Data Processing Addendum

Last updated: Wednesday, May 6, 2026

This Data Processing Addendum together with its Schedules and Appendices (“DPA”) forms a part of Terms of Service and Privacy Notice, both as updated from time to time, or other applicable agreement between 52 hertz Ltd (“Celestical” or “Processor”) and you (together, with any subsidiaries and affiliated entities, collectively, “Customer”) identified in such agreement (“Agreement”) for the use of Celestical’s online services (“Services”). All capitalized terms not defined herein shall have the meaning set forth in the Agreement. To the extent of any conflict between this DPA, any previously executed data processing addendum, and the Agreement, this DPA will govern.

By entering into this DPA, Customer accepts these terms with respect to all Processing of Personal Data carried out by Celestical on Customer’s behalf in connection with the Services. This DPA reflects the parties’ agreement with regard to the Processing of Personal Data. In the course of providing the Services to Customer pursuant to the Agreement, Celestical may process Personal Data on behalf of Customer, and the Parties agree to comply with the following provisions with respect to any Personal Data.

1.0. Defined Terms

  • “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
  • “Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), the data-protection laws of the European Economic Area Member States that implement or supplement GDPR, and any successor or replacement legislation, in each case as amended from time to time.
  • “Data Subject” means the identified or identifiable person to whom Personal Data relates.
  • “Personal Data” has the meaning given in Article 4(1) GDPR.
  • “Personal Data Breach” has the meaning given in Article 4(12) GDPR.
  • “Personnel” means Celestical’s employees and contractors who are authorized by Celestical to access Personal Data, and who are bound by written confidentiality obligations.
  • “Processing” has the meaning given in Article 4(2) GDPR.
  • “Processor” as defined in Article 4(8) GDPR.
  • “Services” means the services provided by Celestical to you under the Agreement.
  • “Sub-processor” means any Processor engaged by Celestical.
  • “Technical and Organizational Measures” means the technical and organizational measures implemented by the Processor pursuant to Article 32 GDPR to ensure a level of security appropriate to the risk of the processing, as set out in Schedule 2, as such measures may be updated from time to time in accordance with clause 4.2.

2.0. Processing of Personal Data

2.1. Customer Obligations. Customer is the Controller of Personal Data and shall (a) determine the purpose and essential means of the Processing of Personal Data in accordance with the Agreement; (b) be responsible for the accuracy of Personal Data; and (c) comply with its obligations under Data Protection Laws, including, when applicable, ensuring Customer has a lawful basis to collect Personal Data, providing Data Subjects with any required notices, and/or obtaining the Data Subject’s consent to process the Personal Data.

2.2. Celestical Obligations. Celestical is the Processor of Personal Data and shall (a) Process Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country or an international organization, unless Celestical is required to Process the Personal Data by Union or Member State law to which Celestical is subject; in such a case, Celestical shall inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest; and (b) comply with its obligations under Data Protection Laws. A description of the processing of Personal Data intended to be carried out under this DPA is set out in Schedule 1 attached hereto. The parties agree that the Agreement, including this DPA, together with Customer’s use of the Services in compliance with the Agreement, constitute Customer’s complete and final written instructions to Celestical in relation to the Processing of Personal Data, and additional instructions outside the scope of these instructions shall require a prior written and mutually executed agreement between Customer and Celestical. Celestical shall immediately inform Customer if, in its opinion, an instruction from Customer infringes Data Protection Laws and the parties shall cooperate in good faith to resolve the conflict and achieve the goals of such instruction.

2.3. Permitted Other Uses. Celestical shall not Process Personal Data for any purpose other than the documented instructions referred to in Section 2.2, except where Celestical is required to do so by Union or Member State law to which it is subject (the notification obligation in Section 2.2 applies).

2.4. Location of Processing. Production processing of Personal Data takes place in the European Union. Sub-processors located outside the European Economic Area are engaged in accordance with Section 2.6.

2.5. Return or Destruction of Data. Celestical shall return or securely destroy Personal Data, in accordance with Customer’s instructions, upon Customer’s request or upon termination of Customer’s account(s) unless Personal Data must be retained to comply with applicable law.

2.6. International Transfers. Where Celestical transfers Personal Data to a Sub-processor located outside the European Economic Area, Celestical shall ensure that an appropriate safeguard under Article 46 GDPR is in place, such as the Commission's Standard Contractual Clauses, or that the transfer benefits from a Commission adequacy decision under Article 45 GDPR (including, where applicable, the EU-US Data Privacy Framework). Celestical shall make available to Customer, on request, a copy or description of the safeguard relied on for each Sub-processor. The transfer mechanism applicable to each Sub-processor is identified on Celestical's Sub-processors page.

3.0. Sub-processors

3.1. Customer authorizes Celestical to engage Sub-processors to assist in providing the Services. The current list of Celestical's Sub-processors is published on the Data Processors page, which forms part of this DPA and is updated as Sub-processors change in accordance with this Section 3.0.

3.2. Celestical will give Customer such advance notice of any new or replacement Sub-processor as is reasonable in the circumstances, providing Customer a reasonable opportunity to object before the change takes effect. In emergencies, including where a change is necessary to maintain the security, integrity, or continued availability of the Services, Celestical may make the change immediately and will notify Customer promptly thereafter.

3.3. If Customer objects to a new or replacement Sub-processor on reasonable data-protection grounds, Customer may terminate the Agreement by written notice to Celestical. Where Customer exercises this right, Celestical will cooperate in good faith to facilitate the orderly return or deletion of Personal Data in accordance with Section 2.5.

3.4. Celestical will engage Sub-processors only under written contracts that impose data-protection obligations on the Sub-processor equivalent in substance to those set out in this DPA. Where a Sub-processor fails to fulfill its data-protection obligations, Celestical shall remain fully liable to Customer for the performance of that Sub-processor's obligations, in accordance with Article 28(4) GDPR.

4.0. Data Protection

4.1. Celestical shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. The measures in place as of the Effective Date are set out in Schedule 2 – Technical and Organizational Measures, which is incorporated into and forms an integral part of this Agreement.

4.2. The Processor may update the measures set out in Schedule 2 from time to time, provided that no such update materially reduces the overall level of protection afforded to Personal Data.

4.3. Without undue delay after becoming aware of a Personal Data Breach (a) Celestical will: (i) notify Customer of the Personal Data Breach; (ii) investigate the Personal Data Breach; (iii) provide Customer with necessary details about the Personal Data Breach as required by applicable law; and (iv) take reasonable actions to prevent a recurrence of the Personal Data Breach; and (b) Celestical agrees to cooperate in Customer’s handling of the matter by: (i) providing reasonable assistance with Customer’s investigation; and (ii) making available relevant records and other materials related to the Personal Data Breach’s effects on Customer, as required to comply with Data Protection Laws.

4.4. Celestical ensures that Personnel authorized to Process Personal Data are bound by written confidentiality obligations or are under an appropriate statutory duty of confidence.

5.0. Assistance

5.1. Processor Assistance. Taking into account the nature of the Processing and the information available to it, Celestical shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, in fulfilling Customer's obligations under Articles 32 to 36 GDPR, including: (a) the security of Processing under Article 32; (b) the notification of a Personal Data Breach to the supervisory authority and to data subjects under Articles 33 and 34; (c) data protection impact assessments under Article 35; and (d) prior consultations with the supervisory authority under Article 36. Celestical may charge Customer reasonable costs for assistance that materially exceeds the standard service.

5.2. Data Subject Requests. Celestical shall reasonably assist Customer with the fulfillment of Customer’s obligations to Data Subjects exercising rights afforded by Data Protection Laws, with respect to Personal Data in the event that Customer cannot act on such request without Celestical’s assistance. If a Data Subject makes a request to Celestical to exercise a right with respect to his or her Personal Data of which Customer is the Controller, Celestical will promptly inform Customer of the request, and will advise the Data Subject to submit their request directly to Customer. Customer will be responsible for addressing such request.

6.0. Audits

6.1. Within thirty (30) days of Customer’s written request, and no more than once annually, Celestical will make available to Customer (or to an independent auditor mandated by Customer, subject to the conditions set out in Section 6.2) information reasonably necessary to demonstrate Celestical’s compliance with the obligations set out in this DPA. Information Customer and any third-party auditor receive in connection with such a request is confidential and may be used only to verify Celestical’s compliance with this DPA.

6.2. Where the information made available under Section 6.1 is not sufficient to demonstrate compliance with this DPA, Customer (or an independent auditor mandated by Customer, provided the auditor is not a competitor of Celestical and is bound by written confidentiality obligations at least as protective as those in this DPA) may conduct an audit, including an inspection, of Celestical's Processing of Personal Data, to the extent reasonably necessary to verify compliance with this DPA. Audits under this Section 6.2 will be: (a) conducted on at least thirty (30) days' prior written notice, except where Data Protection Laws or a supervisory authority require otherwise; (b) limited to no more than once in any twelve-month period, except where required by Data Protection Laws, by a supervisory authority, or following a Personal Data Breach affecting Customer; (c) conducted at Customer's expense and during normal business hours; and (d) carried out in a manner that does not unreasonably disrupt Celestical's operations or compromise the security, confidentiality, or availability of Personal Data or other data of any other customer of Celestical.

7.0. Customer Representations and Warranties

7.1. Customer represents and warrants that, before causing Personal Data to be processed through the Services, Customer has a valid lawful basis under Article 6 GDPR, and has provided any notices and obtained any consents required of a Controller under Data Protection Laws.

7.2. Customer represents and warrants that, where Customer causes Personal Data within the scope of Article 9 GDPR to be processed through the Services, Customer has a valid lawful basis under Article 9(2) GDPR, typically the Data Subject’s explicit consent under Article 9(2)(a).

7.3. Where Personal Data processed through the Services concerns a minor, Customer represents and warrants that such Personal Data has been provided by a person with parental responsibility or other lawful authority over the minor.

7.4. Customer’s indemnification obligations under the Agreement apply to any breach of this Section 7.0.

8.0. Term and Termination

8.1. This DPA takes effect, and terminates, in accordance with the Agreement.

8.2. Any obligations under this DPA that by their nature are intended to survive termination of the Agreement, including without limitation Sections 2.5, 4.1, 4.3, 4.4, 6.0, 7.0, and 9.1, survive termination of the Agreement.

9.0. Miscellaneous

9.1. Each party’s liability under this DPA is subject to the limitations of liability set out in the Agreement.

9.2. This DPA may be modified only in accordance with the amendment provisions of the Agreement. If Data Protection Laws change, or a competent supervisory authority determines that this DPA is insufficient to comply with them, the parties will cooperate in good faith to amend this DPA as required.

9.3. In the event of any conflict or inconsistency between this DPA and Data Protection Laws, Data Protection Laws shall prevail. In the event of any conflict or inconsistency between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall prevail solely to the extent that the subject matter concerns the Processing of Personal Data.

Schedule 1 – Details of Processing

Categories of data subjects: Personal Data processed under this DPA may relate to the following categories of data subjects: (i) Schedulers (as defined in the Agreement); (ii) other natural persons whose Personal Data is processed through the Services.

Categories of personal data: The categories of Personal Data Processed by Celestical on Customer's behalf may include: (a) identification and contact data of Schedulers; (b) appointment and scheduling metadata; (c) free-text content submitted by Schedulers (booking notes, cancellation and rescheduling reasons, and intake comments where the relevant form is enabled); (d) intake data specific to the service offering, where Customer has enabled the relevant intake form; and (e) Personal Data of Customer that Customer elects to include in Scheduler-bound communications, including bank account details where bank-transfer payment is configured, conferencing access credentials, and location/address information.

Special categories of Personal Data (Article 9 GDPR): Celestical does not require special-category data for the operation of the Services. Customer may, however, cause special-category data to be Processed through the Services, in particular through free-text fields (e.g., booking notes, cancellation reasons, intake comments). Where Customer does so, Section 7.2 of this DPA governs and Customer is responsible for ensuring a lawful basis under Article 9(2) GDPR.

Nature of the processing: Collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, and destruction of Personal Data.

Purpose of the processing: Celestical’s facilitation of the contractual Services under the Agreement with the Customer. Personal data is retained for so long as is reasonably necessary to fulfill the purposes for which the data was collected, to perform our contractual and legal obligations, and for any applicable statute of limitations periods for the purposes of bringing and defending claims.

Frequency of the processing: Continuous, for the duration of the Agreement.

Retention: Personal data is retained for so long as is reasonably necessary to fulfill the purposes for which the data was collected, to perform Celestical’s contractual and legal obligations, and for any applicable statute of limitations periods for the purposes of bringing and defending claims.

Sub-processor processing: The subject matter and nature of processing carried out by Sub-processors is as set out in Schedule 3 of this DPA. The duration of Sub-processor processing is for as long as Celestical provides the Services under the Agreement to the Customer.

Competent supervisory authority: The competent authority is the Commission for Personal Data Protection of the Republic of Bulgaria. The Customer may also refer matters to the supervisory authority of the EEA Member State in which it is established.

Schedule 2 – Technical and Organizational Measures

The following technical and organizational measures are in place to protect Personal Data processed under this DPA. Celestical keeps these measures under review and updates them as appropriate.

Encryption in transit. All connections to the Services are protected by Transport Layer Security (TLS).

Encryption at rest. Personal Data is stored on encrypted storage at the database level.

Application-level encryption. In addition to storage-level encryption at rest, sensitive categories of Personal Data are additionally encrypted at the application level before being written to the database.

Password storage. Passwords are never stored in plaintext. They are stored as hashes generated by a modern adaptive password-hashing function.

Hosting location. Production application servers and the production database are hosted in the European Union.

Access control. Access to production systems and Personal Data is restricted to Personnel who require it to perform their role, on a least-privilege basis.

Multi-factor authentication. Multi-factor authentication is enforced for Personnel access to production hosting and source-code repositories.

Vulnerability monitoring. Automated vulnerability scanning of third-party dependencies and automated static security analysis of the codebase are integrated into Celestical’s development workflow.

Sub-processor engagement. Sub-processors are engaged only under written contracts that include data-protection terms equivalent to those set out in this DPA, as set out in Schedule 3.

Backups. Application data is backed up regularly. Backups are encrypted at rest and stored in the European Union.

Schedule 3 – Celestical’s Sub-processors

By entering into this DPA, the Customer has authorized the use of the listed sub-processors found here.