1. Roles
For the personal data of your guests and vendors that you process through AIOSTR, you are the controller and AIOSTR ([Your Company Ltd]) is the processor. This DPA forms part of our Terms of Service.
2. Scope & purpose
We process personal data only to provide the AIOSTR service to you: coordinating bookings, guests, vendors, messaging, compliance, pricing and revenue workflows.
3. Our instructions
We process personal data only on your documented instructions (including via your use of the product), unless required otherwise by law, in which case we will tell you where permitted.
4. Confidentiality & security
Personnel with access are bound by confidentiality. We apply appropriate technical and organisational measures: encryption in transit and at rest for secrets, per-tenant data isolation, access controls, audit logging and least-privilege.
5. Subprocessors
You authorise us to use subprocessors to deliver the service, currently including Vercel (hosting), Neon (database), Stripe (payments), Resend (email), Anthropic (AI), and Twilio (messaging), plus the integrations you choose to connect. We impose data-protection terms on each and remain responsible for their performance. We will give notice of material changes so you can object.
6. Data subject rights & assistance
Taking into account the nature of the processing, we assist you with data subject requests and with your obligations on security, breach notification and impact assessments.
7. Breach notification
We will notify you without undue delay after becoming aware of a personal data breach affecting your data, with the information you need to meet your obligations.
8. Deletion & return
On termination, we will delete or return your personal data within a reasonable period, except where retention is required by law.
9. International transfers
Where personal data is transferred outside the EEA, we rely on adequacy decisions or Standard Contractual Clauses with appropriate safeguards.
10. Audits
On reasonable request we provide information necessary to demonstrate compliance with this DPA and allow for audits consistent with the GDPR.