Bokrez
Data Processing Agreement
Last updated: April 1, 2026. Applicable pursuant to GDPR Article 28.
Note: This Data Processing Agreement (“DPA”) automatically applies between each Business User (“Controller”) and 360 tour obrt (“Processor”, operating Bokrez) from the moment of registration and acceptance of the Terms of Service. No separate signature is required.
1. Parties and Definitions
This Data Processing Agreement is concluded between:
Controller:
The Business User registered on the Bokrez platform who processes personal data of their end clients through the Platform.
Processor:
360 Tour — Obrt za virtualne zapise, Zagrebačka cesta 81, 10000 Zagreb, Croatia, OIB: 59456273095 — operator of the Bokrez platform (bokrez.com).
In this Agreement:
- “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
- “Personal Data” has the meaning given in Article 4(1) GDPR.
- “Processing” has the meaning given in Article 4(2) GDPR.
- “Platform” means the Bokrez SaaS service available at bokrez.com.
- “Data Subjects” means the end clients of the Controller whose personal data is processed through the Platform.
- “Sub-processors” means third parties engaged by the Processor to process personal data on behalf of the Controller.
2. Subject Matter and Duration of Processing
The Processor processes personal data on behalf of the Controller solely for the purpose of providing the Bokrez service as described in the Terms of Service.
| Aspect | Description |
|---|---|
| Subject matter | Management of appointment bookings, client data (CRM), communications and related features within the Bokrez platform |
| Duration | For the entire period of the Controller's active subscription to Bokrez |
| Nature of processing | Storage, organisation, retrieval, display, notification delivery, backup |
| Purpose | Providing the Bokrez platform features to the Controller and their end users |
3. Types of Personal Data and Categories of Data Subjects
3.1 Types of personal data processed
- Identity data: first name, last name
- Contact data: email address, mobile number
- Booking data: dates, services, appointment notes
- CRM notes and tags entered by the Controller about Data Subjects
- Loyalty programme data: points/stamps balance, transaction history
- Review and rating data
- In-platform messages between Data Subjects and the Controller
Bokrez does not process special categories of personal data (Art. 9 GDPR) under the standard service, unless the Controller explicitly enters such data into free-text fields, for which the Controller bears full responsibility.
3.2 Categories of Data Subjects
End clients of the Controller (natural persons who book appointments or communicate with the Controller through the Platform).
4. Processor Obligations
The Processor (Bokrez) undertakes to:
5. Security Measures
Bokrez implements the following technical and organisational measures to protect Data Subjects' personal data:
| Measure | Implementation detail |
|---|---|
| Encryption in transit | TLS 1.2+ for all traffic between client and server |
| Encryption at rest | Encrypted disk for database and file system |
| Access management | Role-based access control (RBAC); all access is authenticated and logged |
| Passwords | Never stored in readable form; bcrypt hashing with cost factor 12 |
| Backups | Daily automated encrypted database backups |
| Monitoring and logging | Audit logs of access and changes; retained for 90 days |
| Sub-processor management | All third parties with data access are bound by DPA agreements |
| Incident response | Documented data breach response procedure with 72-hour AZOP notification deadline |
6. Sub-processors
The Controller hereby generally authorises Bokrez to engage sub-processors. Bokrez ensures all sub-processors are bound by contractual obligations equivalent to those in this Agreement.
Current sub-processors:
| Sub-processor | Purpose | Location | Transfer basis |
|---|---|---|---|
| Resend Inc. | Sending transactional emails | USA | EU-US DPF + SCC |
| Hosting provider (EU server) | Data storage | EU | Within EEA |
Bokrez will notify the Controller of planned sub-processor changes at least 14 days in advance. The Controller may object within 10 days. If the objection cannot be resolved, the Controller has the right to terminate the agreement without penalty.
7. Personal Data Breach Notification
Bokrez will, without undue delay and in any event within 48 hours of becoming aware of a personal data breach involving data processed on behalf of the Controller, notify the Controller.
The notification will contain at minimum:
- A description of the nature of the breach, including categories and approximate number of affected Data Subjects and records
- Contact details of the person available for further information
- A description of the likely consequences of the breach
- A description of measures taken or proposed to address the breach
The Controller retains responsibility for its own obligations to notify AZOP within 72 hours (Art. 33 GDPR) and to communicate to Data Subjects (Art. 34 GDPR).
8. Data Subject Rights
Bokrez will, taking into account the nature of processing, assist the Controller with appropriate technical measures insofar as possible in meeting its obligations to respond to Data Subject rights requests (access, rectification, erasure, restriction, portability, objection).
Bokrez must, without undue delay and within 5 business days, forward to the Controller any Data Subject requests it receives directly that relate to data processed on behalf of the Controller.
9. Controller Obligations
The Controller represents and warrants that:
- It has a valid legal basis for collecting and processing Data Subjects' personal data through the Platform
- It has informed Data Subjects about the processing of their data in accordance with Art. 13 and 14 GDPR (e.g. through its own privacy policy)
- It will use the Platform only for lawful purposes
- It will immediately inform Bokrez of any Data Subject requests or complaints relating to processing through the Platform
- It has the authority to give instructions to Bokrez regarding processing, including instructions for deletion or modification of data
10. Audit and Inspection
The Controller has the right to verify Bokrez's compliance with this Agreement. Bokrez will:
- Upon request, make available relevant documentation regarding security measures and compliance
- Once per year, with 30 days' prior notice, permit the Controller or an authorised independent auditor to conduct an audit, provided the audit does not disrupt Bokrez's operations and the costs of the audit are borne by the Controller
11. Return and Deletion of Data
Upon expiry or termination of the subscription:
- The Controller will be given the ability to export data in machine-readable format (CSV, JSON) within 30 days
- After that period, Bokrez will delete all personal data of Data Subjects processed on behalf of the Controller, except where a statutory retention obligation applies
- Upon request, Bokrez will provide written confirmation of deletion
12. Liability
Bokrez is liable to the Controller for direct damages arising from Bokrez's breach of this Agreement or applicable data protection law, subject to the limitations set out in the Terms of Service.
Each party is independently responsible to the supervisory authority for its own violations of data protection regulations.
13. Governing Law
This Agreement is governed by and construed in accordance with the law of the Republic of Croatia and applicable EU law, in particular the GDPR. The Commercial Court in Zagreb shall have jurisdiction over any disputes.
14. Amendments
Bokrez may amend this Agreement with at least 30 days' prior written notice. Continued use of the Platform after the amendment date constitutes acceptance. If the Controller does not agree, it may terminate the subscription without penalty.
Data Protection Contact
360 Tour — Obrt za virtualne zapise — Bokrez Data Protection
Email: privacy@bokrez.com
Web: bokrez.com