Data Processing Agreement
Effective Date: April 3, 2026 · Last Updated: April 3, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Vurium Inc. ("Processor" or "Vurium") and the business customer ("Controller" or "Customer") who uses the VuriumBook™ platform. This DPA governs the processing of personal data by Vurium on behalf of the Customer in compliance with the EU General Data Protection Regulation (GDPR), UK GDPR, and other applicable data protection laws.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- "Data Subject" means an identifiable person whose Personal Data is processed.
- "Sub-processor" means a third party engaged by Vurium to process Personal Data on behalf of the Customer.
2. Scope and Purpose of Processing
- Subject Matter: Provision of scheduling, booking management, client CRM, and appointment notifications.
- Categories of Data Subjects: End-user clients of the Customer (people who book appointments).
- Types of Personal Data: Name, phone number, email address, booking details, payment references, SMS consent records.
- Purpose: To provide the VuriumBook Service as described in the Terms of Service.
- Duration: For the duration of the service agreement, plus any retention period required by law.
3. Processor Obligations
Vurium shall:
- Process Personal Data only on documented instructions from the Customer, unless required by law.
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures, including encryption at rest and in transit, access controls, and regular security reviews.
- Not engage another processor (Sub-processor) without prior written authorization from the Customer. Vurium shall inform the Customer of any intended changes and provide the Customer with an opportunity to object.
- Assist the Customer in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection).
- Assist the Customer in ensuring compliance with data breach notification obligations (72-hour notification to supervisory authorities under GDPR).
- Delete or return all Personal Data upon termination of the service, at the Customer's choice, within 30 days.
- Make available all information necessary to demonstrate compliance with this DPA and allow for audits.
4. Sub-processors
Vurium currently uses the following Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Cloud hosting, database (Firestore) | United States |
| Telnyx | SMS delivery | United States |
| Stripe | Payment processing | United States |
Each Sub-processor is bound by data protection obligations no less protective than those in this DPA. The Customer will be notified of any changes to the Sub-processor list with at least 30 days' advance notice.
5. International Data Transfers
Personal Data may be transferred to and processed in the United States. For transfers from the EEA/UK, Vurium relies on the EU Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914). Where required, supplementary measures are implemented to ensure adequate protection.
6. Security Measures
Vurium implements the following technical and organizational measures:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256 for phone numbers).
- Role-based access controls with least-privilege principles.
- Regular security reviews and vulnerability assessments.
- Secure development practices and code review processes.
- Incident response procedures with 72-hour breach notification capability.
- Automated backups with encryption.
7. Data Subject Rights
Vurium shall assist the Customer in fulfilling its obligations to respond to Data Subject requests under GDPR Articles 15–22, including rights of access, rectification, erasure, data portability, restriction of processing, and objection. Vurium will promptly notify the Customer if it receives a request directly from a Data Subject.
8. Data Breach Notification
In the event of a Personal Data breach, Vurium shall notify the Customer without undue delay (and in any event within 48 hours) after becoming aware of the breach. The notification shall include: the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.
9. Audit Rights
The Customer may audit Vurium's compliance with this DPA once per year, with at least 30 days' written notice, during business hours, and subject to reasonable confidentiality obligations. Vurium shall cooperate and provide necessary access and information. Vurium may also provide relevant certifications or third-party audit reports as an alternative.
10. Term and Termination
This DPA shall remain in effect for the duration of the service agreement. Upon termination, Vurium shall, at the Customer's election, delete or return all Personal Data within 30 days and certify the deletion in writing, unless retention is required by applicable law.
11. Contact
For DPA-related inquiries or to request a signed copy of this agreement, contact us at:
support@vurium.com