Reservly Data Processing Agreement
Last updated: April 26, 2026
This Data Processing Agreement ("DPA") forms part of the Reservly Terms of Service (the "Agreement") between Reservly, a Wyoming limited liability company with its legal-notice address at Northwestern Registered Agent Services, 30 N Gould St Ste R, Sheridan WY 82801, United States ("Reservly", "we", "us", "Processor"), and the business customer identified in the Agreement ("you", "Customer", "Controller"), each a "Party" and together the "Parties".
This DPA governs our processing of Personal Data on your behalf in connection with the Reservly platform (the "Service"). Where and to the extent required by applicable Data Protection Laws, the 2021 EU Standard Contractual Clauses and the UK Addendum (each incorporated by reference in Annex IV) form part of this DPA.
How to execute this DPA. This DPA is pre-executed by Reservly and takes effect automatically when you accept the Reservly Terms of Service or subscribe to the Service. You do not need to countersign or return a signed copy. If your procurement team requires a countersigned PDF, download it from reservly.io/legal/dpa.pdf and email support@reservly.io; we will return a countersigned copy within five business days.
1. Definitions
In this DPA, the following terms have the meanings set out below. Terms capitalised but not defined here take the meaning given in the Agreement or in applicable Data Protection Laws.
- "Applicable Data Protection Laws" means, as applicable to a Party's processing: the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"); the UK GDPR and the UK Data Protection Act 2018 ("UK GDPR"); the Swiss Federal Act on Data Protection ("nFADP"); the California Consumer Privacy Act of 2018 as amended by the CPRA ("CCPA/CPRA"); South Africa's Protection of Personal Information Act 4 of 2013 ("POPIA"); Nigeria's Nigeria Data Protection Act 2023 ("NDPA"); Kenya's Data Protection Act 2019 ("Kenya DPA"); Ghana's Data Protection Act, 2012 (Act 843) ("Ghana DPA"); Tanzania's Personal Data Protection Act 2022 ("Tanzania PDPA"); and any other privacy or data-protection law applicable to either Party's processing of Personal Data under this DPA.
- "Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", "Special Categories of Personal Data", "Sub-processor", and "Supervisory Authority" have the meanings given in the GDPR (or the equivalent terms in other Applicable Data Protection Laws).
- "Customer Personal Data" means Personal Data that Reservly processes on the Customer's behalf under the Agreement, including Personal Data submitted by the Customer or its end users through the Service or collected through the Customer's Reservly-hosted booking pages.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021, as amended from time to time.
- "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, version B1.0, in force 21 March 2022.
2. Roles and scope of processing
2.1 Roles. For Customer Personal Data, the Customer is the Controller and Reservly is the Processor. Each Party shall comply with its respective obligations under Applicable Data Protection Laws. This DPA does not govern Reservly's processing of Personal Data as Controller (e.g., account-management data of the Customer's administrators), which is governed by the Reservly Privacy Policy.
2.2 Subject matter, duration, nature and purpose, categories of Personal Data, and categories of Data Subjects are set out in Annex I and form part of the Parties' Article 28(3) GDPR agreement.
2.3 Instructions. Reservly shall process Customer Personal Data only on documented instructions from the Customer, including with regard to transfers to a third country, unless required to do so by Union or Member State law to which Reservly is subject, in which case Reservly shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The Customer's use of the Service, including the configuration choices the Customer makes in the Service (such as custom form fields, retention toggles, and enabled integrations), constitutes the Customer's documented instructions. Additional instructions outside the scope of the Service may be agreed in writing and may be subject to additional fees.
2.4 Prohibition on out-of-scope processing. Reservly shall not process Customer Personal Data for its own purposes, for advertising, for profiling, or for sale (as defined in CCPA/CPRA) or "sharing" for cross-context behavioural advertising. Reservly certifies compliance with the restrictions of CCPA/CPRA § 1798.140(ag)(1) applicable to service providers.
3. Customer obligations
3.1 The Customer shall:
- (a) ensure that it has a valid lawful basis under Applicable Data Protection Laws for the Personal Data it submits to the Service, and that it has provided all required notices and obtained all required consents from Data Subjects;
- (b) not submit Special Categories of Personal Data through the Service, including but not limited to data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, health data, data concerning sex life or sexual orientation, and data concerning criminal convictions or offences, except where Reservly has agreed in writing to such processing;
- (c) comply with the Reservly Acceptable Use Policy, including the prohibition on use by HIPAA-covered entities, GDPR Article 9 health-data controllers, and similarly regulated healthcare providers, who must not use the Service for protected health information;
- (d) be solely responsible for the accuracy, quality, and legality of the Personal Data, and for the configuration of custom form fields, retention settings, and integrations.
4. Confidentiality
Reservly shall ensure that personnel authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Customer Personal Data is restricted on a need-to-know basis and is logged.
5. Security — Article 32 measures
5.1 Reservly maintains appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption in transit — TLS 1.2+ on all public endpoints, HSTS preload.
- Encryption at rest — AES-256 for the production database (Supabase), object storage (Cloudflare R2), and backups.
- Tenant isolation — row-level security (PostgreSQL RLS) on every table, with separate RLS policies per business tenant; verified continuously through automated tests.
- Secret management — OAuth tokens (Google, Microsoft, Zoom, Dropbox, Stripe, PayPal) encrypted using Supabase Vault with keys managed in a separate HSM-backed vault.
- Authentication — Supabase Auth with scrypt-hashed passwords; per-user API keys with configurable expiry; TOTP-based MFA available for all accounts. SSO (SAML 2.0) is on the product roadmap; not yet available.
- Access control — role-based permissions inside the product; internal admin access limited to named personnel with 2FA enforced.
- Monitoring — Sentry error monitoring (EU region, 90-day retention, PII scrubbing), application and auth logs, Vercel edge logs, Supabase audit logs.
- Resilience — daily encrypted backups retained for 30 days, point-in-time recovery for 7 days, documented disaster-recovery plan.
- Secure development — TypeScript strict mode, continuous build/type/lint gates, Playwright end-to-end test suite, code review before merge, automated dependency vulnerability scanning.
- Incident response — documented plan with 72-hour supervisory-authority notification SLA (GDPR Article 33 — this is the Controller's obligation to notify its supervisory authority; Reservly's obligation to notify the Controller is without-undue-delay per §9.1 of this DPA); incident response tabletop exercise planned annually (first exercise to be conducted within 12 months of general availability).
5.2 Reservly may update the measures from time to time provided the updated measures do not materially degrade the security of Customer Personal Data. The current version of the measures is available at reservly.io/legal/security#technical-and-organisational-measures and forms part of Annex II.
6. Sub-processors
6.1 General authorisation. The Customer provides general written authorisation for Reservly to engage Sub-processors to process Customer Personal Data, subject to this Section 6.
6.2 Current list. Reservly's current Sub-processors are listed at reservly.io/legal/subprocessors. The list identifies each Sub-processor, the purpose of the processing, and the location.
6.3 Change notification. Reservly will give the Customer at least 30 days' prior written notice of any intended change to the Sub-processor list (whether addition, replacement, or material change in scope) by (i) updating the public Sub-processor list, (ii) emailing the Customer's notice address, and (iii) posting a banner in the Reservly dashboard.
6.4 Objection right. The Customer may reasonably object to the engagement of a new Sub-processor within 15 days of the notice. If the Customer objects, Reservly will work in good faith to offer the Customer a commercially reasonable alternative; if no alternative can be found, the Customer may terminate the Agreement for convenience with respect to the functionality that requires the new Sub-processor and receive a pro-rated refund for pre-paid and unused fees.
6.5 Flow-down. Reservly shall impose on each Sub-processor, by written contract, data-protection obligations that are no less protective than those in this DPA (including regarding security measures, confidentiality, audit rights, and international-transfer mechanisms). Reservly remains fully liable to the Customer for each Sub-processor's performance.
7. Assistance — Data Subject rights
7.1 Reservly shall provide reasonable assistance to the Customer, through appropriate technical and organisational measures, to fulfil the Customer's obligations to respond to Data Subject requests under Applicable Data Protection Laws.
7.2 The Service provides self-service tools for access, rectification, export, and deletion of Customer Personal Data. Where a Data Subject contacts Reservly directly, Reservly will, unless legally prohibited, promptly forward the request to the Customer and instruct the Data Subject to contact the Customer.
7.3 If assistance beyond the self-service tooling is required, Reservly may charge a reasonable fee, notified to the Customer in advance.
8. Assistance — Articles 32–36 (security, breaches, DPIAs, prior consultation)
Reservly shall provide reasonable assistance to the Customer with:
- (a) ensuring the security of processing (Article 32);
- (b) notifying Personal Data Breaches (Article 33);
- (c) communicating breaches to Data Subjects (Article 34);
- (d) carrying out Data Protection Impact Assessments (Article 35); and
- (e) prior consultations with Supervisory Authorities (Article 36),
in each case taking into account the nature of the processing and the information available to Reservly.
9. Personal Data Breach — Article 33(2)
9.1 Reservly shall notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. There is no fixed time limit on the processor's notification to the Controller under GDPR Article 33(2); the 72-hour deadline applies to the Controller's obligation to notify its supervisory authority under GDPR Article 33(1) — that obligation falls on the Customer (as Controller), not on Reservly. Reservly will notify the Customer as quickly as the circumstances allow. The notification will include, to the extent then known:
- the nature of the breach, including where possible the categories and approximate number of Data Subjects and records concerned;
- the name and contact details of Reservly's security contact;
- the likely consequences of the breach;
- the measures taken or proposed to address the breach and mitigate its effects.
Reservly may provide the notification in phases if full information is not yet available, and will update the Customer as the investigation proceeds.
9.2 Reservly is not obliged to notify the Customer of incidents that do not compromise Customer Personal Data (for example, unsuccessful intrusion attempts, DDoS activity that did not result in access, port scanning).
10. Deletion and return
10.1 Upon termination or expiry of the Agreement, Reservly shall, at the Customer's choice:
- (a) delete all Customer Personal Data and copies within 90 days of termination, except to the extent retention is required by Union, Member State, or other applicable law (e.g., tax or dispute-defense retention); or
- (b) return all Customer Personal Data to the Customer in a structured, commonly used, machine-readable format before deletion.
10.2 The 90-day horizon allows for grace-period reactivation, final billing, and coordinated off-boarding. Backups containing Customer Personal Data are overwritten on a rolling 30-day cycle and are inaccessible to production systems.
10.3 Reservly's records required by its retention schedule (booking records for 7 years for tax/dispute defense; email send logs for 12 months; Sentry traces for 90 days) are retained in accordance with the Reservly Privacy Policy and applicable law.
11. Audit
11.1 Reservly shall make available to the Customer all information necessary to demonstrate compliance with Article 28 GDPR and this DPA.
11.2 Standard audit evidence. Reservly will, on request and no more than once per 12-month period, provide the Customer with:
- Reservly's security whitepaper describing the controls summarised in Section 5 and Annex II;
- Reservly's most recent penetration-test executive summary, once available;
- Reservly's then-current SOC 2 Type II report (once Reservly's formal SOC 2 programme is attested — Reservly is pursuing SOC 2 Type II attestation and will publish availability on this page when the first report issues).
11.3 On-site audit. If the standard audit evidence does not, in the Customer's reasonable view, provide sufficient information to demonstrate compliance, the Customer may conduct an on-site audit subject to:
- (a) 30 days' advance written notice (immediate in the event of a Personal Data Breach or regulator investigation);
- (b) execution of a confidentiality agreement in a form reasonably acceptable to Reservly;
- (c) audit scope limited to what is strictly necessary to demonstrate GDPR Article 28 compliance, excluding any information of other Reservly customers and Reservly trade secrets not necessary for the audit;
- (d) conducted during business hours in a manner that minimises disruption;
- (e) at the Customer's expense, except where the audit uncovers material non-compliance, in which case Reservly bears reasonable costs.
11.4 Regulator-mandated audits by a Supervisory Authority override the restrictions in 11.3 to the extent required by law.
12. International transfers
12.1 Where Reservly processes Customer Personal Data in a country that does not have an adequacy decision applicable to the transfer, the Parties agree that the applicable transfer mechanism in Annex IV shall apply:
- EU/EEA transfers to third countries — the 2021 EU SCCs, Module 2 (Controller to Processor), are incorporated by reference. Annex IV completes the SCC annexes.
- UK transfers — the UK Addendum to EU Commission Standard Contractual Clauses (UK Addendum, version B1.0, issued by the UK Information Commissioner's Office, in force 21 March 2022) is incorporated by reference and modifies the SCCs as set out therein. Alternatively, where both Parties agree, the ICO's International Data Transfer Agreement (IDTA, version 1.0) may be used as a standalone transfer mechanism in lieu of the UK Addendum. For transfers to UK-certified processors under the UK Extension to the EU–US Data Privacy Framework (UK-US Data Bridge), Parties may rely on that certification in lieu of the UK Addendum or IDTA, provided the certification remains valid.
- Swiss transfers — the SCCs apply with the FDPIC-endorsed amendments (references to GDPR also read as references to the nFADP; references to Member State supervisory authorities also include the FDPIC).
12.2 Where both Parties are certified under the EU–US Data Privacy Framework (or the UK Extension or Swiss-US Framework) for the relevant transfer, the Parties may rely on that certification in lieu of the SCCs, provided the certification remains valid and in force.
12.3 Reservly has conducted a Transfer Impact Assessment for each onward transfer to a Sub-processor in a non-adequate country and will update it on material change.
13. CCPA / CPRA service-provider commitments
For Personal Data subject to CCPA/CPRA, Reservly is a "service provider" (as defined in § 1798.140(ag)(1)) and:
- shall not sell or share the Personal Data;
- shall not retain, use, or disclose the Personal Data for any purpose other than the specific business purpose of providing the Service and the permitted purposes in § 1798.140(ag)(1);
- shall not combine the Personal Data with Personal Data received from or on behalf of any other person, except as permitted by CCPA Regulations § 7050(a)(5);
- shall notify the Customer if it can no longer meet its obligations under CCPA/CPRA; and
- grants the Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorised use.
14. Liability, term, governing law
14.1 Each Party's liability arising out of or related to this DPA is subject to the limitations of liability in the Agreement.
14.2 This DPA takes effect on the Effective Date of the Agreement and continues until Reservly has deleted all Customer Personal Data under Section 10.
14.3 This DPA is governed by the law of the State of Wyoming, United States, without regard to its conflict-of-laws rules, except that the SCCs and UK Addendum are governed by the laws specified in those instruments (EU Member State or United Kingdom), and the jurisdiction clauses in those instruments apply to claims arising under them.
14.4 If any provision of this DPA conflicts with the Agreement, this DPA controls with respect to the subject matter herein. If this DPA conflicts with the SCCs or UK Addendum for matters within their scope, the SCCs or UK Addendum control.
Annex I — Description of the processing
Subject matter and duration. Reservly's processing of Customer Personal Data as necessary to provide the Service to the Customer for the term of the Agreement plus the deletion/return period in Section 10.
Nature and purpose. Hosting, storing, transmitting, and otherwise processing booking-related and business-operations data to deliver the Service — including displaying the Customer's booking page to its end users, collecting bookings, sending booking confirmation and reminder emails to the Customer's end users, synchronising with the Customer's calendars and meeting tools, facilitating payments between the Customer and its end users, and providing analytics and reporting to the Customer.
Calendar integration data flows (where the Customer or the Customer's staff have connected Google Calendar or Microsoft Calendar): Reservly processes the following data on the Customer's behalf: (a) it reads existing calendar event metadata — start time, end time, and organiser status — from the connected calendar in real time to compute booking availability; this data is not stored in Reservly's database and is not retained after the availability computation; and (b) it writes booking event records — containing service or event name, customer name, customer email address, and booking date/time — to the connected calendar when bookings are confirmed, rescheduled, or cancelled. This processing is performed under the Customer's documented instruction (by activating the integration from the dashboard) and for the sole purpose of maintaining calendar availability accuracy and booking visibility.
Cross-border transfer note for calendar integrations: Google LLC and Microsoft Corporation store and process calendar data on their global infrastructure, which includes servers in the United States, the European Union, and other jurisdictions. When Reservly reads from or writes to a connected Google or Microsoft calendar, Customer Personal Data (booking event details including customer names and email addresses) passes through those providers' global infrastructure. The transfer mechanisms described in Section 12 and Annex IV of this DPA apply. Google LLC and Microsoft Corporation each participate in the EU–US Data Privacy Framework (DPF); where their DPF certifications are valid and current, Reservly may rely on DPF for the onward transfer to these sub-processors in lieu of SCCs under Article 45a GDPR.
Cloud backup data flows (where the Customer has connected Google Drive, Microsoft OneDrive, or Dropbox): Reservly writes structured backup export files — containing booking records, customer contact data as present in those bookings, and business configuration data — to the Customer's connected cloud storage account at a scheduled cadence. The Customer's act of connecting the cloud storage integration and enabling backup constitutes the Customer's documented instruction. Reservly does not read existing files in the Customer's connected cloud storage; access is write-only to the backup scope.
Categories of Personal Data.
- End-user / customer of the Customer: name, email, phone number, booking date/time, service/event/rental selected, notes to the business, any custom form-field responses the Customer configures, payment-transaction identifiers (no card numbers or CVV), IP address (transiently, for security), locale.
- Customer staff / team members: name, email, role, working hours, staff profile photo.
- Customer itself: business name, address, contact details.
Categories of Data Subjects.
- End users (booking customers of the Customer's business)
- Staff of the Customer
- The Customer itself (individual owners / administrators)
- Prospects / leads who interact with the Customer's booking page (via marketing attribution links)
Special-category data. None — the Customer warrants it will not submit special-category data without express written agreement (§3.1(b)).
Frequency of processing. Continuous, for the term of the Agreement.
Retention.
- Active bookings — for the life of the Customer's account, plus 90 days after termination (soft-delete: 30 days, then hard-delete).
- Booking records — 7 years for tax and dispute-defense purposes.
- Email send logs — 12 months.
- Sentry error traces — 90 days.
- Backups — 30-day rolling window.
Annex II — Technical and organisational measures
Current version published at reservly.io/legal/security#technical-and-organisational-measures. Summary: encryption in transit (TLS 1.2+) and at rest (AES-256); PostgreSQL row-level security with per-tenant isolation; Supabase Vault for OAuth tokens; TOTP-based MFA for Reservly administrator access (SSO on product roadmap, not yet available); Sentry error monitoring with PII scrubbing (90-day retention, EU region); rolling encrypted backups (30 days); documented incident response plan; external penetration test (first engagement planned within 12 months of general availability; results published to customers under Section 11.2 when available); continuous CI gates (TypeScript, build, lint, Playwright) and code review before merge.
Annex III — Sub-processors
Current list published at reservly.io/legal/subprocessors. At the date of this DPA the list includes:
Core infrastructure: Supabase, Inc. (database, authentication, storage; region: us-east-2, Ohio); Vercel, Inc. (application hosting; iad1, Northern Virginia); Cloudflare, Inc. (R2 object storage for images; global edge); Resend, Inc. (transactional email; US); Functional Software Inc. / Sentry (error monitoring; EU region, ingest.de.sentry.io; 90-day retention); Upstash, Inc. (rate-limiting counters; US; DPA status: confirmation pending per RA-47); Paddle.com Market Ltd. (Reservly's own subscription billing; Paddle acts as Merchant of Record and independent Controller for payment data, but is listed here as Reservly's sub-processor for account-management data).
Integration sub-processors (at the Customer's direction): Google LLC (Calendar sync — bidirectional booking event and availability metadata; Google Meet creation; Google Drive backup exports containing booking records and customer contact data; all Customer-directed via OAuth; OAuth tokens encrypted in Supabase Vault); Microsoft Corporation (same functions via Microsoft Calendar / Teams / OneDrive; same data categories; Customer-directed via OAuth); Zoom Video Communications, Inc. (meeting creation; write-only; Customer-directed); Dropbox, Inc. (backup exports to app folder; write-only; Customer-directed).
Planned sub-processors (not yet active): Mistral AI SARL (AI translation; EU-based; DPA available at legal.mistral.ai); Telnyx LLC and Infobip Ltd. (SMS delivery; activated on SMS feature launch with 30-day advance notice per Section 6.3).
Independent processors (not Reservly sub-processors): Stripe, Inc. and PayPal, Inc. process payment data in the customer-to-business payment flow on the business's instruction via the business's own Stripe Connect Standard and PayPal Commerce Platform accounts. These providers are not sub-processors of Reservly in this flow; they are independent data processors engaged directly by the business. Reservly stores OAuth tokens and minimal reference data (transaction IDs, last-4 of payment method) for display purposes only. These providers are listed in the Sub-Processor List (reservly.io/legal/subprocessors) for transparency.
BYO arrangements: Where the Customer connects a Twilio account for SMS messaging, Twilio processes SMS data on the Customer's instruction. Reservly facilitates the connection but is not the party instructing Twilio. The Customer is responsible for Twilio's compliance in this flow.
The full current list with data categories, regions, and provider DPA links is maintained at reservly.io/legal/subprocessors.
Annex IV — Standard Contractual Clauses completion
The 2021 EU SCCs, Module 2 (Controller → Processor), apply to EEA transfers. The UK Addendum (B1.0) applies to UK transfers. Swiss amendments apply to Swiss transfers. The SCC annexes are completed as follows:
- Annex I.A (parties) — Data exporter: the Customer. Data importer: Reservly. Contact details as set out in the Agreement and this DPA.
- Annex I.B (description of transfer) — as set out in Annex I above.
- Annex I.C (competent supervisory authority) — the Supervisory Authority of the EEA Member State in which the Customer is established; for the UK (UK GDPR), the Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom — the ICO is the competent authority for UK GDPR Article 33 notifications and UK-resident Data Subject complaints; for Switzerland, the Federal Data Protection and Information Commissioner (FDPIC).
- Annex II (technical and organisational measures) — as set out in Annex II above.
- Annex III (list of Sub-processors) — as set out in Annex III above and at reservly.io/legal/subprocessors.
- Docking Clause — Clause 7 of the SCCs (docking clause) applies.
- Clause 9 — Sub-processors option — Option 2 (general written authorisation) applies, with the 30-day notice period in Section 6.3.
- Clause 11 — Redress — Reservly does not agree to binding independent dispute resolution with Data Subjects beyond what the SCCs themselves provide.
- Clause 17 — Governing law — Irish law.
- Clause 18 — Choice of forum — Irish courts.
Contact
Questions about this DPA: support@reservly.io with subject line "DPA".
Formal data-protection inquiries (data subject requests, regulator correspondence): support@reservly.io with subject line "Privacy Officer" — routed to Reservly's designated Privacy Officer role.