Data Processing Agreement

⚠️ Important: This document is a draft template for informational purposes. It has not been reviewed by a lawyer. Before going live with paying customers, please have this reviewed by a legal professional familiar with EU/Slovenian law and GDPR requirements.

1. Parties and Purpose

This Data Processing Agreement ("DPA") is entered into between:

Data Controller: The accommodation provider ("Customer") who has subscribed to the Hilberton service
Data Processor: Hilberton ("we", "us"), operator of the Hilberton platform

This DPA forms part of the Terms of Service and governs the processing of personal data by the Processor on behalf of the Controller, in accordance with Article 28 of the GDPR.

2. Subject Matter and Nature of Processing

The Processor provides a channel management software platform. In this context, the Processor processes personal data of the Controller's guests solely to provide the contracted Service.

Nature of processing: Storage, retrieval, transmission (to booking platforms and government authorities), and deletion of guest personal data.

3. Categories of Data Subjects and Personal Data

3.1 Data Subjects

Guests and visitors of the Controller's accommodation properties.

3.2 Categories of Personal Data Processed

Data category	Examples	Processing purpose
Identity data	Full name, date of birth, gender, nationality	Reservation management, government reporting
Contact data	Email address, phone number	Booking confirmations, communication
Identity document data	Document type, number, country of issue, expiry date	Government reporting (eTurizem, eVisitor)
Stay data	Check-in/out dates, room type, number of guests	Reservation management, tourism statistics
Financial data	Booking price, payment source	Revenue reporting (no card data stored)

4. Obligations of the Processor

The Processor shall:

Process personal data only on documented instructions from the Controller (i.e., use of the Service)
Ensure that persons authorised to process the data are subject to confidentiality obligations
Implement appropriate technical and organisational security measures (Article 32 GDPR)
Not engage sub-processors without prior written authorisation from the Controller (see Section 6)
Assist the Controller in responding to data subject rights requests
Assist the Controller in ensuring compliance with Articles 32–36 GDPR
Delete or return all personal data at the end of the service relationship, at the Controller's choice
Make available all information necessary to demonstrate compliance and cooperate with audits

5. Obligations of the Controller

The Controller shall:

Ensure a lawful basis exists for processing guest personal data
Inform guests about the use of Hilberton for processing their data (e.g., in a privacy notice at check-in)
Ensure the accuracy and completeness of data entered into the Service
Not instruct the Processor to process data in a manner that would violate applicable law
Be responsible for compliance with their obligations as Data Controller under GDPR

6. Sub-Processors

The Controller provides general authorisation for the use of the following sub-processors:

Sub-processor	Location	Role
Resend Inc.	USA (SCCs)	Transactional email delivery
Database hosting provider (TBD)	EU	Infrastructure and storage
AJPES (Slovenia)	Slovenia	eTurizem government reporting
Ministarstvo turizma (Croatia)	Croatia	eVisitor government reporting

The Processor will notify the Controller of any intended changes to sub-processors with at least 14 days' notice, giving the Controller the opportunity to object.

7. International Data Transfers

Where personal data is transferred outside the European Economic Area (e.g., to Resend in the USA), such transfers are subject to Standard Contractual Clauses (SCCs) approved by the European Commission, providing equivalent data protection guarantees.

8. Security Measures

The Processor implements the following measures in accordance with Article 32 GDPR:

Pseudonymisation and encryption of personal data where appropriate
Confidentiality, integrity, availability of processing systems
Regular testing of security measures
Access controls — only authorised personnel can access production data
Audit logging of all changes to reservation and guest data
HTTPS/TLS for all data in transit
Bcrypt hashing for passwords

9. Data Breach Notification

In the event of a personal data breach, the Processor shall notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware. The notification shall include:

Description of the nature of the breach
Categories and approximate number of data subjects affected
Likely consequences of the breach
Measures taken or proposed to address the breach

The Controller remains responsible for notifying the relevant supervisory authority and affected data subjects as required by law.

10. Data Subject Rights Assistance

The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under Chapter III of the GDPR (access, rectification, erasure, portability, etc.). The Controller may export or delete guest data directly from the Service at any time.

11. Data Retention and Deletion

Upon termination of the Service agreement, the Controller may export their data in CSV format within 30 days. After this period, all personal data will be permanently deleted from production systems. Backups may contain data for up to an additional 30 days before being overwritten.

Government reporting data (eTurizem, eVisitor submissions) may be retained for 1 year for audit purposes, then permanently deleted.

12. Term and Termination

This DPA is effective for the duration of the Terms of Service. Termination of the Terms automatically terminates this DPA. Provisions regarding security, breach notification, and deletion of data survive termination.

13. Governing Law

This DPA is governed by the laws of the Republic of Slovenia and the applicable EU regulations, including the GDPR.

14. Contact for Data Protection Matters

For all data protection queries under this DPA:
legal@hilberton.com
Hilberton, Slovenia