AIOSTRAll-in-one STR
Back to home

Data Processing Agreement

Last updated: 6 June 2026
This is a starting template. Have it reviewed by your legal counsel before you launch. The English version is authoritative.

1. Roles

For the personal data of your guests and vendors that you process through AIOSTR, you are the controller and AIOSTR ([Your Company Ltd]) is the processor. This DPA forms part of our Terms of Service.

2. Scope & purpose

We process personal data only to provide the AIOSTR service to you: coordinating bookings, guests, vendors, messaging, compliance, pricing and revenue workflows.

3. Our instructions

We process personal data only on your documented instructions (including via your use of the product), unless required otherwise by law, in which case we will tell you where permitted.

4. Confidentiality & security

Personnel with access are bound by confidentiality. We apply appropriate technical and organisational measures: encryption in transit and at rest for secrets, per-tenant data isolation, access controls, audit logging and least-privilege.

5. Subprocessors

You authorise us to use subprocessors to deliver the service, currently including Vercel (hosting), Neon (database), Stripe (payments), Resend (email), Anthropic (AI), and Twilio (messaging), plus the integrations you choose to connect. We impose data-protection terms on each and remain responsible for their performance. We will give notice of material changes so you can object.

6. Data subject rights & assistance

Taking into account the nature of the processing, we assist you with data subject requests and with your obligations on security, breach notification and impact assessments.

7. Breach notification

We will notify you without undue delay after becoming aware of a personal data breach affecting your data, with the information you need to meet your obligations.

8. Deletion & return

On termination, we will delete or return your personal data within a reasonable period, except where retention is required by law.

9. International transfers

Where personal data is transferred outside the EEA, we rely on adequacy decisions or Standard Contractual Clauses with appropriate safeguards.

10. Audits

On reasonable request we provide information necessary to demonstrate compliance with this DPA and allow for audits consistent with the GDPR.