Data Processing Addendum (DPA)

This Data Processing Addendum ("DPA") forms part of the Terms of Service (the "Agreement") between the customer (the "Controller") and BOA DIGITAL SOLUTIONS S.R.L., CIF/CUI 51680505, registered office: BUZĂU, Mun. Buzău, Str. Pietroasele 24, Romania ("Plan4Host", the "Processor"). This DPA reflects the parties’ agreement with respect to Processing of Personal Data under GDPR Article 28.

1. Subject matter & duration

The Processor provides the Plan4Host service (calendar, iCal sync, property setup, team workflows) and processes Personal Data on behalf of the Controller for the duration of the Agreement and any post‑termination period required to delete or return data.

2. Nature & purpose of Processing

Hosting, storage, retrieval, structuring, and transmission as needed to operate the application; including iCal import/export, synchronization jobs, user management, billing and subscription management.

3. Categories of Data & Data Subjects

• Data Subjects: Controller’s staff and end‑customers/guests, including additional guests/companions in a reservation.
• Personal Data: names, emails, reservation data (dates/room/room type), optional contact details provided by Controller, online check‑in data (address, nationality, document metadata such as document type/series/number and issuing country, where requested by the Controller or required by law), and technical logs.
• No special categories are intended to be processed by the Service.

4. Controller instructions

The Processor will process Personal Data only on documented instructions from the Controller as set out in the Agreement, including this DPA and applicable feature configuration, unless required by law.

5. Confidentiality

The Processor ensures persons authorized to process Personal Data have committed to confidentiality obligations.

6. Security measures

Processor implements appropriate technical and organizational measures including TLS in transit, encryption at rest provided by cloud providers, Plan4Host server-side application-layer encryption for sensitive guest identification data and guest contact data using AES-256-GCM authenticated encryption, access controls, least‑privilege, and separation of environments. Protected values are encrypted by the application before database storage and are not stored in directly readable form. This additional protection is applied to sensitive guest identification data, guest contact data, and related structured document metadata processed through check‑in workflows, including email address, phone number, address, city, country, government-issued identifiers such as Romanian CNP where applicable for Romanian residents, and document series/number. Guest names may remain unencrypted for operational display and reservation handling, and certain descriptive labels that are not treated as primary identifiers (for example document type or nationality, where applicable) may also remain outside this field-level encryption scope. Protected data is also separated across multiple encryption scopes and keys, so access to one decryption key does not automatically provide access to all protected data categories for the same guest and helps reduce the impact of a compromise affecting only one protected data category. ID document images are retained only for temporary verification purposes and are deleted when a reservation is confirmed and a room is assigned; if immediate deletion is missed operationally, they are removed by scheduled cleanup controls. See Privacy Policy.

7. Sub‑processors

Controller authorizes use of sub‑processors necessary for the Service: Supabase (auth/db/storage), Vercel (hosting/edge), Stripe (payments), Microsoft 365 (email). Processor remains responsible for their performance and will impose data protection obligations at least as protective as this DPA. Processor will update this list as needed.

8. International transfers

Where sub‑processors transfer Personal Data outside the EU/EEA, they rely on appropriate safeguards such as Standard Contractual Clauses and complementary measures where required.

9. Data Subject Requests

Processor will assist Controller, insofar as possible, by appropriate technical and organizational measures, to fulfill requests from Data Subjects (access, rectification, erasure, restriction, portability, objection) forwarded by Controller.

10. Personal Data Breach

Processor will notify Controller without undue delay after becoming aware of a Personal Data Breach and provide available information to assist Controller in meeting its obligations.

11. Records & audits

Processor will make available information reasonably necessary to demonstrate compliance with Article 28 and allow for audits by Controller or its auditor upon reasonable notice and subject to confidentiality, without disrupting operations.

12. Return or deletion of data

Upon termination, Processor will delete Personal Data or return it to Controller upon request. Where the Controller account still includes active reservations or calendar events that require operational cleanup, deletion may require support coordination before completion. Once deletion can proceed, operational deletions occur promptly; residual backups are overwritten within up to 30 days, unless a longer retention is required by law.

13. Liability

Liability is governed by the Agreement. Nothing in this DPA limits the parties’ rights and obligations under GDPR.

14. Contact

For privacy matters related to this DPA, contact office@plan4host.com.