Data Processing Addendum (DPA)

Last updated: 21 May 2026

When a DPA applies

When you (the Host) use HostPal to process Personal Data of Guests, you are the controller and HostPal is the processor under GDPR Art. 4(8). A Data Processing Addendum sets out the processor's obligations under Art. 28: the scope and purpose of processing, security measures, sub-processor management, audit rights, and assistance with data subject requests.

Current status

A formal HostPal DPA template is in development and will be published here when finalised. In the meantime, controllers requiring a written agreement (typically enterprise customers, or hosts whose own clients ask for upstream documentation) should email [email protected] and we will work with you on a bespoke arrangement. The eventual template will incorporate:

• Scope: Guest message content, phone numbers / Telegram IDs, reservation data.
• Subject-matter and duration: for the term of your subscription plus the 30-day grace period before deletion.
• Categories of data subjects: Guests, prospective Guests, and (where applicable) your team members.
• Security measures: those described in our Security Statement.
• Sub-processors: the list published at /legal/sub-processors with 30-day advance notice for material changes.
• International transfers: EU Standard Contractual Clauses (SCCs, Module 2: Controller-to-Processor) for transfers outside the EEA where required.
• Data subject request assistance: we provide the runbook and tooling necessary to fulfil access, erasure, rectification, and portability requests under Art. 12.
• Breach notification: without undue delay and within 72 hours of awareness, per Art. 33.
• Audit rights: by reasonable advance request, typically satisfied by providing our current security documentation and any available third-party attestations.

Why we ask you to request it by email

A DPA is a contract — a signed copy is the audit artefact that demonstrates the controller-processor relationship to a supervisory authority. We track signed copies in our records management system so that, if you or a supervisory authority later request proof, we can produce it within the GDPR timelines.

Questions: [email protected].