Propeter Sub-Processors
Every third-party company engaged by Propeter to process hotel guest personal data on your behalf β disclosed in full, updated in real time.
What Is a Sub-Processor?
A sub-processor is any third-party service provider that Propeter engages to process personal data on behalf of its hotel clients (data controllers). Under GDPR Article 28, data processors like Propeter must disclose all sub-processors and impose equivalent data protection obligations on each one by written contract.
Propeter remains fully accountable to you β the data controller β for the performance and compliance of every sub-processor listed on this page. Sub-processors receive only the minimum data necessary to perform their specific function, and may not use that data for their own purposes.
Current Approved Sub-Processors
The table below lists every sub-processor currently authorised under the Propeter Data Processing Agreement (DPA), Annex 1. All sub-processors are bound by written data processing contracts imposing obligations equivalent to those in Propeter's DPA.
| Sub-Processor | Purpose | Personal Data Processed | Location | Transfer Mechanism | Status |
|---|---|---|---|---|---|
| Twilio / SendGrid sendgrid.com |
Transactional Email
Marketing Email
Delivery of booking confirmations, loyalty updates, and marketing campaigns on behalf of the hotel controller. |
Email addresses, email content, engagement metadata (opens, clicks) | πΊπΈ United States | SCCs Module 2 (EU Commission Decision 2021/914) |
Active |
| Twilio Inc. twilio.com |
SMS
WhatsApp
Delivery of SMS and WhatsApp messages (booking alerts, OTPs, loyalty notifications) as instructed by the hotel controller. |
Phone numbers, message content | πΊπΈ United States | SCCs Module 2 | Active |
| Google Firebase firebase.google.com |
Push Notifications
Crash Analytics
Mobile push notification delivery for the Propeter Guest App; anonymised crash and performance analytics. |
Device tokens, notification content, app usage data (anonymised crash reports) | π United States / Global | SCCs Module 2 EUβUS DPF | Active |
| Windcave / Qvalent windcave.com |
Payment Processing
PCI DSS Level 1-certified payment processing for direct bookings via the Propeter Booking Engine. Propeter does not store or access card numbers. |
Transaction reference numbers only β no card data stored by Propeter | π¦πΊ Australia / New Zealand | APP 8 Equivalent (Australian Privacy Principles) |
Active |
| Amazon Web Services (AWS) aws.amazon.com |
Cloud Hosting
Storage
Compute
Primary cloud infrastructure for all Propeter services. All data is encrypted at rest (AES-256) and in transit (TLS 1.3 minimum). AWS maintains SOC 2 Type II, ISO 27001, and PCI DSS certifications. |
All personal data categories (encrypted at rest and in transit) | π Asia Pacific (primary) / US | SCCs Module 2 AWS DPA | Active |
| mkng360.com mkng360.com |
Marketing CRM
Campaign Management
Closed-loop marketing analytics and campaign delivery as part of Propeter's Marketing CRM & Analytics module. Activated only where the hotel controller has enabled the integration. |
Marketing contact data, campaign engagement data (as configured per controller) | π As configured per controller | DPA with mkng360.com | Active |
Propeter's Sub-Processor Commitments
Propeter takes its obligations as a data processor seriously. The following commitments apply to every sub-processor relationship without exception.
Written Contracts Required
Every sub-processor is bound by a written data processing agreement imposing obligations at least equivalent to those in Propeter's DPA with hotel clients.
30-Day Change Notice
Propeter provides a minimum of 30 days' written notice before adding any new sub-processor or making material changes to an existing one.
Objection Rights Respected
Hotel clients may object to a new sub-processor within 14 days of notice on reasonable data protection grounds. Propeter will work to resolve objections before proceeding.
Data Minimisation Enforced
Sub-processors receive only the personal data categories necessary for their specific function β never a broader data set than required.
Lawful Transfer Mechanisms
All international data transfers are covered by SCCs (Module 2), the EUβUS Data Privacy Framework, or equivalent mechanisms for Australian and UK data subjects.
Breach Notification Within 72 Hours
In the event of a breach involving sub-processor infrastructure, Propeter will notify affected hotel clients within 72 hours of becoming aware of the incident.
Data Transfer Mechanisms Explained
All personal data transfers to sub-processors outside the originating jurisdiction are covered by one or more of the following recognised safeguards:
Standard Contractual Clauses (SCCs) β Module 2
The SCCs adopted by the European Commission in Decision 2021/914/EU govern transfers of EU and UK personal data to Propeter sub-processors in the United States and other third countries. Module 2 (Controller to Processor) applies to all Propeter sub-processor transfers. Governing law is Irish law; forum is the courts of Ireland.
EUβUS Data Privacy Framework (DPF)
Where a US sub-processor participates in the EUβUS Data Privacy Framework (as Google Firebase does), DPF certification serves as an additional adequacy-equivalent transfer mechanism alongside SCCs.
Australian Privacy Principles (APP 8)
For transfers involving Australian residents' personal data, Propeter discloses such data to overseas sub-processors only where those sub-processors maintain protections substantially equivalent to the APPs under the Privacy Act 1988 (Cth), or where another APP 8.2 exception applies. Windcave/Qvalent, as an Australia/NZ-based PCI DSS-certified processor, satisfies these requirements.
UK International Data Transfer Agreement (IDTA)
For UK data subjects, Propeter supplements SCCs with the UK IDTA approved by the Information Commissioner's Office (ICO). Hotel clients may request an executed IDTA from legal@propeter.com.
Frequently Asked Questions
What is the difference between Propeter as a processor and these sub-processors?
Your hotel (the data controller) instructs Propeter (the data processor) to process guest personal data on your behalf. When Propeter engages a sub-processor β such as AWS for cloud hosting or SendGrid for email β the sub-processor processes that data at Propeter's direction. Propeter remains contractually and legally responsible to you for everything sub-processors do with your data.
Does Propeter use AI/ML models trained on my hotel guests' personal data?
No. Propeter's AI revenue management models (XGBoost + LSTM demand forecasting, price elasticity models) are trained on aggregated, anonymised market data patterns β not on individual guest personal data from any hotel client. No individual guest profiling is performed for Propeter's own AI model training purposes.
How can I object to a new sub-processor being added?
When Propeter notifies you of a new sub-processor (at least 30 days in advance), you may raise a written objection to legal@propeter.com within 14 days of receiving the notice. The objection must be based on reasonable data protection grounds. If the parties cannot resolve the objection, you may terminate the affected Services with 30 days' notice as your sole remedy β as set out in Section 4.4(c) of the DPA.
Is Propeter certified under ISO 27001 or SOC 2?
Propeter's primary cloud infrastructure is provided by Amazon Web Services, which holds SOC 2 Type II, ISO 27001, and PCI DSS certifications. Propeter applies OWASP Top 10 security practices, mandatory MFA for all production staff, annual third-party penetration testing, and AES-256 encryption at rest. Propeter's own SOC 2 audit programme is part of the product roadmap. Contact legal@propeter.com for the current security posture documentation.
What happens to my guests' data if I cancel my Propeter subscription?
Upon termination, you may elect within 30 days to receive all personal data in a structured, machine-readable format (CSV or JSON), or to have Propeter securely delete all personal data within 90 days. Propeter will provide written confirmation of deletion upon request. Data retained solely to comply with applicable law (e.g. Indian tax records) is held in isolation with no active processing.
Who do I contact for data protection questions?
Propeter's data protection contact is legal@propeter.com. For Enterprise clients requiring separately executed DPAs, Standard Contractual Clauses, or Transfer Impact Assessment summaries, the same address applies. Responses are provided within 5 business days for standard requests.
Related Legal Documents
Questions About Data Processing?
Our legal team is available to discuss sub-processor arrangements, execute supplementary SCCs, or provide Transfer Impact Assessment summaries for Enterprise clients.
Email legal@propeter.com Book a Demo
Enhance customer engagement with our intelligent chatbot solutions. Seamlessly automate conversations and elevate user experiences with cutting-edge AI technology.
Products
Copyright © 2026 propeter | Powered by Propeter