this DPA shall prevail with respect to the processing of Personal Data.

2. Definitions #

In addition to terms defined elsewhere in these documents, for purposes of this DPA:

“CCPA” means the California Consumer Privacy Act of 2018 (Cal. Civ. Code §1798.100 et seq.), as amended by the California Privacy Rights Act of 2020 and its implementing regulations.

“Data Protection Laws” means all applicable laws relating to the processing of Personal Data, including but not limited to (where applicable):

• The General Data Protection Regulation (EU) 2016/679 (“GDPR”)

• The UK General Data Protection Regulation (“UK GDPR”)

• The Swiss Federal Act on Data Protection (“FADP”)

• The California Consumer Privacy Act (“CCPA”)

• India’s Digital Personal Data Protection Act, 2023 (“DPDPA”)

• Any other national implementing laws or regulations

“Data Subject” means the individual to whom Personal Data relates.

“Data Subject Request” means a request by a Data Subject to exercise rights afforded by Data Protection Laws.

“Personal Data” means any Customer Data relating to an identified or identifiable natural person that is processed by Utsav Appointments™ on behalf of Customer in connection with the Services.

“Processing” or “Process” means any operation or set of operations performed on Personal Data, whether by automatic means, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, or erasure.

“Security Breach” means a confirmed breach of Utsav Appointments™’s security measures leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

“Standard Contractual Clauses” or “SCCs” means the European Commission’s implementing decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries.

“Sub-processor” means any third-party processor engaged by Utsav Appointments™ to process Personal Data on behalf of Customer.

“UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner’s Office under S119A(1) Data Protection Act 2018.

3. Processing of Personal Data #

3.1 Roles of the Parties #

3.1.1 Customer is the Controller of Personal Data. Customer determines the purposes and means of processing Personal Data.

3.1.2 Utsav Appointments™ is the Processor of Personal Data on behalf of Customer. We process Personal Data only in accordance with Customer’s documented instructions.

3.2 Details of Processing #

The subject matter, duration, nature, and purpose of processing, as well as the types of Personal Data and categories of Data Subjects, are described in Annex 1 (Details of Processing) attached hereto.

3.3 Customer’s Instructions #

3.3.1 Customer instructs Utsav Appointments™ to process Personal Data for the following purposes:

• Providing the Services in accordance with the Host Terms

• Processing in accordance with Customer’s use of the Services

• As necessary to comply with applicable law

3.3.2 The Agreement (including these DPA terms) constitutes Customer’s complete and final instructions. Any additional instructions outside the scope of the Agreement shall require a written agreement between the parties.

3.3.3 If Utsav Appointments™ reasonably believes that Customer’s instructions violate Data Protection Laws, we will inform Customer promptly and may cease processing until corrected.

4. Obligations of Utsav Appointments™ (Processor) #

4.1 Compliance with Instructions #

Utsav Appointments™ shall process Personal Data only on documented instructions from Customer, unless required to do otherwise by applicable law. If so required, we will inform Customer of that legal requirement before processing, unless prohibited by law.

4.2 Confidentiality #

Utsav Appointments™ shall ensure that any person we authorize to process Personal Data is subject to confidentiality obligations (whether contractual or statutory).

4.3 Security #

Utsav Appointments™ shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex 2 (Security Measures).

4.4 Sub-processors #

4.4.1 Customer authorizes Utsav Appointments™ to engage Sub-processors to process Personal Data. A current list of Sub-processors is maintained at Annex 3.

4.4.2 Utsav Appointments™ shall:

• Enter into written agreements with Sub-processors imposing data protection obligations at least as protective as those in this DPA

• Remain fully liable for Sub-processors’ compliance with this DPA

• Notify Customer of any intended changes concerning the addition or replacement of Sub-processors (by updating Annex 3) at least 30 days in advance

4.4.3 Customer may object to a new Sub-processor by terminating the Agreement within 30 days of notice.

4.5 Data Subject Rights #

4.5.1 Utsav Appointments™ shall reasonably assist Customer in fulfilling Customer’s obligations to respond to Data Subject Requests under Data Protection Laws.

4.5.2 If a Data Subject Request is made directly to Utsav Appointments™, we shall:

• Inform the Data Subject that we are a processor and cannot respond directly

• Forward the request to Customer promptly

4.5.3 For requests forwarded to Customer, Customer shall be responsible for substantively responding to the request.

4.6 Assistance with Compliance #

Utsav Appointments™ shall provide reasonable assistance to Customer in ensuring compliance with obligations under Data Protection Laws regarding:

• Security of processing

• Data protection impact assessments

• Prior consultation with supervisory authorities

4.7 Return or Deletion of Personal Data #

Upon termination of Customer’s account or upon Customer’s written request, Utsav Appointments™ shall:

• Delete or return all Personal Data to Customer

• Delete existing copies unless retention is required by applicable law

Customer may request such deletion or return up to 30 days after termination.

4.8 Audit Rights #

4.8.1 Utsav Appointments™ shall make available to Customer all information necessary to demonstrate compliance with this DPA.

4.8.2 Customer may conduct audits (including inspections) by:

• Reviewing Utsav Appointments™’s then-current SOC 2, ISO 27001, or similar audit reports (to the extent available)

• Requesting additional information reasonably necessary to verify compliance

• In the event a third-party audit report is insufficient, Customer may conduct an on-site audit upon 30 days’ notice, not more than once annually, at Customer’s expense

4.8.3 Any audit shall be conducted during normal business hours, with reasonable advance notice, and in a manner that does not disrupt Utsav Appointments™’s operations.

5. Obligations of Customer (Controller) #

5.1 Lawfulness of Processing #

Customer represents and warrants that:

• It has complied and will continue to comply with all applicable Data Protection Laws

• It has a lawful basis for processing Personal Data and providing it to Utsav Appointments™

• It has provided all necessary notices and obtained all necessary consents from Data Subjects

• Its instructions to Utsav Appointments™ will comply with Data Protection Laws

5.2 Accuracy of Data #

Customer is responsible for the accuracy, quality, and legality of Personal Data and the means by which it was acquired.

5.3 Data Subject Rights #

Customer is responsible for responding to Data Subject Requests. Utsav Appointments™ will assist as described in Section 4.5.

6. International Data Transfers #

6.1 Transfers from the European Economic Area (EEA) #

For transfers of Personal Data from the EEA to countries not deemed adequate by the European Commission, the parties agree to the following transfer mechanisms in order of precedence:

6.1.1 Data Privacy Framework: For transfers to the United States, if Utsav Appointments™ is self-certified under the EU-US Data Privacy Framework, transfers shall be governed by such framework.

6.1.2 Standard Contractual Clauses: If the Data Privacy Framework does not apply or is invalidated, transfers shall be governed by Module 2 (Controller to Processor) of the Standard Contractual Clauses (SCCs), which are incorporated by reference. The following options apply:

• Clause 7 (Docking Clause): Included

• Clause 9 (Sub-processors): Option 2 (general written authorization) with 30 days’ notice

• Clause 11 (Redress): The optional language requiring independent dispute resolution bodies is not included

• Clause 17 (Governing Law): The SCCs shall be governed by the law of the Netherlands

• Clause 18 (Choice of Forum and Jurisdiction): Disputes shall be resolved by the courts of the Netherlands

Annexes to SCCs:

• Annex I.A (List of Parties): As set forth in the Agreement

• Annex I.B (Description of Transfer): As set forth in Annex 1 to this DPA

• Annex I.C (Competent Supervisory Authority): The supervisory authority in the Member State where Customer is established

• Annex II (Technical and Organizational Security Measures): As set forth in Annex 2 to this DPA

• Annex III (List of Sub-processors): As set forth in Annex 3 to this DPA

6.2 Transfers from the United Kingdom #

For transfers of UK Personal Data, the UK Addendum to the SCCs shall apply, incorporating the SCCs as set forth in Section 6.1.2 with the following modifications:

• Tables 1-3 of the UK Addendum shall be completed using the information in Annexes 1-3

• Table 4 of the UK Addendum: Either party may end the UK Addendum as set forth in Section 19

6.3 Transfers from Switzerland #

For transfers of Swiss Personal Data:

• The SCCs shall apply with the following modifications:

  • References to “GDPR” shall be understood as references to the Swiss FADP

  • Data Subjects in Switzerland may bring claims in Switzerland in accordance with Clause 18(c)

6.4 Transfers from India #

For transfers of Personal Data from India subject to the DPDPA, Utsav Appointments™ shall:

• Comply with all applicable cross-border transfer restrictions

• Provide the same level of protection as required under the DPDPA

7. CCPA Compliance #

7.1 For purposes of this Section 7, the terms “business,” “consumer,” “service provider,” “sell,” and “share” shall have the meanings given in the CCPA.

7.2 Utsav Appointments™ is a service provider under the CCPA with respect to Personal Data subject to the CCPA.

7.3 Utsav Appointments™ shall not:

• Sell or share the Personal Data

• Retain, use, or disclose the Personal Data for any purpose other than the business purposes specified in the Agreement

• Combine the Personal Data with personal data from other sources (except as necessary to perform the business purposes)

7.4 Utsav Appointments™ shall:

• Comply with obligations applicable to service providers under the CCPA

• Provide the same level of privacy protection as required by the CCPA

• Notify Customer if it determines it can no longer meet its CCPA obligations

• Ensure Sub-processors observe CCPA requirements

7.5 Customer may take reasonable steps to ensure Utsav Appointments™ uses Personal Data consistent with Customer’s CCPA obligations.

8. Security Breach Notification #

8.1 Upon becoming aware of a Security Breach, Utsav Appointments™ shall:

• Notify Customer without undue delay (and within 48 hours of confirmation)

• Provide available information to assist Customer in meeting its notification obligations

• Take reasonable steps to mitigate the breach

8.2 Notification shall include to the extent known:

• Nature of the breach

• Categories and approximate number of Data Subjects affected

• Categories and approximate amount of Personal Data records affected

• Likely consequences

• Measures taken or proposed

8.3 Utsav Appointments™ shall cooperate fully with Customer in investigating and responding to the Security Breach.

9. Liability #

9.1 Each party’s liability arising out of or related to this DPA shall be subject to the limitations of liability set forth in the Host Terms.

9.2 Customer acknowledges that Utsav Appointments™ is a processor and shall have no liability for any claims arising from:

• Customer’s instructions

• Customer’s failure to comply with Data Protection Laws

• Processing necessary to provide the Services in accordance with the Agreement

10. Term and Termination #

10.1 This DPA shall remain in effect as long as Utsav Appointments™ processes Personal Data on behalf of Customer.

10.2 Upon termination of the Agreement or completion of processing, Utsav Appointments™ shall comply with Section 4.7.

Annex 1: Details of Processing #

A. Subject Matter of Processing #

The subject matter of processing is Personal Data processed by Utsav Appointments™ on behalf of Customer in connection with the Services.

B. Duration of Processing #

Processing shall continue for the duration of Customer’s use of the Services, plus the period until all Personal Data is deleted or returned in accordance with the DPA.

C. Nature and Purpose of Processing #

Utsav Appointments™ processes Personal Data for the following purposes:

• Facilitating scheduling of meetings between Hosts and Invitees

• Sending confirmations, reminders, and updates

• Providing calendar synchronization

• Enabling meeting intelligence features (where enabled)

• Providing support and troubleshooting

• Improving the Services (using anonymized data)

D. Type of Personal Data #

Utsav Appointments™ may process the following categories of Personal Data on behalf of Customer:

• Names

• Email addresses

• Phone numbers (if provided)

• Calendar availability data

• Time zone information

• Meeting preferences and answers to custom questions

• Meeting recordings and transcriptions (if enabled)

• Technical data (IP address, device information)

E. Categories of Data Subjects #

• Hosts (individuals with Utsav Appointments™ accounts)

• Invitees (individuals who book meetings with Hosts)

• Authorized Users (individuals authorized by Entity Customers)

Annex 2: Security Measures #

Utsav Appointments™ maintains the following technical and organizational security measures:

A. Access Controls #

• Multi-factor authentication for administrative access

• Role-based access controls

• Principle of least privilege

• Regular access reviews

B. Data Encryption #

• Encryption in transit: TLS 1.2 or higher

• Encryption at rest: AES-256

• Secure key management

C. Network Security #

• Firewalls and intrusion detection/prevention systems

• Regular vulnerability scanning

• Penetration testing at least annually

D. Data Center Security #

• Industry-leading cloud infrastructure providers (AWS, Google Cloud)

• SOC 2, ISO 27001 certified data centers

• Redundant, geographically distributed infrastructure

E. Incident Management #

• Documented incident response plan

• 24/7 security monitoring

• Post-incident reviews

F. Business Continuity #

• Regular backups (daily)

• Disaster recovery testing annually

• Redundant systems

G. Personnel Security #

• Background checks (where legally permissible)

• Confidentiality agreements

• Security training

• Code of conduct

H. Sub-processor Oversight #

• Due diligence before engagement

• Contractual data protection obligations

• Regular compliance monitoring

I. Data Protection Governance #

• Designated Data Protection Officer

• Data protection impact assessments where required

• Privacy by design in product development

Annex 3: Sub-processors #