Data Processing Agreement

Last updated:

Important notice

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you (the Customer) and StayReply Limited. It applies whenever StayReply processes personal data on behalf of the Customer in connection with the Service.

1. Parties and scope

This DPA is entered into by:

  • Customer: the organisation or individual that subscribes to or uses the Service

  • Processor: StayReply Limited, a company registered in England and Wales (company number 17082699), with registered office at 124-128 City Road, London, EC1V 2NX, United Kingdom

This DPA applies to processing of personal data by StayReply as a Processor acting on behalf of the Customer as Controller, as those terms are defined under UK GDPR, EU GDPR, and other applicable data protection laws.

If there is a conflict between this DPA and the Terms of Service, this DPA controls with respect to processing of personal data.

2. Definitions

Terms such as "personal data", "processing", "Controller", "Processor", "Sub-processor", "data subject", and "supervisory authority" have the meanings given in UK GDPR and EU GDPR.

In this DPA:

  • Customer Data means personal data submitted to or processed through the Service on behalf of the Customer

  • Authorised Users means individuals authorised by the Customer to use the Service

  • Data Subject Request means a request by an individual to exercise rights under applicable data protection law

  • Service means the StayReply guest messaging platform and related services

3. Roles of the parties

The Customer is the Controller of Customer Data and determines the purposes and means of processing.

StayReply is the Processor and processes Customer Data only on documented instructions from the Customer, including as necessary to provide and secure the Service, maintain functionality, and provide support.

The Customer is responsible for ensuring it has a lawful basis to collect Customer Data and to provide it to StayReply, and for providing any required notices to data subjects (including guests communicating through the Service).

4. Details of processing

4.1 Subject matter

The subject matter of processing is the provision of the Service, including hosting, storage, AI-generated reply functionality, integration with third-party systems, support, and related features.

4.2 Duration

Processing continues for the term of the Customer's use of the Service, plus any retention period described in the Terms of Service or as required by law.

4.3 Nature and purpose

Processing may include collection, storage, organisation, access, use, transmission, analysis, and deletion of Customer Data as needed to deliver the Service, maintain security, prevent abuse, provide support, and meet legal obligations.

4.4 Categories of data subjects

Data subjects may include:

  • Customer employees, contractors, and authorised users

  • Guests of properties managed by the Customer

  • Customer contacts and collaborators

  • Other individuals whose personal data is included in Customer Data

4.5 Categories of personal data

Customer Data may include:

  • Identifiers such as name, email address, phone number, and account identifiers

  • Reservation data including check-in and check-out dates, property details, and booking source

  • Communication content including guest messages, replies, and conversation history

  • Knowledge base content created by the Customer

  • Integration credentials (encrypted)

  • Smart lock access events including verification attempts and code generation events

  • Usage data within the Service

Special categories of personal data should not be submitted to the Service unless the parties have agreed in writing and appropriate safeguards are in place.

5. Customer instructions

StayReply processes Customer Data only on documented instructions from the Customer. Instructions are provided through:

  • Configuration of the Service

  • Use of product features and integrations

  • Written requests through support channels at support@stayreply.com

If StayReply believes an instruction violates applicable data protection law, it will inform the Customer unless prohibited by law.

6. Confidentiality

StayReply ensures that personnel authorised to process Customer Data are subject to confidentiality obligations and receive appropriate training on data protection and information security.

7. Security measures

StayReply implements technical and organisational measures designed to protect Customer Data, including:

  • Encryption in transit using TLS 1.3

  • Encryption at rest using AES-256

  • Encryption of sensitive credentials (PMS API keys, smart lock tokens) using AES-256-GCM

  • Role-based access controls following least-privilege principles

  • Continuous monitoring and logging of production systems

  • Vulnerability management and regular security review

  • Backups and resilience practices

  • Incident response procedures

The Customer acknowledges that no method of transmission or storage can be guaranteed absolutely secure.

8. Sub-processors

The Customer authorises StayReply to engage Sub-processors to assist in providing the Service. Sub-processor categories include:

  • Hosting and infrastructure providers

  • AI and large language model processing providers

  • Payment processing providers

  • Email delivery providers

  • SMS delivery providers

  • Affiliate tracking providers

  • Analytics providers

  • Customer support tooling

  • Scheduling and calendar tools

A current list of Sub-processors is available on request to privacy@stayreply.com.

StayReply will:

  • Impose data protection obligations on Sub-processors consistent with this DPA

  • Remain responsible for Sub-processors' performance of their obligations

  • Provide notice to Customers of material changes to its Sub-processor list, with reasonable opportunity to object where required by law

If the Customer reasonably objects to a Sub-processor on data protection grounds, StayReply will work in good faith to find a resolution. If no resolution is reached, either party may terminate the Service subject to the Terms of Service.

9. International transfers

If Customer Data is transferred to or accessed from locations outside the UK or EEA, StayReply uses appropriate safeguards including Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, or other lawful transfer mechanisms.

Transfer mechanisms depend on the locations of StayReply's Sub-processors and infrastructure.

10. Assistance with data subject requests

Taking into account the nature of processing, StayReply provides reasonable assistance to help the Customer respond to Data Subject Requests, to the extent required by law and technically feasible.

The Customer is primarily responsible for responding to Data Subject Requests. If StayReply receives a Data Subject Request directly relating to Customer Data, it will direct the request to the Customer unless legally prohibited.

11. Assistance with security requests

StayReply provides reasonable assistance to the Customer in connection with:

  • Security incidents affecting Customer Data

  • Regulatory inquiries related to processing under this DPA

  • Data protection impact assessments (DPIAs) where required by law

Assistance may be provided through documentation, security overviews, and support responses.

12. Personal data breach notification

StayReply will notify the Customer without undue delay, and in any event within 72 hours of becoming aware of a personal data breach affecting Customer Data, and will provide information reasonably necessary to help the Customer meet its own notification obligations to supervisory authorities and data subjects.

Notification will include, where available:

  • Description of the nature of the breach

  • Categories and approximate number of data subjects and records affected

  • Likely consequences of the breach

  • Measures taken or proposed to address the breach

The Customer is responsible for notifying supervisory authorities and affected individuals where required by law.

13. Deletion and return of data

Upon termination of the Service, StayReply will delete or return Customer Data within a reasonable period as described in the Terms of Service (currently 30 days following cancellation).

StayReply may retain limited Customer Data as required by law or for legitimate business purposes such as:

  • Tax and accounting records

  • Dispute resolution and enforcement of agreements

  • Security incident records

14. Audits

The Customer may request reasonable information to verify StayReply's compliance with this DPA. Audit requests are satisfied through:

  • Third-party audit reports where available

  • Security documentation provided on request

  • Written responses to specific compliance questions

Audit requests must be reasonable, limited in scope, and subject to confidentiality. On-site audits may be permitted only by prior written agreement and may be subject to a reasonable fee.

15. Liability

Liability under this DPA is subject to the limitations of liability set out in the Terms of Service, unless applicable law requires otherwise.

16. Governing law

This DPA is governed by the laws of England and Wales, consistent with the Terms of Service, unless applicable law requires a different approach for specific data protection matters.

17. Contact information

For data protection inquiries related to this DPA, contact:

StayReply Limited, Data Protection, 124-128 City Road, London, EC1V 2NX, United Kingdom

Email: privacy@stayreply.com

Company number: 17082699
