Data Processing Addendum (DPA)

Last updated: October 17, 2025

This Data Processing Addendum ("DPA") forms part of the Terms of Service (the "Agreement") between the customer (the "Controller") and BOA DIGITAL SOLUTIONS S.R.L., CIF/CUI 51680505, registered office: BUZĂU, Mun. Buzău, Str. Pietroasele 24, Romania ("Plan4Host", the "Processor"). This DPA reflects the parties’ agreement with respect to Processing of Personal Data under GDPR Article 28.

1. Subject matter & duration

The Processor provides the Plan4Host service (calendar, iCal sync, property setup, team workflows) and processes Personal Data on behalf of the Controller for the duration of the Agreement and any post‑termination period required to delete or return data.

2. Nature & purpose of Processing

Hosting, storage, retrieval, structuring, and transmission as needed to operate the application; including iCal import/export, synchronization jobs, user management, billing and subscription management.

3. Categories of Data & Data Subjects

  • Data Subjects: Controller’s staff and end‑customers/guests.
  • Personal Data: names, emails, reservation data (dates/room types), optional contact details provided by Controller, technical logs.
  • No special categories are intended to be processed by the Service.

4. Controller instructions

The Processor will process Personal Data only on documented instructions from the Controller as set out in the Agreement, including this DPA and applicable feature configuration, unless required by law.

5. Confidentiality

The Processor ensures persons authorized to process Personal Data have committed to confidentiality obligations.

6. Security measures

Processor implements appropriate technical and organizational measures including TLS in transit, encryption at rest provided by cloud providers, access controls, least‑privilege, and separation of environments. See Privacy Policy.

7. Sub‑processors

Controller authorizes use of sub‑processors necessary for the Service: Supabase (auth/db/storage), Vercel (hosting/edge), Stripe (payments), Microsoft 365 (email). Processor remains responsible for their performance and will impose data protection obligations at least as protective as this DPA. Processor will update this list as needed.

8. International transfers

Where sub‑processors transfer Personal Data outside the EU/EEA, they rely on appropriate safeguards such as Standard Contractual Clauses and complementary measures where required.

9. Data Subject Requests

Processor will assist Controller, insofar as possible, by appropriate technical and organizational measures, to fulfill requests from Data Subjects (access, rectification, erasure, restriction, portability, objection) forwarded by Controller.

10. Personal Data Breach

Processor will notify Controller without undue delay after becoming aware of a Personal Data Breach and provide available information to assist Controller in meeting its obligations.

11. Records & audits

Processor will make available information reasonably necessary to demonstrate compliance with Article 28 and allow for audits by Controller or its auditor upon reasonable notice and subject to confidentiality, without disrupting operations.

12. Return or deletion of data

Upon termination, Processor will delete Personal Data or return it to Controller upon request. Operational deletions occur promptly; residual backups are overwritten within up to 30 days, unless a longer retention is required by law.

13. Liability

Liability is governed by the Agreement. Nothing in this DPA limits the parties’ rights and obligations under GDPR.

14. Contact

For privacy matters related to this DPA, contact office@plan4host.com.