Data Processing Agreement (DPA)

Who’sMyGuest Ltd.

Effective Date: April 25, 2025

1. Definitions

For the purposes of this Data Processing Agreement, the following terms shall have the meanings set forth below:

  • “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, email address, location data, or an online identifier.
  • “Processing” means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.
  • “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
  • “Processor” means the party processing Personal Data on behalf of the Controller under the terms of this Agreement.
  • “Data Subject” means the individual whose Personal Data is being processed.
  • “Sub-Processor” means any third party engaged by the Processor who agrees to process Personal Data on behalf of the Controller in accordance with this DPA.
  • “Applicable Data Protection Laws” means the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and all other applicable national laws and regulations relating to the processing of Personal Data, including any guidance or codes of practice issued by relevant supervisory authorities.

2. Subject Matter and Duration

The Processor provides a cloud-based platform for the enrichment of guest data using publicly available sources and AI-based technologies. The Controller uploads personal data of hotel guests for the Processor to enrich.

This Agreement governs the processing of personal data in the context of the contractual relationship between the Parties.

The duration of this Agreement corresponds to the term of the GTC. Test accounts may be terminated by the Processor at any time. Data from test accounts will be deleted upon termination.

3. Type and Purpose of Processing

The Processor shall process the personal data solely on behalf of the Controller and only in accordance with the documented instructions of the Controller.

The processing includes the following activities:

  • Uploading guest data (e.g., name, nationality, email address);
  • Enriching guest profiles through publicly available online sources using AI technologies;
  • Generating summary profiles, links to social media, and guest personalization recommendations;
  • Generating estimated social influence scores or public interest rankings;
  • Providing guest profile pictures where publicly available.

The purpose of the processing is to support the Controller in personalizing guest experiences.

4. Categories of Data Subjects

The personal data processed concerns the following categories of data subjects:

  • Hotel guests whose data is uploaded by the Controller.

5. Categories of Personal Data

The following types of personal data may be processed:

  • Names
  • Nationality
  • Email addresses
  • Publicly available biographical data
  • Links to social media profiles
  • Indications of interests, preferences, or public activities
  • Social media influence ratings (score 1-10)
  • Public profile images (if available)
  • Public evaluation of public interest relevance (score 1-10)

Special categories of personal data (e.g., health, religion) are not intentionally processed and should not be uploaded by the Controller.

6. Controller Responsibilities

The Controller is solely responsible for:

  • Ensuring a legal basis under GDPR Art. 6 for processing the personal data;
  • Providing data subjects with transparent information under GDPR Arts. 13 and 14;
  • Conducting a data protection impact assessment if required;
  • Maintaining an internal record of processing activities;
  • Ensuring that the uploaded data is accurate and necessary;
  • Avoiding the upload of sensitive or special category data unless legally justified;
  • Informing their guests, where legally required, about the data enrichment processes used.

7. Obligations of the Processor

The Processor shall:

  • Process personal data only in accordance with this Agreement and documented instructions of the Controller;
  • Ensure persons authorized to process personal data are bound to confidentiality;
  • Implement appropriate technical and organizational measures pursuant to Art. 32 GDPR as described in Annex I – Technical and Organizational Measures;
  • Assist the Controller in fulfilling obligations under GDPR Arts. 32-36;
  • Make available all information necessary to demonstrate compliance;
  • Maintain a record of all categories of processing activities carried out on behalf of the Controller, as required by Article 30(2) GDPR, and make such records available to the supervisory authority upon request;
  • Notify the Controller without undue delay of any personal data breach;
  • Allow for audits or inspections by the Controller or an auditor mandated by the Controller, subject to reasonable notice and scope;
  • Inform the Controller if instructions are unlawful or in conflict with data protection laws;
  • Maintain procedures for secure and permanent deletion of data upon termination of service.

8. Sub-Processors

The Controller hereby authorizes the use of sub-processors, including:

  • Hosting providers
  • Cloud infrastructure services
  • AI/LLM services such as OpenAI
  • Search and data enrichment APIs

A list of current sub-processors is available upon request or on the Who’sMyGuest website. The Processor shall inform the Controller of intended changes and provide a reasonable objection period.

9. International Data Transfers

If data is transferred to a third country outside the EEA, the Processor ensures appropriate safeguards are in place in accordance with GDPR Chapter V, including the use of Standard Contractual Clauses (SCCs).

10. Deletion or Return of Data

Upon termination of the GTC, the Processor shall, at the choice of the Controller, delete or return all personal data unless Union or Member State law requires storage. The Processor shall confirm in writing that deletion has occurred. A grace period of four weeks will be observed before irreversible deletion unless otherwise requested.

11. Liability

Liability is governed by the GTC. Insofar as a third party asserts a claim against the Processor for which the Controller is responsible, the Controller shall indemnify the Processor accordingly.

12. Acceptance

This Data Processing Agreement becomes binding upon the Customer’s electronic acceptance via the registration form at https://whoismyguest.com. The acceptance is logged digitally and stored by Who’sMyGuest Ltd. for compliance purposes.

13. Final Provisions

In the event of any inconsistency between this Agreement and the GTC, this Agreement shall prevail with respect to data protection obligations.

This Agreement is governed by the laws of the Republic of Cyprus.

Who’sMyGuest Ltd.

Nicosia, Cyprus

https://whoismyguest.com

Annex 1

The Processor implements the following security measures to protect the Personal Data processed on behalf of the Controller, in accordance with Article 32 of the GDPR:

  1. Access Control
  • Role-based access restrictions and user permissions
  • Strong password requirements and multi-factor authentication (MFA) for administrator accounts
  • Logging and monitoring of access to production systems
  • Principle of least privilege enforced across internal tools
  2. Data Encryption
  • Encryption of personal data in transit using TLS 1.2 or higher
  • Encryption of stored data (at rest) using industry-standard algorithms (e.g., AES-256)
  • API keys and credentials are encrypted and securely stored
  3. Data Segregation
  • Logical separation of customer data through isolated processing instances or tenant-based architecture
  • Access only permitted based on authenticated user identity and authorization level
  4. Backup & Disaster Recovery
  • Daily encrypted backups stored securely on geographically redundant systems
  • Disaster recovery procedures tested periodically
  • Recovery Time Objective (RTO): <24h / Recovery Point Objective (RPO): <12h
  5. Incident Detection & Response
  • Continuous monitoring for unusual behavior and unauthorized access attempts
  • Formal data breach response plan and internal escalation protocol
  • Notification to controller without undue delay (and within 48 hours) upon awareness of a personal data breach
  6. Sub-Processor Due Diligence
  • Contractual agreements with all sub-processors that include equivalent TOMs
  • Ongoing monitoring and reassessment of sub-processor compliance
  7. Physical Security
  • Hosting infrastructure (Hetzner and others) certified to ISO 27001 or equivalent
  • Data centers with 24/7 monitoring, physical access restrictions, fire suppression, and redundant power systems
  8. Staff Training and Awareness
  • Mandatory GDPR and security training for staff with access to personal data
  • Confidentiality obligations signed and regularly reinforced
  9. Data Minimization and Retention
  • Only data strictly necessary for service delivery is collected
  • Automated data deletion after project termination or inactivity grace period (e.g., 30 days)
  • Configurable retention policies for customers (where applicable)
  10. Audit and Compliance
  • Internal audits and logging of access and administrative activity
  • Documentation of processing activities in accordance with Art. 30 GDPR
  • Provision of audit access to customers upon request, subject to reasonable notice and scope