Data Processing Addendum
Last Updated: April 27, 2026 · Effective Date: April 27, 2026
This Data Processing Addendum ("DPA") supplements the Terms of Use (the "Agreement") between Kikinda LLC ("Processor," "we," "us," or "42min") and the customer entering into the Agreement ("Controller," "Customer," or "you"), and forms part of the Agreement.
This DPA reflects the parties' agreement on the processing of personal data subject to:
- the EU General Data Protection Regulation (GDPR) and applicable Member State implementations;
- the UK Data Protection Act 2018 and UK GDPR;
- the Swiss Federal Act on Data Protection (FADP);
- the California Consumer Privacy Act (CCPA), as amended by the CPRA, where 42min acts as a "Service Provider"; and
- other applicable data-protection laws.
By accepting the Terms of Use, the Customer also accepts this DPA. Customers requiring a separately signed DPA may request one at plus@42min.us.
1. Definitions
Capitalized terms not defined here have the meanings given in the Agreement, in the GDPR, or in applicable data-protection law. The following definitions also apply:
- "Controller," "Processor," "Personal Data," "Process" / "Processing," "Data Subject," and "Personal Data Breach" have the meanings in Article 4 GDPR.
- "Customer Personal Data" means Personal Data Processed by 42min on Customer's behalf in connection with the Service, including: (a) Customer's account and configuration data when 42min acts as Processor; (b) Invitee Data; (c) calendar, booking, and routing form data managed through Customer's account.
- "Sub-processor" means a third party engaged by 42min to Process Customer Personal Data on 42min's behalf.
- "SCCs" means the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended.
- "UK IDTA" means the UK International Data Transfer Addendum to the SCCs, issued by the UK Information Commissioner's Office.
2. Roles and Scope
2.1. With respect to Customer Personal Data, Customer is the Controller, and 42min is the Processor.
2.2. With respect to Personal Data of Customer's account holders (e.g., contact and account data) Processed for our own purposes (billing, security, product improvement), 42min is an independent Controller. That processing is governed by our Privacy Policy, not this DPA.
2.3. Subject matter and duration of Processing: as described in Annex A. Processing continues for the duration of the Agreement and until deletion or return under Section 11.
2.4. Categories of Data Subjects, Personal Data, processing operations, and purposes are described in Annex A.
3. Customer Instructions
3.1. 42min Processes Customer Personal Data only on documented instructions from Customer, including with regard to international transfers, except where required by applicable law.
3.2. The Agreement and Customer's lawful use of the Service constitute Customer's complete and final instructions for Processing. Additional instructions must be agreed in writing.
3.3. 42min will inform Customer if, in 42min's opinion, an instruction infringes applicable data-protection law.
4. Customer Obligations
4.1. Customer is responsible for: (a) the lawfulness of the Personal Data and the means by which it was obtained; (b) configuring booking pages, forms, and integrations in compliance with applicable law (including providing notices and obtaining consents from Invitees); (c) responding to Data Subject requests directed at Customer Personal Data; and (d) maintaining accurate contact information for sub-processor and breach notices.
5. Confidentiality
5.1. 42min ensures that personnel authorized to Process Customer Personal Data are subject to confidentiality obligations and are trained on data protection.
6. Security Measures
6.1. 42min implements appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk. These measures are summarized in Annex B.
6.2. 42min may update its security measures from time to time, provided that the updates do not materially decrease the overall level of protection.
7. Sub-Processors
7.1. General authorization. Customer authorizes 42min to engage Sub-processors to Process Customer Personal Data, subject to this Section 7.
7.2. Current Sub-processors. The current list of Sub-processors is published in Section 8 of our Privacy Policy. At the Last Updated date above:
| Sub-processor | Purpose | Location |
|---|---|---|
| Hostinger International Ltd. | Application and database hosting | United States |
| SendPulse Inc. | Transactional / marketing email and SMS | United States, EU |
| Stripe, Inc. | Payment processing (when paid features apply) | United States |
7.3. Notice and right to object. 42min will provide reasonable advance notice of new Sub-processors via email or in-product notification. Customer may object in writing to a new Sub-processor within 30 days of notice on reasonable data-protection grounds. If 42min and Customer cannot reach a resolution, Customer may terminate the affected Service. To subscribe to Sub-processor change notifications, email plus@42min.us with subject "subscribe: subprocessors".
7.4. Sub-processor obligations. 42min will impose written data-protection obligations on each Sub-processor that are no less protective than this DPA, and will remain liable for the acts and omissions of Sub-processors with respect to Customer Personal Data.
8. International Data Transfers
8.1. Transfers from the EEA. Where Customer Personal Data originating in the EEA is transferred to a country without an adequacy decision, the transfer is governed by the SCCs, which are incorporated into this DPA by reference, with:
- Module Two (Controller-to-Processor) where Customer is Controller and 42min is Processor;
- Module Three (Processor-to-Processor) where applicable for Sub-processor transfers;
- Annex I of the SCCs is populated by Annex A of this DPA;
- Annex II of the SCCs is populated by Annex B of this DPA;
- Clause 7 (docking clause): not applied;
- Clause 9 (Sub-processors): Option 2 (general written authorization), with the notice period in Section 7.3;
- Clause 11 (independent dispute resolution): the optional language is not used;
- Clause 17 (governing law): the laws of Ireland;
- Clause 18 (choice of forum and jurisdiction): the courts of Ireland.
8.2. Transfers from the United Kingdom. Transfers from the UK are governed by the UK IDTA (or the UK Addendum to the SCCs, as applicable), incorporated into this DPA by reference.
8.3. Transfers from Switzerland. Transfers from Switzerland are governed by the SCCs, with the following adaptations: (a) references to the "GDPR" include the FADP where applicable; (b) the term "Member State" is interpreted to include Switzerland; (c) the supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
8.4. Transfer Impact Assessment. 42min has assessed material transfers and will cooperate with Customer's transfer impact assessment requests.
9. Data Subject Rights
9.1. Taking into account the nature of the Processing, 42min will assist Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer's obligations to respond to Data Subject requests under applicable law.
9.2. If 42min receives a request from a Data Subject relating to Customer Personal Data, 42min will, without undue delay, forward the request to Customer and not respond directly except as instructed by Customer or required by law.
10. Personal Data Breaches
10.1. 42min will notify Customer of a Personal Data Breach affecting Customer Personal Data without undue delay and in any case within 72 hours after becoming aware. The notice will include, to the extent reasonably available: nature of the breach, categories and approximate number of Data Subjects and records concerned, likely consequences, and measures taken or proposed.
10.2. 42min will cooperate with Customer in investigation and mitigation. Notification under this Section 10 is not an admission of fault or liability.
11. Deletion and Return of Customer Personal Data
11.1. Upon termination of the Agreement, or earlier on Customer's written request, 42min will, at Customer's option, delete or return Customer Personal Data, except to the extent retention is required by applicable law. Default retention timelines are described in Section 9 of the Privacy Policy.
11.2. Customer may export Customer Content using in-product export tools, or by emailing plus@42min.us, before termination.
12. Audit Rights
12.1. 42min will make available to Customer information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR.
12.2. Customer may, no more than once per year and on reasonable advance written notice (at least 30 days), request to audit 42min's compliance. Audits will be conducted: (a) during normal business hours; (b) at Customer's sole expense; (c) by Customer or a mutually agreed independent auditor bound by confidentiality; (d) in a manner that does not unreasonably interfere with 42min's operations or compromise other customers' data; and (e) without access to systems containing other customers' Personal Data.
12.3. 42min may satisfy audit requests by providing recent third-party audit reports, certifications (e.g., SOC, ISO), or summary documentation of its security measures.
13. Liability
The liability of each party under this DPA, in the aggregate, is subject to the limitations set out in the Agreement.
14. CCPA / CPRA Service-Provider Status
When 42min Processes "personal information" of California residents on Customer's behalf, 42min acts as a "Service Provider" within the meaning of CCPA / CPRA. 42min:
- Will not Sell or Share such personal information;
- Will not retain, use, or disclose it outside the direct business relationship with Customer or for any purpose other than the business purpose specified in the Agreement;
- Will not combine personal information received from Customer with personal information from other sources except as permitted by CCPA / CPRA;
- Will comply with applicable obligations under CCPA / CPRA and provide Customer with the same level of privacy protection as required by CCPA / CPRA.
15. Term; Order of Precedence
15.1. This DPA is effective as of the start of the Agreement and continues for as long as 42min Processes Customer Personal Data, plus the period required for the obligations in Section 11.
15.2. In case of conflict between this DPA and the Agreement regarding Processing of Customer Personal Data, this DPA prevails. The SCCs prevail over this DPA where required by law.
16. Changes to This DPA
We may update this DPA to reflect legal, operational, or technical changes. We will provide at least 30 days' advance notice of material changes by email or in-product notification. Continued use of the Service after the effective date constitutes acceptance.
17. Contact
Kikinda LLC
Naples, FL, USA
Email: plus@42min.us
Annex A — Description of Processing
Subject matter: Processing of Customer Personal Data in connection with provision of the Service.
Duration: For the term of the Agreement, plus retention periods set out in Section 9 of the Privacy Policy.
Nature and purpose of Processing: Hosting, storing, transmitting, and otherwise Processing Customer Personal Data for the purpose of providing scheduling, booking, calendar synchronization, routing, reminders, communications, integrations, analytics, and related features chosen by Customer.
Categories of Data Subjects:
- Customer's authorized users (account holders, team members, administrators);
- Invitees who book or attend meetings through Customer's booking pages;
- Other individuals about whom Customer or Invitees provide information through booking forms.
Categories of Personal Data:
- Identifiers (name, email, phone);
- Account credentials;
- Calendar events, availability, time zones;
- Booking requests, routing form responses, custom question answers;
- Communications metadata (email/SMS reminder delivery);
- IP addresses, device and browser information, log data;
- AI / recording / transcript data (only if such features are enabled in the future);
- Other Personal Data Customer chooses to collect through forms.
Special categories of Personal Data: None expected. Customer agrees not to use the Service to Process special categories without our prior written approval.
Frequency of Processing: Continuous, for the term of the Agreement.
Recipients: Sub-processors listed in Section 7; Customer's authorized recipients (e.g., team members, integrated Connected Services); other recipients identified in Section 8 of the Privacy Policy.
Retention: As set out in Section 9 of the Privacy Policy.
Annex B — Technical and Organizational Security Measures
Encryption. TLS 1.2 or higher for data in transit. AES-256 for data at rest in production data stores and backups. Argon2 / bcrypt password hashing.
Access controls. Least-privilege role-based access. Multi-factor authentication for administrative accounts. Periodic review of access rights.
Network security. Firewalls, segmented production environments, DDoS protections via the hosting provider.
Monitoring. Centralized application and security logging; anomaly alerts.
Backups. Encrypted, tested periodically.
Vulnerability management. Dependency scanning, patching, periodic security reviews.
Incident response. Documented procedures with notification timelines aligned to Section 10 of this DPA.
Personnel. Confidentiality obligations and security training.
Sub-processor management. Written DPAs with each Sub-processor; compliance reviews.
Physical security. Data centers operated by Sub-processors with industry-standard physical controls.
