1. Parties and relationship to the main agreement
This Data Processing Addendum (the DPA) governs personal data processing when using Slotio and forms part of the contractual framework between the Slotio customer as controller and ByteWoods, spol. s r.o., company ID 01849883, VAT ID CZ01849883, č.ev. 7, 739 36 Sedliště, Czech Republic, as processor.
If there is a conflict between the main agreement, the terms and this DPA on data protection matters, this DPA prevails. The Terms of Service continue to apply to other matters.
2. Roles and controller instructions
The customer determines the purposes and means of processing customer personal data uploaded to Slotio and acts as controller. ByteWoods processes that data as processor only on behalf of controller, as necessary to provide the service and according to documented instructions, unless processing is required by law.
Documented instructions include service configuration, actions of authorized users in administration and ordinary use of ordered features. If processor believes that an instruction infringes data protection law, it will inform controller without undue delay unless prohibited by law.
3. Subject matter, duration, nature and purpose
Processing continues for the duration of use of the service and then for the period necessary for export, deletion, ordinary backup cycles, security, audit and legal compliance.
Processing may include collection, storage, organization, retrieval, display, use, notification delivery, backup and deletion. Its purpose is to operate the booking SaaS, manage reservations and related communication, support and secure the service.
4. Data subjects and types of personal data
- Data subjects: controller's end customers, persons making reservations and other persons whose data controller lawfully uploads to Slotio.
- Data types: identification data, contact data, booking data, related notes and technical or audit records necessary to operate the service.
- Special categories: without prior written agreement, controller will not upload special categories of personal data under Article 9 GDPR to Slotio.
5. Confidentiality and security
Processor ensures that persons authorized to process personal data are bound by confidentiality and only access data as needed to operate, support or secure the service.
- role-based access controls and permissions
- encrypted data transmission (TLS)
- logging, monitoring and security updates
- backup and restore procedures
- internal security incident procedures
6. Subprocessors
Controller gives processor general authorization to engage subprocessors, subject to GDPR requirements and appropriate contractual data protection terms. Processor ensures that subprocessors are bound by obligations corresponding to this DPA.
ByteWoods provides the current named list of subprocessors on request sent to gdpr@myslotio.com. Controller will receive reasonable advance notice of a material list change in a manner appropriate to the contractual relationship. Controller may object on reasonable data protection grounds.
7. Assistance to controller
Taking into account the nature of processing and available information, processor reasonably assists controller with data subject requests and compliance with Articles 32 to 36 GDPR, including impact assessments and supervisory authority consultations where relevant.
If processor receives a data subject request concerning customer data processed on behalf of controller, it forwards the request to controller and does not respond substantively unless required by law.
8. Personal data breach
Processor notifies controller without undue delay after becoming aware of a personal data breach affecting customer personal data processed under this DPA. To the extent available, the notice describes the incident, affected data categories, likely consequences and measures taken or proposed.
9. Return and deletion
After service termination, processor returns or deletes customer personal data at controller's choice unless further retention is required by law. Ordinary export and deletion periods are described in the Terms of Service and Privacy Policy.
10. Audits and international transfers
Processor makes available information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR. Verification is ordinarily performed by questionnaire, documentation review or relevant security information. Any onsite audit requires prior agreement and must not compromise other customers' security or processor's trade secrets.
Where processor or a subprocessor transfers personal data outside the EU/EEA, processor ensures an appropriate transfer mechanism, such as an adequacy decision or standard contractual clauses.
11. Contact and governing language
Send questions about this DPA to gdpr@myslotio.com. More information is available in the Privacy Policy.
This DPA may be made available in translated versions. Unless mandatory law provides otherwise, the English version prevails if translations conflict.