Data Processing Agreement (DPA)

Terms governing the processing of personal data on the Customer's behalf — ZenHost

Last updated: April 24, 2026

This Data Processing Agreement (the "DPA") supplements and is incorporated into the Terms of Service (the "Terms") entered into between SPARTAN LABS LLP (the "Provider" or "processor") and the Customer (the "controller"). It sets out the conditions under which the Provider processes personal data on behalf of the Customer in the course of providing the ZenHost service. It is established pursuant to article 28 of Regulation (EU) 2016/679 ("EU GDPR"), the UK GDPR and the Data Protection Act 2018. Acceptance of the Terms constitutes acceptance of this DPA in the version in force on the date of subscription. In the event of any inconsistency between the Terms and this DPA, this DPA shall prevail for any matter relating to the processing of personal data.

1. Definitions

Capitalised terms not defined below have the meaning given to them in the Terms. For the purposes of this DPA:

  • "Customer Personal Data" means the personal data processed by the Provider on behalf of the Customer in the course of the Service, as described in Schedule 1.
  • "Data Subject" means an identified or identifiable natural person whose personal data is processed through the Service (including the Customer's guests, employees, partners or contacts).
  • "Sub-processor" means any legal or natural person to whom the Provider entrusts the performance of processing activities on behalf of the Customer, in accordance with article 28(2) of the GDPR.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data (art. 4(12) GDPR).
  • "Supervisory Authority" means the competent data-protection authority (including the ICO in the United Kingdom, or any other competent authority in the EEA).

2. Roles and allocation of responsibilities

The Customer acts as the controller within the meaning of article 4(7) of the GDPR / UK GDPR for all Customer Personal Data it processes through the Service. As such, it alone determines the purpose and means of the processing, its legal basis, applicable retention periods and how Data Subjects are informed.

The Provider acts as a processor within the meaning of article 4(8) and article 28 of the GDPR / UK GDPR for the processing operations carried out on behalf of the Customer in the course of the Service. It processes Customer Personal Data exclusively on documented instructions from the Customer, including with regard to transfers of personal data to a third country.

The Provider acts as an independent controller for its own processing activities related to the management of the Customer account, billing, platform security and compliance with its legal obligations (see Privacy Policy). This DPA does not apply to such processing.

3. Subject-matter, duration and nature of processing

Subject-matter. This DPA sets out the conditions under which the Provider processes Customer Personal Data solely for the purposes of providing the Service.

Duration. The DPA takes effect on the date the Terms are accepted and remains applicable for the entire duration of the Subscription and, where applicable, for the time necessary to carry out the return or deletion operations concerning Customer Personal Data.

Nature, purpose, categories. The nature and purpose of the processing, the categories of Customer Personal Data and of Data Subjects are set out in Schedule 1 to this DPA.

4. Customer instructions and compliance

The Provider processes Customer Personal Data only on documented instructions from the Customer, including with regard to transfers outside the United Kingdom or the European Economic Area. The Terms, this DPA, the configuration of the Service by the Customer and any written instruction subsequently given by the Customer constitute documented instructions within the meaning of article 28(3)(a) of the GDPR.

If the Provider considers that an instruction from the Customer constitutes a breach of the EU GDPR, the UK GDPR or any other applicable data-protection provision, the Provider shall inform the Customer without delay, without prejudice to the Customer's right to maintain its instruction under its sole responsibility (art. 28(3) *in fine* GDPR).

The Provider does not process Customer Personal Data for purposes other than those defined by the Customer through the Service, save where required to do so by law — in which case the Provider shall inform the Customer beforehand, unless prohibited by law from doing so.

5. Confidentiality of personnel

The Provider ensures that persons authorised to process Customer Personal Data commit themselves to confidentiality or are bound by an appropriate statutory obligation of confidentiality (art. 28(3)(b) GDPR). Access to Customer Personal Data is limited to the Provider's personnel who are strictly authorised and trained in data protection, on a least-privilege basis.

6. Technical and organisational measures

The Provider implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with article 32 of the GDPR / UK GDPR. Detailed measures are set out in Schedule 2 to this DPA and include, in particular: logical segregation of environments; strong authentication for administrative personnel; access management on a least-privilege basis; logging of administrative access; regular security reviews; backup and restore plan; incident-management procedures. Encryption in transit (TLS) and at rest is provided at infrastructure level by the Provider's hosting sub-processors.

The Provider may update these measures to maintain an appropriate level of security, provided that such updates do not reduce the overall level of protection.

7. Sub-processors

General authorisation. The Customer authorises the Provider to engage the Sub-processors listed in the Legal notice and the Privacy Policy for the performance of the Service.

Prior notification of changes. The Provider will inform the Customer of any intended addition or replacement of a Sub-processor at least thirty (30) days before the change takes effect. Such notice is given by email, through an in-product notice or by updating the public list of Sub-processors.

Right to object. The Customer may object, on reasonable data-protection grounds, to a new Sub-processor by sending an objection by email to support@zenhost.com within thirty (30) days. If the objection is maintained, the parties will seek a reasonable solution. Failing that, the Customer may terminate the Subscription in writing with effect on the effective date of the change, with a pro-rata refund of amounts already paid for the unused period.

Provider's obligations. The Provider imposes on each Sub-processor, by contract, the same data-protection obligations as those set out in this DPA, in particular as regards sufficient guarantees to implement appropriate technical and organisational measures. The Provider remains fully liable to the Customer for the Sub-processor's performance of its obligations (art. 28(4) GDPR).

8. Assistance with data-subject rights requests

Taking into account the nature of the processing, the Provider assists the Customer, through appropriate technical and organisational measures, in fulfilling its obligation to respond to data-subject rights requests (access, rectification, erasure, restriction, portability, objection — articles 15 to 22 of the GDPR / UK GDPR).

The self-service features of the Service enable the Customer to search, modify, export or delete Data Subjects' personal data autonomously. Where a request requires additional assistance from the Provider, the Provider shall provide reasonable assistance within the limits of article 28(3)(e) GDPR.

If a Data Subject contacts the Provider directly, the Provider shall forward the request to the Customer without delay and inform the Data Subject that they must contact the Customer, unless the Customer instructs otherwise.

9. Personal data breach notification

The Provider shall notify the Customer of any Personal Data Breach affecting Customer Personal Data without undue delay and, in any event, within forty-eight (48) hours of actually becoming aware of it, in order to allow the Customer to comply, where applicable, with its notification obligation to the Supervisory Authority (art. 33(1) GDPR) and to Data Subjects (art. 34 GDPR).

The notice to the Customer shall, as far as possible, include: (i) a description of the nature of the Breach, including the categories and approximate number of Data Subjects concerned; (ii) the name and contact details of the point of contact from which further information may be obtained; (iii) a description of the likely consequences; (iv) a description of the measures taken or proposed to address the Breach and, where appropriate, to mitigate its possible adverse effects.

The Provider shall assist the Customer, on reasonable request and based on the information available to it, in managing the Breach.

10. Data protection impact assessments and prior consultation

The Provider shall provide the Customer, upon request and within the reasonable limits of the information available to it, with the assistance necessary to carry out data protection impact assessments (DPIAs, art. 35 GDPR) and any prior consultations with the Supervisory Authority (art. 36 GDPR) where such activities relate to processing carried out through the Service (art. 28(3)(f) GDPR).

11. Audit rights

The Provider makes available to the Customer, upon written request, all information reasonably necessary to demonstrate compliance with the obligations laid down in article 28 of the GDPR and in this DPA (art. 28(3)(h) GDPR).

Arrangements. The Customer may, once per calendar year and subject to thirty (30) days' prior written notice, audit the technical and organisational measures implemented by the Provider:

- either by reviewing the documentation provided by the Provider (security policy, audit reports, certifications, penetration test reports);
- or, failing that, by appointing an independent third-party auditor, bound by a strict confidentiality obligation, to carry out an audit on the Provider's systems.

Conditions. The audit is carried out during business hours, with due regard to the Provider's activity, without disruption to the continuity of the Service, and exclusively covers processing relating to the Service. The auditor shall not access data of other Provider customers. Audit costs are borne by the Customer, unless the audit reveals a substantial breach by the Provider of its obligations, in which case such reasonable costs shall be borne by the Provider.

More frequent audits. Additional audits may be carried out without frequency limitation in the event of a confirmed Personal Data Breach, a request from the Supervisory Authority or a mandatory legal obligation.

12. Transfers outside the United Kingdom and the European Economic Area

Where processing activities involve a transfer of Customer Personal Data to a country outside the United Kingdom or the European Economic Area that does not benefit from an adequacy decision, such transfer is governed by one or more of the following safeguards:

- the Standard Contractual Clauses (SCCs) adopted by the European Commission under Implementing Decision (EU) 2021/914 of 4 June 2021;
- the UK International Data Transfer Agreement (IDTA) or the Addendum to the SCCs published by the ICO for transfers subject to the UK GDPR;
- certification under the EU-US Data Privacy Framework (adequacy decision of 10 July 2023) and its UK Extension where the recipient is certified thereto.

A copy of the applicable safeguards may be obtained upon written request to support@zenhost.com.

13. Return and deletion upon termination

Upon termination or expiry of the Service, in accordance with article 28(3)(g) GDPR, and at the Customer's written choice:

- the Provider makes available to the Customer self-service export features for a period of ninety (90) days from the termination date, allowing the retrieval of Customer Personal Data in a structured, commonly used format (JSON or CSV);
- or the Provider proceeds with the secure deletion of Customer Personal Data within the same timeframe.

After the ninety (90)-day period, the Provider deletes all copies of Customer Personal Data, subject to any statutory retention obligation. Full physical deletion, taking into account the rotation cycle of technical backups operated by infrastructure sub-processors, occurs within a maximum of one hundred and twenty (120) days. The Provider shall provide written certification of deletion upon the Customer's written request.

14. Liability

The Provider's liability under this DPA is subject to the same limitations and exclusions as those set out in Article 11 of the Terms, save for liabilities that cannot be limited or excluded under applicable law.

15. Order of precedence and changes

In the event of any inconsistency between the provisions of this DPA and those of the Terms, this DPA shall prevail solely for any matter relating to the processing of Customer Personal Data.

Unilateral modification. The Provider may amend this DPA at any time, at its sole discretion, in particular to reflect changes in applicable regulations, supervisory-authority guidance, Sub-processors or technical and organisational measures. Changes take effect against the Customer upon publication on /dpa, without any prior individual notice, and the "Last updated" date is determinative. Continued use of the Service after publication constitutes acceptance.

Mandatory GDPR carve-out. Article 28 of the GDPR / UK GDPR requires the Provider to process Customer Personal Data only on the Customer's documented instructions. To the extent a modification to this DPA would reduce the mandatory safeguards owed to the Customer as *controller* under article 28, such modification shall be enforceable only after the Customer's acceptance, whether express or tacit (through continued use of the Service after the new version is made available). In any event, the mandatory obligations of article 28 (limitation to documented instructions, confidentiality of personnel, security, sub-processors, assistance with data-subject rights, breach notification, deletion/return, audit, transfers) remain due regardless of any modification.

Schedule 1 — Description of the processing

This Schedule 1 describes the characteristics of the processing carried out by the Provider on behalf of the Customer:

  • Subject-matter and nature: hosting, organising, accessing, transmitting and deleting personal data in the course of the short-term rental management Service.
  • Purpose: making the Service available to the Customer, including the management of listings, calendars, bookings, guest communications, check-in/check-out, billing and operational reporting.
  • Duration: for the entire duration of the Subscription, extended by the return or deletion period set out in Article 13 of this DPA.
  • Categories of Data Subjects: Customer's guests; Customer's prospects and contacts; Customer's employees, partners and collaborators using the Service.
  • Categories of Customer Personal Data: identification data (name, first name, address, date of birth, nationality); contact details (email, phone); stay information (dates, accommodation, number of persons); copies of identity documents uploaded by the Customer or its guests; billing and payment data; messages exchanged through the Service; photographs and documents uploaded to the Service; technical metadata (IP addresses, session identifiers, activity logs).
  • Processing operations: collection; recording; organisation; structuring; storage; consultation; retrieval; use; disclosure by transmission; making available; alignment; restriction; erasure.

Schedule 2 — Technical and organisational measures

As at the date of this DPA, the Provider implements the following measures, which may evolve provided that an equivalent level of protection is maintained:

  • Encryption (provided at infrastructure level by hosting sub-processors): TLS in transit; encryption at rest for databases and storage volumes.
  • Segregation: logical separation of environments (production, staging, development); per-customer data isolation through PostgreSQL *row-level security* (RLS) mechanisms.
  • Access control: mandatory strong authentication (MFA) for all administrator accounts; access management on a least-privilege basis; periodic review of access rights.
  • Logging: retention of administrator access logs and sensitive-operation logs; timestamping and integrity of logs; retention for twelve (12) months.
  • Backups: automated backups (encrypted at infrastructure level by hosting sub-processors) with defined retention policy; periodic restore tests; backup location in the European Union for data hosted with European sub-processors.
  • Application security: code review of sensitive changes; dependencies kept up to date; automated tests; protection against OWASP Top 10 vulnerabilities; anti-bot captcha (Cloudflare Turnstile) on public forms.
  • Incident management: detection, triage, containment, eradication and notification procedure; defined escalation chain; preservation of evidence.
  • Personnel management: confidentiality undertaking for all staff with access to data; regular awareness training on data protection and security.
  • Business continuity: documented recovery procedures; redundancy of critical components through infrastructure sub-processors.
  • Sub-processor management: prior security assessment; contractualisation via article-28-compliant DPAs; periodic review.

Schedule 3 — Contacts

Provider (processor). SPARTAN LABS LLP, 24-26 Arcadia Avenue, Fin009/8659, London N3 2JU, United Kingdom. For any question or notification relating to this DPA: support@zenhost.com.

Customer (controller). The Customer's details are set out in its account. Any notice must be sent to the contact address recorded in the account.