Data Processing Agreement
This DPA governs Propeter's processing of hotel guest personal data on behalf of hotel clients. It is GDPR Article 28 compliant and applicable to clients in the EU, UK, Australia, and globally.
GDPR Note: This DPA satisfies the requirements of GDPR Article 28(3) for EU/UK clients. Standard Contractual Clauses (Module 2: Controller to Processor, EU Commission Decision 2021/914) apply to EU-India data transfers.
Parties & Recitals
Data Controller ("Client")
The hotel entity or hospitality group that has subscribed to Propeter's services and determines the purposes and means of processing hotel guest personal data.
Entity details provided in Annex 4.
Data Processor ("Propeter")
Propeter — an AI Hotel Operating System
India (registered entity)
Recitals
A. The Controller provides hotel accommodation and related hospitality services and uses the Propeter Platform to manage operations, revenue, guest experience, and related functions.
B. In delivering the Services, the Controller (as Data Controller) instructs Propeter (as Data Processor) to process Personal Data of hotel guests and other data subjects on its behalf.
C. The parties wish to ensure that such processing is conducted lawfully, securely, and in accordance with all Applicable Data Protection Laws — including the EU GDPR, UK GDPR, Australian Privacy Act 1988, and India's Digital Personal Data Protection Act 2023.
D. This DPA sets out the rights and obligations of both parties with respect to such processing and supplements the Terms of Service entered into between them.
1 Definitions
In this DPA, the following terms have the meanings set out below:
- "Applicable Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including: the EU General Data Protection Regulation (2016/679) ("GDPR"); the UK GDPR and Data Protection Act 2018; the Privacy Act 1988 (Cth) and Australian Privacy Principles; the Digital Personal Data Protection Act 2023 (India); the California Consumer Privacy Act (CCPA/CPRA) as applicable; and any other legislation implementing or supplementing the foregoing.
- "Controller" / "Client" means the hotel entity that determines the purposes and means of processing Personal Data of hotel guests. The Controller is identified in Annex 4.
- "Processor" / "Propeter" means Propeter, which processes Personal Data on behalf of the Controller as described in this DPA.
- "Personal Data" means any information relating to an identified or identifiable natural person ("data subject"), as defined under Applicable Data Protection Laws.
- "Processing" / "Process" means any operation or set of operations performed on Personal Data, whether by automated means or otherwise, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
- "Sub-processor" means any third-party processor engaged by Propeter to process Personal Data on behalf of the Controller. The current list of sub-processors is set out in Annex 1.
- "Personal Data Breach" / "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by Propeter.
- "Standard Contractual Clauses" / "SCCs" means the standard data protection clauses for the transfer of personal data to third countries adopted by the European Commission pursuant to Decision 2021/914/EU of 4 June 2021.
- "Technical and Organisational Measures" / "TOMs" means the security measures described in Annex 2 of this DPA.
- "Services" means the Propeter AI Hotel Operating System platform and related services as defined in the Terms of Service, including AI Revenue Management, Rate Engine, Direct Booking Engine, Guest Loyalty, Competitive Intelligence, Mobile Guest App, Xero Integration, and Social Analytics CRM.
2 Scope and Duration
2.1 Scope. This DPA governs Propeter's processing of Personal Data when providing the Services to the Controller under the Terms of Service. This DPA applies to all processing of Personal Data carried out by Propeter in connection with the Services.
2.2 Relationship to Terms of Service. This DPA forms part of and supplements the Terms of Service. In the event of any conflict between this DPA and the Terms of Service with respect to processing of Personal Data, this DPA shall prevail. In the event of conflict between this DPA and GDPR requirements, GDPR shall prevail for EU/UK data subjects.
2.3 Duration. This DPA is effective for the duration of the Services agreement and automatically terminates upon expiry or termination of the Terms of Service, subject to obligations that expressly survive termination (including Section 4.9 on data return/deletion and Section 8 on confidentiality).
3 Details of Processing (GDPR Art. 28(3))
3.1 Nature of Processing
Collection, storage, organisation, retrieval, use, disclosure by transmission to sub-processors, erasure, and destruction of Personal Data through the Propeter Platform. This includes automated processing by AI/ML systems for revenue optimisation and personalisation purposes, using only aggregated and anonymised patterns — no individual guest profiling is performed for Propeter's own AI model training.
3.2 Purpose of Processing
- Hotel booking management (reservations, amendments, cancellations, check-in/out, guest history)
- Guest loyalty programme administration (points accumulation, tier management, rewards, badge achievements)
- Mobile guest app functionality (digital key, housekeeping requests, F&B orders, concierge messaging)
- Guest communications — email and SMS — as specifically instructed by the Controller
- Payment processing coordination (with PCI DSS-certified sub-processor Windcave/Qvalent)
- Marketing campaign delivery as explicitly instructed by the Controller
- Revenue management and rate optimisation (using aggregated market data; individual guest data not used to train shared AI models)
3.3 Types of Personal Data Processed
| Data Category | Specific Data Elements | Sensitivity |
|---|---|---|
| Identification | Full name, email address, phone number, nationality | Standard |
| Booking | Arrival/departure dates, room type, booking reference, booking source/channel, rate paid | Standard |
| Financial | Transaction reference numbers, amounts (no card numbers — processed by Windcave/Qvalent separately) | Standard |
| Loyalty | Points balance, membership tier, badge/achievement history, stated preferences | Standard |
| Technical | IP addresses, device identifiers, mobile app session data, digital key access logs | Standard |
| Communication | Email/SMS content as transmitted through the platform on Controller's instruction | Standard |
| Identity Documents | Passport/ID number if collected by Controller and entered into the system | Sensitive |
3.4 Categories of Data Subjects
- Hotel guests (primary) — individuals who book and/or stay at the Controller's property
- Prospective guests — marketing contacts provided by the Controller for campaign purposes
- Hotel staff/employees using the Propeter platform — governed separately by the Terms of Service and the Controller's own employment obligations
4 Processor Obligations (Propeter)
4.1 Processing on Instructions Only
Propeter shall process Personal Data only on documented instructions from the Controller, as set out in the Terms of Service and this DPA, unless required to do so by applicable law. If Propeter is required by law to process Personal Data other than as instructed, it shall inform the Controller before such processing unless prohibited by law. If Propeter reasonably believes that an instruction infringes Applicable Data Protection Laws, it shall inform the Controller promptly.
4.2 Confidentiality of Processing
Propeter shall ensure that all persons authorised to process Personal Data under this DPA have committed themselves to confidentiality, or are under a statutory obligation of confidentiality. Access to Personal Data is restricted to Propeter staff who require it for the purposes of providing the Services.
4.3 Security Measures
Propeter shall implement and maintain the Technical and Organisational Measures (TOMs) set out in Annex 2 to ensure a level of security appropriate to the risk of processing. Propeter regularly reviews and updates these measures. The Controller acknowledges that security measures must be balanced against cost and risk, and that no security system can guarantee absolute protection.
4.4 Sub-processing
(a) Propeter shall only engage sub-processors listed in Annex 1 to process Personal Data under this DPA. The current Annex 1 constitutes general authorisation by the Controller for the listed sub-processors.
(b) Propeter shall provide the Controller with at least 30 days' written notice before engaging any new sub-processor or making material changes to existing sub-processors.
(c) The Controller may object to a new sub-processor within 14 days of receiving notice, on reasonable data protection grounds. If the parties cannot resolve the objection, the Controller may terminate the affected Services with 30 days' notice, as its sole remedy.
(d) Propeter shall impose data protection obligations on all sub-processors by written contract, including obligations equivalent to those in this DPA. Propeter remains responsible to the Controller for the performance of sub-processors' obligations.
(e) Propeter maintains an up-to-date sub-processor list at propeter.com/legal/sub-processors.
4.5 Assistance with Data Subject Rights
Propeter shall provide the Controller with reasonable technical assistance to enable the Controller to fulfil its obligations to respond to requests from data subjects exercising their rights under Applicable Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, and objection). Where Propeter receives a data subject rights request directly concerning Controller-processed data, it shall promptly forward it to the Controller without responding to the data subject directly.
4.6 Assistance with Compliance Obligations
Taking into account the nature of processing and the information available to Propeter, Propeter shall provide reasonable assistance to the Controller in ensuring compliance with: (a) security obligations under Art. 32 GDPR; (b) data breach notification obligations (Art. 33-34 GDPR); (c) Data Protection Impact Assessments (Art. 35 GDPR); and (d) prior consultation with supervisory authorities (Art. 36 GDPR).
4.7 Personal Data Breach Notification
Propeter shall notify the Controller without undue delay and no later than 72 hours after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA. The notification shall include, to the extent then known:
- Nature of the breach, including the categories and approximate number of data subjects and records affected
- Name and contact details of Propeter's data protection contact
- Likely consequences of the breach
- Measures taken or proposed to address the breach and to mitigate its effects
Where information is not available at the time of initial notification, Propeter shall provide it as soon as reasonably practicable. Propeter shall cooperate with the Controller to satisfy the Controller's own notification obligations to supervisory authorities and data subjects.
4.8 Data Protection Impact Assessments
Propeter shall provide reasonable assistance to the Controller in carrying out Data Protection Impact Assessments (DPIAs) related to the Services. Propeter shall maintain its own DPIAs for high-risk processing activities conducted through the platform.
4.9 Return and Deletion of Data
Upon expiry or termination of the Services, Propeter shall, at the Controller's election (to be communicated within 30 days of termination):
- (a) Return: Return all Personal Data to the Controller in a structured, commonly used, and machine-readable format (CSV or JSON); or
- (b) Delete: Securely and permanently delete all Personal Data, including all copies and backup instances, within 90 days of termination.
Propeter shall provide the Controller with written confirmation of deletion upon request. This obligation does not apply to the extent Propeter is required to retain Personal Data under applicable law (e.g. financial records under Indian tax law), in which case Propeter shall maintain such data in isolation and cease active processing.
4.10 Audit Rights
Propeter shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits and inspections conducted by the Controller or a third-party auditor mandated by the Controller, subject to the following conditions:
- At least 30 days' prior written notice of the intended audit
- Audits conducted during normal business hours and in a manner that minimises disruption
- Not more than once per 12-month period unless there has been a confirmed Personal Data Breach
- The Controller bears all reasonable costs of the audit unless the audit reveals material non-compliance by Propeter
- Propeter may satisfy audit obligations by providing third-party security certifications (e.g. SOC 2 Type II report, ISO 27001 certificate) in lieu of on-site access, where the Controller considers such certifications adequate
5 Controller Obligations
5.1 Lawful Basis for Processing
The Controller warrants that it has, and will maintain throughout the term, a valid lawful basis for processing Personal Data under Applicable Data Protection Laws, and for instructing Propeter to process Personal Data as described in this DPA. The Controller is solely responsible for the lawfulness of its processing instructions.
5.2 Data Collection and Notice
The Controller warrants that it has collected Personal Data lawfully and in compliance with Applicable Data Protection Laws, and that it has provided all required privacy notices and obtained all required consents from data subjects (including hotel guests) prior to providing Personal Data to Propeter for processing.
5.3 Accuracy of Data
The Controller is responsible for the accuracy, quality, and legality of Personal Data it provides to Propeter through the Services. The Controller shall promptly notify Propeter of any errors or corrections required.
5.4 Handling Data Subject Requests
The Controller is responsible for responding to data subjects' rights requests. The Controller shall forward any data subject request that it cannot fulfil using the self-service tools in the Propeter platform to Propeter within 5 business days, to enable Propeter to provide the required technical assistance.
5.5 DPIA Responsibility
The Controller is responsible for determining whether a DPIA is required for its processing activities using the Services and, where required, for conducting and documenting such DPIA. Propeter will assist as described in Section 4.8.
5.6 Changes in Processing Requirements
The Controller shall promptly notify Propeter of any changes to its processing requirements, applicable legal obligations, or any circumstances that may affect Propeter's ability to comply with this DPA or Applicable Data Protection Laws.
6 International Data Transfers
6.1 Primary Transfer Mechanism (EU/UK → India)
Personal Data transfers from the EU/UK to Propeter in India are made pursuant to Standard Contractual Clauses (SCCs), Module 2: Controller to Processor, as adopted by the European Commission in Decision 2021/914/EU of 4 June 2021. A copy of the applicable SCCs (with Annex selections as specified in Annex 3 of this DPA) is incorporated herein and is available on request from legal@propeter.com.
6.2 UK-Specific Transfers
For transfers of Personal Data from the UK to Propeter in India, the UK International Data Transfer Agreement (IDTA), approved by the Information Commissioner's Office (ICO), applies as the transfer mechanism. Controller may request an executed IDTA from legal@propeter.com.
6.3 Sub-processor Transfers
Transfers from Propeter to sub-processors outside the European Economic Area are governed by the transfer mechanisms identified in Annex 1. For sub-processors in the USA, transfers are covered by SCCs between Propeter and the relevant sub-processor. Where a sub-processor participates in the EU-U.S. Data Privacy Framework, this may serve as an additional transfer mechanism.
6.4 Australian Cross-Border Disclosures
For Personal Data of Australian residents, cross-border disclosures comply with Australian Privacy Principle 8.1 (by taking reasonable steps to ensure overseas recipients maintain protections equivalent to the APPs) or APP 8.2 exceptions where applicable. Details of overseas sub-processors are provided in Annex 1.
6.5 Transfer Impact Assessment
Propeter has conducted a Transfer Impact Assessment (TIA) in relation to transfers of EU/UK Personal Data to India, taking into account the legal framework in India (including the DPDP Act 2023) and Propeter's contractual and technical safeguards. The assessment supports the use of SCCs as an appropriate transfer mechanism. A summary of the TIA is available to Controllers on request.
6.6 Controller Cooperation
The Controller agrees to execute any supplementary data transfer documentation reasonably required by Propeter to maintain compliance with international transfer obligations, including any updated or replacement SCCs or transfer agreements required by supervisory authorities.
7 GDPR-Specific Provisions
7.1 Article 28 Compliance
This DPA is intended to satisfy in full the requirements of GDPR Article 28(3). In the event of any inconsistency between the provisions of this DPA and the requirements of GDPR Article 28, the requirements of GDPR Article 28 shall prevail.
7.2 Data Protection Officers
Propeter's data protection contact is: legal@propeter.com. Where the Controller has appointed a Data Protection Officer, the Controller shall provide the DPO's contact details in Annex 4 and keep this information current.
7.3 Supervisory Authority
The Controller's lead supervisory authority for GDPR purposes is the data protection authority in the EU Member State of the Controller's main establishment. Propeter will cooperate with any supervisory authority investigation or inquiry relating to the processing described in this DPA.
7.4 Records of Processing Activities (Art. 30)
Each party shall maintain records of processing activities as required under GDPR Article 30. Propeter maintains a Record of Processing Activities covering all processing conducted as a processor on behalf of its Controller clients. The Controller is responsible for maintaining its own Article 30 records as a controller.
7.5 No Instructions to Infringe GDPR
If Propeter determines that an instruction from the Controller would require it to process Personal Data in a manner that infringes GDPR or any other Applicable Data Protection Laws, Propeter shall immediately inform the Controller and shall be entitled to suspend processing of the affected Personal Data until the Controller provides revised lawful instructions.
8 Australia-Specific Provisions
8.1 Australian Privacy Principles (APPs)
For Controllers established in Australia, or where the processing involves Personal Data of Australian residents, Propeter processes such data in compliance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). This includes compliance with APP 11 (security), APP 12 (access), and APP 13 (correction).
8.2 Cross-Border Disclosure (APP 8)
Propeter discloses Personal Data of Australian residents to overseas sub-processors only: (a) where those sub-processors are bound by substantially similar privacy protection obligations; or (b) under other circumstances permitted by APP 8.2. Details of all overseas sub-processors are provided in Annex 1.
8.3 Notifiable Data Breaches (NDB Scheme)
Where a Personal Data Breach involving Australian residents' data is an "eligible data breach" under the Privacy Act 1988 (Cth) (i.e., likely to result in serious harm), Propeter will notify the Controller within 72 hours to enable the Controller to meet its Notifiable Data Breach obligations to the Office of the Australian Information Commissioner (OAIC).
8.4 Complaint Handling
Australian data subjects may direct privacy complaints to the Controller in the first instance. Complaints that involve Propeter's conduct as a processor may be escalated to legal@propeter.com. Unresolved complaints may be referred to the OAIC at oaic.gov.au.
9 Liability
9.1 Processor Liability
Propeter shall be liable to the Controller for damages caused by processing that does not comply with this DPA or Applicable Data Protection Laws where Propeter has acted outside or contrary to the Controller's lawful instructions.
9.2 Controller Liability
The Controller shall be liable for damages caused by processing that violates Applicable Data Protection Laws where such violation results from the Controller's instructions or the Controller's failure to comply with its own obligations under Applicable Data Protection Laws or this DPA.
9.3 Joint and Several Liability (GDPR Article 82)
Where both parties are found jointly liable to a data subject for damages under GDPR Article 82, each party shall bear liability proportionate to its respective responsibility for the harm caused. A party that has paid full compensation to a data subject may seek contribution from the other party to the extent of the other party's responsibility.
9.4 Liability Cap
Propeter's total aggregate liability under this DPA (other than for fraud, wilful misconduct, or death/personal injury) is subject to the liability limitations set out in the Terms of Service. In particular, Propeter's liability is capped at the total fees paid by the Controller to Propeter in the 12-month period preceding the claim, except where Applicable Data Protection Laws impose higher liability requirements that cannot be contractually limited.
10 Term and Termination
10.1 This DPA commences on the date the Controller accepts the Terms of Service (or the date of execution of a separate DPA for Enterprise clients) and remains in full force and effect for the duration of the Services agreement.
10.2 Upon expiry or termination of the Terms of Service, this DPA terminates automatically, subject to the obligations in Section 4.9 (return/deletion of data) which shall survive termination for 90 days, and Section 4.2 (confidentiality) which shall survive for 3 years post-termination.
10.3 Earlier termination provisions in the Terms of Service (including termination for cause) apply equally to this DPA.
11 Governing Law and Jurisdiction
11.1 This DPA is governed by the laws of India (without reference to conflict of law principles), subject to the following:
11.2 EU/UK SCCs: To the extent required by applicable EU/UK law, the SCCs incorporated under Annex 3 of this DPA shall be governed by the law of the EU Member State specified in Annex 3 (Ireland), and disputes under the SCCs shall be subject to the jurisdiction of the courts of Ireland.
11.3 Disputes under this DPA shall be resolved in accordance with the dispute resolution provisions of the Terms of Service (SIAC arbitration, Singapore seat), except where Applicable Data Protection Laws require disputes to be submitted to a specific supervisory authority or court.
Annex 1: List of Approved Sub-processors
The following sub-processors are authorised to process Personal Data on behalf of the Controller as part of Propeter's delivery of the Services. Propeter will maintain an updated list at propeter.com/legal/sub-processors and will provide 30 days' notice of changes.
| Sub-processor | Service / Purpose | Data Types | Location | Transfer Mechanism |
|---|---|---|---|---|
| Twilio / SendGrid (sendgrid.com) | Transactional and marketing email delivery | Email addresses, email content, engagement metadata | United States | SCCs (Module 2) |
| Twilio Inc. (twilio.com) | SMS and WhatsApp delivery | Phone numbers, message content | United States | SCCs (Module 2) |
| Google Firebase (firebase.google.com) | Mobile push notifications, crash analytics | Device tokens, notification content, app usage data | United States / Global | SCCs (Module 2) + EU-US DPF |
| Windcave / Qvalent (windcave.com) | Payment processing (PCI DSS Level 1 certified) | Transaction references only — no card numbers stored by Propeter | Australia / New Zealand | APP 8 equivalent protections |
| Amazon Web Services (AWS) (aws.amazon.com) | Cloud hosting, storage, compute infrastructure | All categories (encrypted at rest and in transit) | Asia Pacific (primary) / US | SCCs (Module 2) + AWS DPA |
| mkng360.com | Marketing CRM and campaign management | Marketing contact data, campaign data, engagement | As configured per Controller | DPA with mkng360.com |
Annex 2: Technical and Organisational Security Measures (TOMs)
The following measures are implemented by Propeter to ensure a level of security appropriate to the risk of processing, as required by GDPR Article 32 and equivalent provisions of Applicable Data Protection Laws.
Encryption
- AES-256 encryption for all Personal Data at rest
- TLS 1.3 minimum for all data in transit
- Field-level encryption for sensitive data elements (passport numbers, financial identifiers)
- Encrypted database backups
Access Controls
- Multi-factor authentication (MFA) mandatory for all staff with production access
- Role-based access control (RBAC) — minimum necessary access principle
- Just-in-time access for privileged operations
- Access rights reviewed quarterly
- Immediate access revocation on staff departure
Network Security
- Web Application Firewall (WAF) protecting all external endpoints
- DDoS mitigation at network layer
- VPN required for internal system access
- Network segmentation: production / staging / development
- Intrusion detection and prevention systems (IDS/IPS)
Application Security
- OWASP Top 10 security practices in development lifecycle
- Annual third-party penetration testing
- Automated dependency vulnerability scanning
- Secure code review for all releases
- Security-aware software development lifecycle (SSDLC)
Monitoring & Logging
- 24/7 automated security monitoring and alerting
- Audit logs for all data access retained for minimum 12 months
- Anomaly detection for unusual data access patterns
- Automated breach detection alerts
- Regular log review and analysis
Personnel Security
- Background checks for all staff with Personal Data access
- Annual mandatory privacy and security training
- Confidentiality agreements with all staff
- Incident response training and simulation exercises
- Clear desk / clear screen policy for applicable roles
Physical Security
- Processing conducted entirely on AWS cloud infrastructure
- AWS maintains SOC 2 Type II, ISO 27001, and PCI DSS certifications
- No Propeter physical access to underlying data centre hardware
- Multi-zone redundancy within cloud infrastructure
Business Continuity
- Daily encrypted backups with 30-day retention
- Recovery Point Objective (RPO): 24 hours
- Recovery Time Objective (RTO): 4 hours
- Annual disaster recovery testing
- Documented incident response plan
Annex 3: Standard Contractual Clauses — Clause Selection
For transfers of Personal Data from the EU/EEA to Propeter in India, the Standard Contractual Clauses adopted by the European Commission in Decision 2021/914/EU apply. The following clause selections are made by the parties:
| SCC Reference | Selection / Value |
|---|---|
| Module applicable | Module 2 (Controller to Processor) |
| Clause 7 — Docking clause | Option 2 applies (new parties may accede with agreement of existing parties) |
| Clause 11 — Optional language | Optional language NOT included |
| Clause 17 — Governing law | Laws of Ireland (EU Member State) |
| Clause 18 — Choice of forum | Courts of Ireland |
| Annex I.A — List of parties | Controller (Client) as identified in Annex 4; Processor: Propeter (India) |
| Annex I.B — Description of transfer | As described in Section 3 of this DPA |
| Annex I.C — Competent supervisory authority | The supervisory authority of the EU Member State in which the Controller is established |
| Annex II — Technical and organisational measures | As described in Annex 2 of this DPA |
| Annex III — Sub-processors | As listed in Annex 1 of this DPA |
Annex 4: Controller Contact and Entity Details
To be completed by the Controller upon execution of this DPA or as part of Enterprise onboarding.
For and on behalf of the Controller
For and on behalf of Propeter (Processor)
Legal Disclaimer: This Data Processing Agreement has been prepared in good faith based on the requirements of GDPR Article 28, the Australian Privacy Act 1988, the India Digital Personal Data Protection Act 2023, and other Applicable Data Protection Laws. It is provided as a standard template. Propeter recommends that all Controllers — particularly those established in the EU, UK, or Australia — seek independent legal advice to confirm that this DPA satisfies their specific legal obligations and that the processing activities described accurately reflect their use of the Propeter platform. This document does not constitute legal advice.
Questions About This DPA?
Our team is available to discuss enterprise data processing requirements, execute separate DPAs, or provide copies of applicable Standard Contractual Clauses.
Contact: legal@propeter.com
Copyright © 2026 propeter | Powered by Propeter